Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CoA on EndPoint Change

  • 1.  CoA on EndPoint Change

    Posted Jul 19, 2017 03:25 PM

    In our environment, we have:

    • ClearPass cluster
    • Aruba controllers
    • EfficientIP IPAM and Self-Registration

    We are attempting to create an open wireless network where devices need to be registered in the IPAM before they get more than access to the captive portal.

     

    One use case that we have not been able to solve is this:

    1. User connects a ROKU Streaming Stick to the Open network.  The stick doesn't work as it's not registered yet.
    2. User registers the device in the EfficientIP Self-Registration.
    3. EfficientIP sends two API calls to ClearPass.  The first sets certain attributes on the Endpoint for the ROKU (timestamp, username, etc).  The second creates a Guest Device for eventual AirGroup use.
    4. ROKU won't work until the session times out and ClearPass runs through its steps again.  Based on the new Endpoint Attributes, ClearPass applies the "media-device" rule and all is well.

    Ideally, we'd like to be able to trigger a CoA via an API call to ClearPass.  In investigating, we see that POST /api/device/ can trigger a CoA when you append "?change_of_authorization=true" to the URL.  However as we are creating and destroying rather than editing a Guest Device, we see the message "User 'B0-EE-7B-97-7F-33' not present in [Guest Device Repository](localhost)" in Access Tracker.  So no go there.

     

    I had read somewhere - perhaps mistakenly - that PATCH /api/endpoint/mac-address can trigger a CoA with the similar "?change_of_authorization=true" appended.  Alas, this does not appear to work.

     

    So I'm looking for some methodology so that I can trigger a CoA either in tandem with one of the above API calls (POST /api/device/ or PATCH /api/endpoint/mac-address/) - or a standalone API call.

    I did try "https://<CPPM>/async_netd/cmdctrl/apply_coaprof_clntlist" which I found in this community - but it didn't work on CPPM 6.6.5

     

    Any thoughts - as this is a headscratcher...



  • 2.  RE: CoA on EndPoint Change

    EMPLOYEE
    Posted Jul 20, 2017 09:35 AM

    Ben,

     

    When change_of_authorization = true is passed in the API call for a device creation, ClearPass will generate an internal WEBAUTH which can then be used to trigger the disconnect or CoA.

     

    Here's an example of a service that's used to catch those events. The enforcement policy should have whichever disconnect or CoA enforcement are required for the network devices in use.

     

    Screen Shot 2017-07-19 at 3.28.34 PM.png

     

    Screen Shot 2017-07-19 at 3.28.42 PM.png

     

    Also, just for your reference, the API calls for Disconnect and CoA are:

    POST /session/{id}/disconnect

    POST /session/{id}/reauthorize

    Be sure to check API Explorer for the details about those two endpoints.
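    As an added example (not code from the thread or from HPE Aruba), this script shows the standalone path the original poster asked for: after the IPAM side has PATCHed the endpoint, look up the device's active session(s) and trigger the CoA through the session API named above (POST /api/session/{id}/reauthorize). Everything beyond the two paths quoted in the reply is an assumption to verify in API Explorer: the OAuth2 client-credentials token from POST /api/oauth, the GET /api/session filter syntax, the HAL-style "_embedded.items" list shape, and the {"confirm_reauthorize": true} body. The HTTP transport is injectable so the flow can be exercised offline.

```python
"""Added example: endpoint update followed by a session-based CoA against ClearPass.

Assumptions (not confirmed by the thread; check API Explorer for your version):
  * POST /api/oauth with grant_type=client_credentials returns {"access_token": ...}
  * GET /api/session?filter={"mac_address": "..."} lists matching sessions
  * list responses are HAL-shaped: {"_embedded": {"items": [{"id": ...}, ...]}}
  * POST /api/session/{id}/reauthorize accepts {"confirm_reauthorize": true}
"""
import json
import urllib.parse
import urllib.request


def normalize_mac(mac: str) -> str:
    """Endpoint APIs take the MAC without separators; upper-case it so it matches
    the form Access Tracker prints ("B0-EE-7B-97-7F-33" -> "B0EE7B977F33")."""
    hexdigits = "".join(c for c in mac if c.isalnum()).upper()
    if len(hexdigits) != 12 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def http_transport(method, url, headers, body):
    """Real transport: send one JSON request and return (status, parsed body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


class ClearPassClient:
    """Minimal REST client; `transport` is swapped for a fake in the offline test."""

    def __init__(self, base_url, client_id, client_secret, transport=http_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = self._get_token(client_id, client_secret)

    def _call(self, method, path, body=None, token=None):
        headers = {"Content-Type": "application/json", "Accept": "application/json"}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        status, payload = self.transport(method, self.base_url + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {payload}")
        return payload

    def _get_token(self, client_id, client_secret):
        # Assumed: OAuth2 client-credentials grant (API client configured in Guest > API Clients).
        payload = self._call("POST", "/api/oauth", {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        })
        return payload["access_token"]

    def patch_endpoint(self, mac, attributes):
        """Step 5 of the thread: mark the endpoint Known and set the IPAM attributes."""
        body = {"status": "Known", "attributes": attributes}
        path = f"/api/endpoint/mac-address/{normalize_mac(mac)}"
        return self._call("PATCH", path, body, self.token)

    def active_session_ids(self, mac):
        """Assumed filter syntax: a JSON object in the `filter` query parameter."""
        filt = urllib.parse.quote(json.dumps({"mac_address": normalize_mac(mac)}))
        payload = self._call("GET", f"/api/session?filter={filt}", None, self.token)
        return [item["id"] for item in payload.get("_embedded", {}).get("items", [])]

    def reauthorize_session(self, session_id):
        """The CoA path quoted in the reply; body field is an assumption."""
        return self._call("POST", f"/api/session/{session_id}/reauthorize",
                          {"confirm_reauthorize": True}, self.token)

    def register_and_coa(self, mac, attributes):
        """Update the endpoint, then CoA every active session for that MAC so the
        device is re-evaluated now instead of after the 600 s session timeout."""
        self.patch_endpoint(mac, attributes)
        session_ids = self.active_session_ids(mac)
        for sid in session_ids:
            self.reauthorize_session(sid)
        return session_ids


if __name__ == "__main__":
    # Placeholder credentials; the MAC is the one quoted in the thread.
    client = ClearPassClient("https://<CPPM>", "<client_id>", "<client_secret>")
    print(client.register_and_coa("B0-EE-7B-97-7F-33", {"IPAM-AdminState": "OK"}))
```

    Because reauthorize acts on the session rather than on the Guest Device, it does not depend on the device existing in the Guest Device Repository, which is where the WebAuth path in step 7 below fails. If no session is returned for the MAC, the device is not currently connected and nothing is sent.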



  • 3.  RE: CoA on EndPoint Change

    Posted Jul 20, 2017 04:35 PM

    1) All Endpoints, Guest Devices and IPAM entries are deleted; Roku is factory defaulted.
    2) Turn on Roku
    3) Roku attempts to connect to open SSID.  Here's the configuration as the Access Tracker sees it.

    Step2.png

    4) Roku is registered in IPAM
    5) IPAM Triggers update to Endpoint via PATCH /api/endpoint/mac-address/XXXXXXXXXXXX and the following JSON:
    {
        "status": "Known",
        "attributes": {
            "Owner": "bjhiggins@wpi.edu",
            "IPAM-Hostname": "rogues-roku.dyn.wpi.edu",
            "IPAM-AdminState": "OK",
            "IPAM-NAS-IP-Address": "",
            "IPAM-NAS-Port-ID": "",
            "IPAM-RADIUS-VLAN": "",
            "IPAM-TimeStamp": "2017-07-19 00:00:01 EDT",
            "Guest Role ID": "",
            "MAC-Auth Expiry": "",
            "Username": ""
        }
    }
    6) IPAM Triggers creation of Guest Device via POST /api/device?change_of_authorization=true with the following JSON:
    {
        "mac": "XXXXXXXXXXXX",
        "enabled": "1",
        "role_id": 12,
        "sponsor_name": "bjhiggins@wpi.edu",
        "visitor_name": "rogues-roku.dyn.wpi.edu",
        "airgroup_enable": "1",
        "airgroup_shared": "0",
        "airgroup_shared_user": "bjhiggins@wpi.edu",
        "airgroup_shared_role": "authenticated",
        "airgroup_shared_location": "default"
    }
    7) The moment the Guest Device is created, I have a WEBAUTH Service execute with a REJECT. The alert is "WebAuthService: User 'B0-EE-7B-97-7F-33' not present in [Guest Device Repository](localhost)".

    Step7.png

    8) After the 600 second session time out, the device connects properly using the WPI-Open MAC-AUTH-SERVICE.

     

     

    I've tried playing around with the API Explorer and using POST /api/device without the CoA flag, then using a PATCH /api/device/mac/XXXXXXXXXXXX with the CoA flag - with the assumption of let's create the Guest Device then CoA against it.  But I don't see the "WPI-Open DEVICE-REGISTRATION-COA-SERVICE" execute in the Access Tracker on the PATCH.

     



  • 4.  RE: CoA on EndPoint Change

    EMPLOYEE
    Posted Jul 20, 2017 05:59 PM

    In step 7, it should absolutely be finding the device in the device repository. What is the expiration on the device? The GDR auth source checks that the device account is enabled and hasn't expired.



  • 5.  RE: CoA on EndPoint Change

    Posted Jul 20, 2017 06:05 PM

    expire_time on the GDR is 0

    Capture.PNG



  • 6.  RE: CoA on EndPoint Change
    Best Answer

    EMPLOYEE
    Posted Jul 20, 2017 08:02 PM

    Please open a TAC case. The device should definitely be found in the GDR for the WebAuth service.



  • 7.  RE: CoA on EndPoint Change

    Posted Jul 20, 2017 11:58 PM

    Thank you Tim!  I've opened a TAC Case and will report back with findings.