Contributor I

Employee Device self registration (MACtrack) and deactivation

Hi,


If I understand the MACtrack functionality correctly, it provides the option of device self-registration by employees.

This is what we have working in the lab. Registered devices would do MAC-AUTH. Employees are authenticated against AD. When employees register devices, the sponsor_name is shown as the employee's AD account.


Now the question came up what happens when the employee leaves the company.

How can we prevent the employee from connecting via MAC-AUTH after he has left?


One idea is to validate (authorize) the sponsor_name attribute in the Guest Device Repository against the AD when we do MAC-AUTH for a device.

The problem is that the sponsor_name attribute is not shown in Access Tracker; only the sponsor_profile_name is.


Is the above a good idea at all? Or has this been solved already?


Thanks,

Christian


Re: Employee Device self registration (MACtrack) and deactivation

Try this: make a copy of your AD source and change the query to this, and use that as an authorization source for the MAC auth service. Add the userAccountControl as an attribute and you can use that as part of your enforcement policy to allow the user access.

https://support.microsoft.com/en-us/kb/305144 

[Attached screenshot: 2016-04-22 21_01_46-ClearPass Policy Manager - Aruba Networks.png]


Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
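As an added illustration of the check Victor describes (example code written for this thread, not ClearPass's own logic and not part of any post): a small Python model of a device repository and an AD source that evaluates the userAccountControl ACCOUNTDISABLE bit (0x2, as documented in KB 305144) for the sponsor of a MAC-auth device, and builds the equivalent LDAP filter. All device and account records are constructed sample data.

```python
# Added example: model the "is the sponsor's AD account still enabled?" check
# that an enforcement policy would make on a MAC-auth request.
# The device and account tables are constructed stand-ins, not ClearPass data.

ACCOUNTDISABLE = 0x0002   # userAccountControl flag, per Microsoft KB 305144
NORMAL_ACCOUNT = 0x0200   # userAccountControl flag for a normal user account
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP bitwise-AND matching rule OID

# Stand-in for the Guest Device Repository: MAC -> sponsor_name (constructed)
GUEST_DEVICES = {
    "00-11-22-33-44-55": "jdoe",
    "66-77-88-99-aa-bb": "asmith",
    "cc-dd-ee-ff-00-11": "ghost",   # sponsor who no longer exists in AD
}

# Stand-in for the AD authorization source: sAMAccountName -> userAccountControl
AD_ACCOUNTS = {
    "jdoe": NORMAL_ACCOUNT,                    # 0x200: enabled
    "asmith": NORMAL_ACCOUNT | ACCOUNTDISABLE,  # 0x202: disabled after leaving
}


def ldap_filter_for_sponsor(sponsor_name: str) -> str:
    """Filter matching the sponsor only if the ACCOUNTDISABLE bit is clear."""
    # RFC 4515 escaping so a sponsor name cannot alter the filter structure
    escaped = (sponsor_name.replace("\\", "\\5c").replace("*", "\\2a")
               .replace("(", "\\28").replace(")", "\\29"))
    return (f"(&(sAMAccountName={escaped})"
            f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})))")


def account_is_active(uac: int) -> bool:
    """True unless the ACCOUNTDISABLE bit is set in userAccountControl."""
    return not (uac & ACCOUNTDISABLE)


def mac_auth_decision(mac: str) -> str:
    """Allow a MAC-auth device only if its sponsor still has an enabled AD account."""
    sponsor = GUEST_DEVICES.get(mac.lower())
    if sponsor is None:
        return "deny: unknown device"
    uac = AD_ACCOUNTS.get(sponsor)
    if uac is None:
        return f"deny: sponsor {sponsor} not found in AD"
    if not account_is_active(uac):
        return f"deny: sponsor {sponsor} account disabled"
    return f"allow: sponsor {sponsor} active"
```

The "not found in AD" branch matters as much as the disabled branch: a deleted account also has to map to a deny, not to a missing attribute that the policy silently ignores.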
Contributor I

Re: Employee Device self registration (MACtrack) and deactivation

I am afraid that doesn't work.


If I understand this correctly, CPPM would query AD for the values of the GuestUser:sponsor_profile_name attribute. This is in our case the Guest Operator Profile (Device Registration), which is not known to AD. The GuestUser:sponsor_profile_name appears in Access Tracker.


I think the query should get values for GuestUser:sponsor_name. But that attribute does not show in Access Tracker.

To me it seems this attribute is set in Guest (there is a field sponsor_name) but somehow not available in CPPM.

I would expect to see this in Access Tracker right beside the GuestUser:sponsor_profile_name attribute.


I added sponsor_name under GuestUser Entity as attribute without success. Access Tracker is just not showing that attribute.


Thanks,

Christian


Guru Elite

Re: Employee Device self registration (MACtrack) and deactivation

Yes, you would use sponsor_name. Try using it from Guest User Repository as an authorization source.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Employee Device self registration (MACtrack) and deactivation

No luck.


As a test I set the role mapping to check if GuestUser:sponsor_name is the value I see in Guest as sponsor for the device, without any AD involvement.


That mapping fails then. And the GuestUser:sponsor_name attribute is not shown in Access Tracker.

GuestUser:sponsor_profile_name is there.


I think this is the source problem.

Without GuestUser:sponsor_profile I can't verify the AD account. This is the only link between the device MAC and the user who created it.


If GuestUser:sponsor_profile should be there, I guess it is time to open a TAC case?


Thanks,

Christian


Re: Employee Device self registration (MACtrack) and deactivation

Are you looking under Input > Computed Attributes?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: Employee Device self registration (MACtrack) and deactivation

Do you have the guest user repository as an authorization source in your service?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Employee Device self registration (MACtrack) and deactivation

Yes, I have the guest user repository as an authorization source. I see other GuestUser attributes (like Role ID, sponsor_profile_name, Visitor Name, ...) in computed attributes, which I assume come out of that repository as well.

The service is a modified MAC caching service from a guest self-registration setup with MAC caching.

It works for MACtrack created devices in Guest.


And yes, I am looking under input -> computed attributes.

GuestUser:sponsor_name is just not there.


This is ClearPass 6.5.5, by the way.


Thanks,

Christian

Guru Elite

Re: Employee Device self registration (MACtrack) and deactivation

Give me until tomorrow to set this up in my lab.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Employee Device self registration (MACtrack) and deactivation

Thank you very much!


Let me know if I should provide more info.
