03-05-2014 06:03 PM
I'm currently working on a configuration entailing WLC and ISE where the customer wants a single SSID,and wants his wireless clients to authenticate successfully if they pass a registry key compliance. Additionally, they want clients to received a different IP address or get mapped to a different DHCP scope based on the Microsoft AD group they belong too. for example:
- Client authenticating with registry key and in AD group ABC that passes authentication gets IP address or subnet for belonging to their specific AD group ABC.
- Client authenticating with registry key and in AD group XXX that passes authentication gets an IP address or subnet belonging to their specific AD group XXX.
Is this doable? Can we mapp users to specific DHCP scopes based on AD memberships, and if so how, what attributed need to be tagged or exchange between CPPM and MS AD and not sure if the WLC would also need any specific configs to enable this?
Clients---->WLC------>CPPM-----> MS AD ( groups ABC, XXXX, YYY )
currently using EAP-PEAP/MSCHAPv2
Does anyone have any idea or pointers or can refer me somewhere that I can read on how to accomplish this? Not sure on how to do the registry compliance check nor what attributes will allow me to map the client to a DHCP Scope based on this AD group membership?
03-05-2014 06:08 PM - edited 03-05-2014 06:18 PM
You will need the ClearPass OnGuard or Enterprise license to check and/or remediate registry keys.
You have two options for checking AD group membership:
- Role Mapping
- This option tags an internal ClearPass role. For example, if you were checking for an AD group called HR, you could create a ClearPass TIPS role called USER_HR which could be reused in other services and other decisions. This data can also be cached for X amount of time.
- Direct check in enforcement policy
- This option will check membership for every authentication request and can make your enforcement policy a litte bit more complicated.
You can then use this information to map the device to a VLAN (DHCP scope)
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
03-05-2014 06:57 PM
In addition to Tim setup you can do the following with Onguard:
Define the Posture Policy
You could create a Web Auth service that requires authentication with AD and you can use it with either Persistent Agent or dissolvable agent
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA