Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?

  • 1.  Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?

    Posted Jan 18, 2014 02:33 PM

    Hi All,

    Have a pretty standard, if that exists, setup where clients authenticate with ClearPass using their client certificates. When ClearPass determines that the condition "memberOf" EQUALS "domain computers" it will return an Aruba-User-Role of authenticated_employee to the controller.

    Hope I got that right!?

    Now, I'm about to add a few remote access points (RAPs) to this setup. The same clients (domain computers) will connect both through on-premise access points and the new RAPs. I have prepared a separate role for the clients when they connect through a RAP, but I need to update ClearPass accordingly. My question is, what would be the best way to do this? Can I build on the existing condition and add an exception? Should I change the attribute currently used (memberOf - domain computers) and use something else? I'm interested in your suggestions and the configurations you use!

    Cheers,

    Fredrik



  • 2.  RE: Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?

    EMPLOYEE
    Posted Jan 18, 2014 03:58 PM

    You can use the Radius:Aruba ap-group attribute to assign a role and then make a decision.  The ap-group is sent over as a RADIUS attribute during authentication:

    (screenshots attached: radius.png, remote.png)



  • 3.  RE: Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?

    Posted Jan 19, 2014 07:38 AM

    Many thanks for the quick response!

    So, let's see if I have got this down pat ;) I will leave the current rules and policies created for certificate authorization in place. I would then add a new Role (e.g. Company-RAP) and a role mapping that verifies the certificate used. The rule would also check whether the Aruba-AP-Group attribute matches RemoteAP, then assign the Company-RAP user role as defined in the controller? If a separate role is used, how would I ensure that no conflict occurs, as both would check authorization:activedir.company.com?

    Or, can I add an either/or type of scenario to the existing rule used for certificate authentication (attached screenshot)? By arranging the rules in priority sequence and/or evaluation algorithm to first sort out RAP connections and return the proper user role (Company-RAP) to the controller, and for the remaining authorized connections return the authenticated-employee user role?

    Feel free to point me to a section in the documentation if this would require too much effort and space to sort out in the forum :)

    Thanks again,

    Fredrik



  • 4.  RE: Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?

    EMPLOYEE
    Posted Jan 19, 2014 07:52 AM

    So the "Role Mapping" portion of the Service in CPPM is to "Tag" incoming authentications with as many CPPM roles as possible for later evaluation in the Enforcement Policy.   The Role Mappings in this section should have the "Evaluate-All" parameter set, so you can gather and tag as much info as you will need later in the enforcement policy.

    In the enforcement policy, that is where you make sure that "First Applicable" is configured, and then you look for roles or other attributes from the most specific to the most general.  For example:

    You are looking for a certain set of Tags (CPPM roles) to make a decision about an incoming authentication, and you want to send back a different Aruba role to the controller depending on the combination.  You should create a Role in CPPM for each tag or attribute that you will need to make your decision.  You should then, in the Role Mappings, test the incoming authentication for each of those situations and Tag them with the corresponding CPPM role (with Evaluate-All set so that you can tag everything applicable).  In the enforcement policy you would then choose the most specific situation (if Role=Employee and Role=Remote) and set an enforcement profile that sends back the Aruba User Role that you want the user to be in.  You would have a second enforcement policy that is not as specific, like if Role=Employee, and choose an enforcement profile that sends back the Employee role.

    I hope that makes sense...

    P.S. Roles in CPPM and in the Aruba Controller are two separate things.



  • 5.  RE: Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?

    Posted Jan 20, 2014 04:13 PM

    Thanks again for clarifying the process! It makes much more sense now, especially since you pointed out that roles in CPPM and the controller are two separate things - I had got them mixed up!

    One question remains for me. In the configuration I have inherited, it seems like the same condition is defined both in role mappings and under the enforcement policy (see enforcementrule.jpg)!? If I understand you correctly, I should devise one condition to authorize (as per my previous screenshot), but make sure to "tag" and pass on sufficient information to the enforcement engine to make the correct call on which Aruba User Role to return to the controller (see new_mappingrule.jpg).

    So if I'm right so far, rather than checking the same condition (twice?), how would I use the tags appended in the role mapping in my enforcement policy? Which rule type (under Policy) would I use to read the roles passed on from the role mapping process?

    The rules in my enforcement policy would then reference an Enforcement Profile, one for each role that I would like to return to the controller?

    I'm working my way through the documentation as I write this, but if you have time for a few more hints it would be greatly appreciated!

    Cheers

    Fredrik



  • 6.  RE: Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?

    EMPLOYEE
    Posted Jan 20, 2014 04:34 PM

    The enforcement PROFILE is what is used to send back an attribute at authentication.  You can send back a role, VLAN, etc.  You use the enforcement Policy to determine what attribute.  There are some things you can check in a role policy to set roles, and there are certain things you can only check in an enforcement policy.  The enforcement policy is the final rule checking, where you can check roles AND other attributes and then send back the profile that sets the parameter.  What specifically are you checking for, so we can formulate it?



  • 7.  RE: Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?

    Posted Jan 21, 2014 08:18 AM

    Again, your help is most appreciated! All right, makes sense, and I think I'm starting to get a feel for the flow and how the process works.

    To try and articulate what I'm trying to achieve: corporate clients authenticate the connection using certificates (Active Directory). The clients can connect either on-premise or through RAPs. I have created two different roles in the controller (corp-employee and corp-RAP) and would like CPPM to return different Aruba roles depending on how the laptop connects.

    The current configuration in CPPM works, but the rules are not created to take into account that clients might connect through RAPs, and return corp-employee to the controller regardless of how the laptop connects. You can see parts of the configuration in the screenshot attached previously.

    How would you advise me to realise this in CPPM policy?

    Best regards,

    Fredrik



  • 8.  RE: Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?

    EMPLOYEE
    Posted Jan 21, 2014 08:26 AM

    When you say that Corporate users use certificates, do they use client-side certificates (TLS) or just server-side certificates (PEAP)?

    Is machine authentication configured?  If so, there is an easier way to validate that the user has a corporate laptop: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Enforce-Machine-Authentication/m-p/58918/highlight/true#M4585

    You can just add the check for the ap-group and you might be able to achieve what you want.



  • 9.  RE: Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?

    Posted Jan 21, 2014 08:39 AM

    In the request details for current authentications I see that EAP-TLS is listed as the authentication method. I issue machine certificates to all clients from the corp PKI, and these should be verified upon an attempt to authenticate.

    Could you tell me where to check for what (i.e. ap-group) and how to use the roles I assign in role mappings in accordance with your previous advice?

    Best regards,

    Fredrik



  • 10.  RE: Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?
    Best Answer

    EMPLOYEE
    Posted Jan 21, 2014 08:49 AM

    Okay.  Create a Role in CPPM called corporate, and create a role called Remote.  In your role mappings, write a rule to tag users that pass EAP-TLS:

    (Authentication:OuterMethod  EQUALS  EAP-TLS) and Radius:Aruba Aruba AP-Group equals Remote, set role to Remote.

    In your Enforcement policy, "Tips:Role equals Remote", set your enforcement profile to one that returns the Aruba role that you want for your users...
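As an added illustration (not code from the thread, from ClearPass, or from the poster), a small Python model of the flow described in posts 4 and 10: Evaluate-All role mapping that tags a request with CPPM roles, then a First-Applicable enforcement policy that matches on Tips:Role, most specific rule first, and returns the Aruba-User-Role. The attribute names in the sample requests (Authorization:AD:memberOf, Radius:Aruba:Aruba-AP-Group) and the [Deny Access] default are assumptions.

```python
# Constructed model of the two-stage ClearPass flow discussed in this thread.
# Stage 1, role mapping (Evaluate-All): every matching rule tags the request
# with a CPPM role.  Stage 2, enforcement policy (First-Applicable): rules are
# checked in order, most specific first, and the first hit selects the
# enforcement profile whose Aruba-User-Role goes back to the controller.
# Attribute names below are assumed, not copied from a real ClearPass export.

# (condition over request attributes, CPPM role to tag)
ROLE_MAPPING = [
    (lambda r: r.get("Authorization:AD:memberOf") == "domain computers", "corporate"),
    (lambda r: r.get("Authentication:OuterMethod") == "EAP-TLS"
               and r.get("Radius:Aruba:Aruba-AP-Group") == "Remote", "Remote"),
]

# (condition over the Tips:Role set, enforcement profile, Aruba-User-Role sent back)
ENFORCEMENT = [
    (lambda roles: {"corporate", "Remote"} <= roles, "Corp RAP profile", "corp-RAP"),
    (lambda roles: "corporate" in roles, "Corp employee profile", "corp-employee"),
]

DEFAULT_ARUBA_ROLE = "[Deny Access]"  # assumed default profile for unmatched requests


def map_roles(request):
    """Evaluate-All: collect every CPPM role whose mapping condition matches."""
    return {role for cond, role in ROLE_MAPPING if cond(request)}


def enforce(roles, rules=ENFORCEMENT):
    """First-Applicable: the first rule whose condition holds wins."""
    for cond, _profile, aruba_role in rules:
        if cond(roles):
            return aruba_role
    return DEFAULT_ARUBA_ROLE


def evaluate(request, rules=ENFORCEMENT):
    return enforce(map_roles(request), rules)


# Constructed sample requests: the same domain-joined laptop, on-site and via a RAP.
ONSITE = {"Authentication:OuterMethod": "EAP-TLS",
          "Authorization:AD:memberOf": "domain computers",
          "Radius:Aruba:Aruba-AP-Group": "default"}
VIA_RAP = {**ONSITE, "Radius:Aruba:Aruba-AP-Group": "Remote"}

if __name__ == "__main__":
    print(evaluate(ONSITE))   # corp-employee
    print(evaluate(VIA_RAP))  # corp-RAP
    # Pitfall: with the general rule first, First-Applicable never reaches the
    # RAP rule and remote laptops silently get the on-site role.
    print(evaluate(VIA_RAP, rules=ENFORCEMENT[::-1]))  # corp-employee
```

The reversed-order case is the misconfiguration to check for when a RAP client unexpectedly lands in the on-site role.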


  • 11.  RE: Distinguish between on-premise (AP) and remote (RAP) connections in ClearPass?

    Posted Jan 21, 2014 03:50 PM

    Thanks again! I managed to set it up and got it working.

    You had me at Tips:Role ;) That was the missing piece, I couldn't figure out how to match for the roles we appended in the beginning of the process.

    Best regards,

    Fredrik