CoA on EndPoint Change

In our environment, we have:

  • ClearPass cluster
  • Aruba controllers
  • EfficientIP IPAM and Self-Registration

We are attempting to create an open wireless network where devices need to be registered in the IPAM before they get more than access to the captive portal.

One use case that we have not been able to solve is this:

  1. User connects a ROKU Streaming Stick to the Open network.  The stick doesn't work as it's not registered yet.
  2. User registers the device in the EfficientIP Self-Registration.
  3. EfficientIP sends two API calls to ClearPass.  The first sets certain attributes on the Endpoint for the ROKU (timestamp, username, etc).  The second creates a Guest Device for eventual AirGroup use.
  4. ROKU won't work until the session times out and ClearPass runs through its steps again.  Based on the new Endpoint Attributes, ClearPass applies the "media-device" rule and all is well.

Ideally, we'd like to be able to trigger a CoA via an API call to ClearPass.  In investigating, we see that POST /api/device/ can trigger a CoA when you append "?change_of_authorization=true" to the URL.  However as we are creating and destroying rather than editing a Guest Device, we see the message "User 'B0-EE-7B-97-7F-33' not present in [Guest Device Repository](localhost)" in Access Tracker.  So no go there.

I had read somewhere - perhaps mistakenly - that PATCH /api/endpoint/mac-address can trigger a CoA with the similar "?change_of_authorization=true" appended.  Alas, this does not appear to work.

So I'm looking for some methodology so that I can trigger a CoA either in tandem with one of the above API calls (POST /api/device/ or PATCH /api/endpoint/mac-address/) - or a standalone API call.

I did try "https://<CPPM>/async_netd/cmdctrl/apply_coaprof_clntlist" which I found in this community - but it didn't work on CPPM 6.6.5

Any thoughts - as this is a headscratcher...

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute

Re: CoA on EndPoint Change

Ben,

When change_of_authorization = true is passed in the API call for a device creation, ClearPass will generate an internal WEBAUTH which can then be used to trigger the disconnect or CoA.

Here's an example of a service that's used to catch those events. The enforcement policy should have whichever disconnect or CoA enforcement is required for the network devices in use.

[attached screenshots: Screen Shot 2017-07-19 at 3.28.34 PM.png, Screen Shot 2017-07-19 at 3.28.42 PM.png]

Also, just for your reference, the API calls for Disconnect and CoA are:

POST /session/{id}/disconnect

POST /session/{id}/reauthorize

Be sure to check API Explorer for the details about those two endpoints.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
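An added example (not code from this thread or from Aruba) of the session-based path Tim describes: look up the device's live session in ClearPass and POST to /session/{id}/reauthorize or /session/{id}/disconnect. It assumes a bearer token has already been obtained, and the session filter syntax, the session field names ("state", "acctstarttime") and the request bodies are assumptions to confirm in API Explorer; the HTTP call is injected so the logic runs offline.

```python
import json
import re
from urllib.parse import quote

# Added example, not ClearPass's own code. The session filter syntax, the field names
# in the session list ("state", "acctstarttime") and the request bodies are assumptions;
# check them against API Explorer on your CPPM before relying on them.

def normalize_mac(mac):
    """Reduce any MAC notation ('B0-EE-7B-97-7F-33', 'b0:ee:..', bare hex) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def pick_active_session(session_list):
    """Return the id of the newest active session in a GET /api/session result, or None."""
    items = session_list.get("_embedded", {}).get("items", [])
    active = [s for s in items if s.get("state") == "active"]
    if not active:
        return None
    return max(active, key=lambda s: s.get("acctstarttime", ""))["id"]

def trigger_coa(http, base_url, token, mac, action="reauthorize", profile=None):
    """Look up the device's live session and POST /session/{id}/<action>.

    http(method, url, headers, body_or_None) -> (status_code, parsed_json) is injected so the
    logic can be exercised offline; in production wrap requests.request() with it.
    Returns (session_id, status_code), or (None, None) when the MAC has no active session,
    which is the case to watch for: a CoA cannot be delivered to a device that is not online.
    """
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    flt = quote(json.dumps({"mac_address": normalize_mac(mac)}), safe="")
    status, sessions = http("GET", f"{base_url}/api/session?filter={flt}", headers, None)
    if status != 200:
        raise RuntimeError(f"session lookup failed: HTTP {status}")
    sid = pick_active_session(sessions)
    if sid is None:
        return None, None
    if action == "disconnect":
        body = {"confirm_disconnect": True}          # assumed body, per API Explorer
    elif action == "reauthorize":
        body = {"reauthorize_profile": profile} if profile else {}   # assumed body
    else:
        raise ValueError("action must be 'disconnect' or 'reauthorize'")
    status, _ = http("POST", f"{base_url}/api/session/{sid}/{action}", headers, body)
    return sid, status
```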

Re: CoA on EndPoint Change

1) All Endpoints, Guest Devices and IPAM entries are deleted; Roku is factory defaulted.
2) Turn on Roku
3) Roku attempts to connect to open SSID.  Here's the configuration as the Access Tracker sees it.

[attached screenshot: Step2.png]

4) Roku is registered in IPAM
5) IPAM Triggers update to Endpoint via PATCH /api/endpoint/mac-address/XXXXXXXXXXXX and the following JSON:
{
  "status": "Known",
  "attributes": {
    "Owner": "bjhiggins@wpi.edu",
    "IPAM-Hostname": "rogues-roku.dyn.wpi.edu",
    "IPAM-AdminState": "OK",
    "IPAM-NAS-IP-Address": "",
    "IPAM-NAS-Port-ID": "",
    "IPAM-RADIUS-VLAN": "",
    "IPAM-TimeStamp": "2017-07-19 00:00:01 EDT",
    "Guest Role ID": "",
    "MAC-Auth Expiry": "",
    "Username": ""
  }
}
6) IPAM Triggers creation of Guest Device via POST /api/device?change_of_authorization=true with the following JSON:
{
  "mac": "XXXXXXXXXXXX",
  "enabled": "1",
  "role_id": 12,
  "sponsor_name": "bjhiggins@wpi.edu",
  "visitor_name": "rogues-roku.dyn.wpi.edu",
  "airgroup_enable": "1",
  "airgroup_shared": "0",
  "airgroup_shared_user": "bjhiggins@wpi.edu",
  "airgroup_shared_role": "authenticated",
  "airgroup_shared_location": "default"
}
7) The moment the Guest Device is created, I have a WEBAUTH Service execute with a REJECT. The alert is "WebAuthService: User 'B0-EE-7B-97-7F-33' not present in [Guest Device Repository](localhost)".

[attached screenshot: Step7.png]

8) After the 600 second session time out, the device connects properly using the WPI-Open MAC-AUTH-SERVICE.

I've tried playing around with the API Explorer and using POST /api/device without the CoA flag, then using a PATCH /api/device/mac/XXXXXXXXXXXX with the CoA flag - with the assumption of let's create the Guest Device then CoA against it.  But I don't see the "WPI-Open DEVICE-REGISTRATION-COA-SERVICE" execute in the Access Tracker on the PATCH.

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute

Re: CoA on EndPoint Change

In step 7, it should absolutely be finding the device in the device repository. What is the expiration on the device? The GDR auth source checks that the device account is enabled and hasn't expired.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: CoA on EndPoint Change

expire_time on the GDR is 0

[attached screenshot: Capture.PNG]

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute

Re: CoA on EndPoint Change

Please open a TAC case. The device should definitely be found in the GDR for the WebAuth service.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: CoA on EndPoint Change

Thank you Tim!  I've opened a TAC Case and will report back with findings.

Benjamin J. Higgins (’97)
Worcester Polytechnic Institute