Security

Hi everyone,

I saw a somewhat similar post on this subject from 2012, but my scenario is a bit different.

I work for a school district.  Using a *single* SSID, this is what I would like to accomplish.  Some of it already works; I'll explain below.

1) Allow staff and students to authenticate on a mobile device.  Staff have full access to the internal network and internet; students have internet only plus certain internal resources.

2) Allow machines (both Windows and MacOS) to authenticate via machine authentication.

3) Allow district-supplied mobile devices (mainly iPads and Chromebooks) that are shared among multiple students to authenticate via certificate instead of being tied to a specific username and password, or using a WPA2-PSK network (not secure if the password gets out, which it already has).

Our current setup is:

• Aruba 3200, 3400, or 3600 controllers at each school site (depending on school size)
• Aruba 3600 master controller at District Office
• Microsoft NPS running on Server 2008 Enterprise
• ClearPass evaluation, which we will be buying soon

Curently, #1 and #2 above work...mostly.  Staff and Students belong to different AD groups, and when a user authenticates on their mobile device (as in #1), NPS passes a "Class" attribute back to the Aruba controller, which places the user into either a Student or Staff role.  Windows workstations are joined to our AD domain and authenticate automatically via machine authentication as soon as they boot (Windows XP requires some registry tweaking, but 7 and 8 work with just a couple of setting changes).  MacOS machines running Mountain Lion or Mavericks can join our AD domain and then use a Mobileconfig profile that contains the RADIUS server certificate and wireless settings to authenticate, download the AD certificate, and connect to the network.  I said "mostly" above because earlier MacOS revisions, while they can join an AD domain, are not able to use the Mobileconfig profile.

#3 is what I am currently experimenting with using ClearPass.  Right now, it works if I use a separate SSID for the device to connect after completing the onboarding process.  I would like to use the same SSID, but right now, it doesn't work.  I think I know why, but I don't know how to fix it.  I believe the problem is that when I connect to the same SSID, the device is still then trying to authenticate to my Microsoft NPS server instead of to ClearPass.  So the question is, how can I get my controller configuration to know whether the device trying to authenticate is requesting certificate or user authentication, and then direct them to the proper RADIUS server (NPS or ClearPass)?  And then would directing certificate-based authentication requests to ClearPass instead of NPS affect my Windows machines using machine authentication?  (I know it would probably affect the Macs, but I could use ClearPass to enroll the Macs just like enrolling an iOS or Android device.  That could also help the Macs running Lion or earlier.)

Thanks!

One question and one potential solution :)

Why not just ClearPass for both TLS and PEAP? Is it just because you are doing an eval and integrating into the existing environment?

You could point the controller to ClearPass and have it make decision based on the EAP outer type. If it matches EAP-TLS, it can handle it locally. Everything else can be sent to a RADIUS proxy (NPS in this case).

Hi Tim,

Basically, yes, that's the reason. :)  ClearPass is an eval, and I'm integrating into the existing NPS environment.

Since I'm something of a ClearPass newbie, any chance you could point me to where I'd make that configuration change you're talking about?  Also, would the limited number of licenses on the ClearPass eval cause a potential problem with the number of devices trying to authenticate through the proxy to NPS?

Thanks!

-- Bryce

I'm not 100% sure about the license question. We'll have to leave that one for someone else :)

Here are some samples. For testing purposes, you can leave the default enforcement policy of "Sample Allow Access Policy" until you start building role mapping from AD groups or LDAP attributes.

I created two services. One that checks for EAP-TLS and one that says anything else.

FIRST SERVICE (EAP-TLS)

SECOND SERVICE (ELSE)

That part works, thanks!  I created a test SSID and applied the services you showed me to it, and I can connect.  However, as you said, I don't have any role mapping yet, so I'm just in the "authenticated" role instead of landing in my StaffAccess or StudentAccess role.  What would be the next step to get that working?  (Sorry, as I said, ClearPass neophyte here. :)  )

Thanks!

This configuration is going to start getting a bit complicated if you are trying to return roles based on NPS and ClearPass. Are you working with your Aruba SE? 

My SE is coming out tomorrow, but we have a few things to work on, and I was hoping to get a jump start on this one. :)  But you've helped me out a great deal just getting done what we've done so far.  Thanks!

OK great. It would be a lot of confusing screenshots if I were to explain it here :)

Good luck!

Yeah, could get dicey. :)

Running into a small snag in case you or anyone else here has any ideas.  I created the "TLS" and "non-TLS" and am attempting to onboard a Mac Mini running OS X 10.9 (Mavericks).  The onboard process works fine.  But when when I try to reconnect to the SSID, for some reason, it's falling through to the non-TLS service.

This is what I saw in the Access Tracker.  My TLS service is above the non-TLS service.

I can't seem to paste the screen shot in, so I'm including it as an attachment.

Hi all,

Thanks for all of the help!  My SE was here on Friday and we got it working, though using a different approach.

Instead of multiple services, he had me set up a single service and use Role Mapping and Enforcement to control who gets what access depending on the authentication type.  We also got it working where we don't have to use NPS (although I'm not putting that into production quite yet).

-- Bryce