Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Endpoints database and the Available Attributes

  • 1.  Endpoints database and the Available Attributes

    Posted Aug 21, 2013 02:50 PM

    Hey,

     

    I have been spending a lot of time on the forums lately and have seen a lot of talk about the use of Endpoint attributes for Enforcement evaluation. This is something that I am familiar with and am currently using.

     

    When I look at the list of attributes that are available by default there is a large list which contains things like: OS Version, OS Type, Device Type, Device Vendor, etc.

      Aruba_Endpoint_Info.png

     

    In the upper right corner of the screenshot above there is some information about the device. To my knowledge you cannot use this information to evaluate the device, with the exception of the 'MAC Vendor', as it is an item that shows up in the device's request (according to the Access Tracker).

     

    My question, I think, mainly refers to the attributes in the bottom left of the screenshot above. These attributes mainly seem to get populated only when you Onboard a device. For instance, I Onboarded a Windows 7 laptop and the attribute 'Device Type' appeared with 'Windows 7 Service Pack 1'. I have not seen many other attributes populated automatically though. 'OS Version' and 'OS Type' I don't think I have ever seen populated. So I was wondering what process, or what feature, has to happen/be enabled in order to populate these attributes. Ideally it would be nice to see them populated automatically. Currently we are doing a lot of the populating manually.

     

    We do have DHCP fingerprinting working.

    I was thinking that perhaps some of the information could come from the Audit Servers (NMAP), since NMAP has the capability to detect the OS.

     

    If someone could help shed some light on this I would greatly appreciate it.

     

    Cheers



  • 2.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Aug 21, 2013 03:52 PM

    Whatever attribute you add manually to an Endpoint in the Endpoint Database can be used in role mapping later to make a decision.  Below I add a Colins-Favorite-Color attribute and make it green in a station's properties in the Endpoint Database:

    1.png

     

    I can then use a role mapping condition referencing that endpoint attribute in my service.  Any custom attribute I add becomes a dropdown that is usable when I create a role mapping that begins with "Endpoint".

     

    2.png

     



  • 3.  RE: Endpoints database and the Available Attributes

    Posted Aug 21, 2013 04:59 PM

    @cjoseph

    Thank you for your response.

    I was aware that we could add custom attributes and that we can then use them later to do role mapping and other things. This is definitely a great option to have.

     

    I was more curious about the attributes that already exist by default. Since they exist in the CPPM by default there is intent for them to be used, I am just not sure if the intent was to have them populated manually (an admin adds a value) or for them to be populated by some other means.

     

    Cheers



  • 4.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Aug 21, 2013 05:04 PM

    The upper right attributes like MAC Vendor can be used in Role Attributes as well, using Authorization:Endpoints Repository.  I hope that is what you mean...

     

    1.  The custom attributes in the dropdown that you have seen have probably been added as a result of Onboarding adding a custom attribute to at least one endpoint.

    2.  The attributes in the upper right can also be used in Role Attributes.

    3.  You can also use IF-MAP to port the HTTP User-Agent strings and mDNS broadcast info from the controller into ClearPass (more than just DHCP fingerprinting):

     

    6.3 release notes:

     

    5.png

     

     

     

     



  • 5.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Aug 21, 2013 05:04 PM
    The attributes at the top right are generated from the profiling process, which includes MAC OUI, DHCP fingerprinting and HTTP header analysis.

    Generally when the "profiled" status is yes, those attributes should be there.


  • 6.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Aug 21, 2013 05:35 PM

    @bourne wrote:

    @cjoseph

    Thank you for your response.

    I was aware that we could add custom attributes and that we can then use them later to do role mapping and other things. This is definitely a great option to have.

     

    I was more curious about the attributes that already exist by default. Since they exist in the CPPM by default there is intent for them to be used, I am just not sure if the intent was to have them populated manually (an admin adds a value) or for them to be populated by some other means.

     

    Cheers


    Bourne,

     

    Just to show you what can be done when you turn on IF-MAP on the controller:  I attached one iPad to the controller before turning on Ifmap, then I turned on IF-Map and attached another:

    1.png

     

    One is just classified as an iOS device:

    2.png

     

    The second is actually classified as an iPad:

     

    3.png

     

    IF-MAP will send more granular information about your devices from your controller to CPPM, without onboarding, for devices that share the same DHCP fingerprint like an iPad and an iPhone.

     

    It will also pass on user-agent information, all without onboarding.

     

    4.png

     

     



  • 7.  RE: Endpoints database and the Available Attributes

    Posted Aug 21, 2013 07:33 PM

    Hey guys,

     

    Thanks a ton for the responses! The 'IF-MAP' feature was something that I was totally unaware of. It looks like it offers a more pinpoint fingerprint of what the device really is. Sounds like a great feature that I am definitely going to investigate and enable.

     

    I just wanted to clarify on what I was trying to ask as I don't necessarily think I did such a good job on it.

     

    Currently we use a custom attribute that is added to company owned Windows laptops. We do this to identify which devices have full access to our production network. Then in one of our Enforcement Profiles we use it to evaluate the user request. In order for a user to be allowed onto the wireless the request must come from a device which has this custom attribute (among other things).

     

    When I look at the Event Viewer log I can see this attribute appear under the 'Computed Attributes' 

    Endpoints_0001.png

     

    If I look at the rest of the 'Computed Attributes' I do not see any of the other attributes/parameters generated by DHCP FP that are available in the Endpoint Profile of the device itself. Below is a screenshot of the Endpoint Profile for the device which is being used to make an authentication request.

    Endpoints_0002.png

     

    We do not Onboard these devices. We use EAP-PEAP to authenticate them.

     

    If I look at the values that are available from the drop down list for 'Attributes' 

    Endpoints_0003.png

    I have marked the attributes that were added by us. Everything else in this list was already there. I believe this appears in the CPPM by default. These attributes are available to be evaluated in either your Role Mapping rules or in Enforcement Policies.

     

    Here is a shot from just an example Role Mapping rule

    Endpoints_0004.png

     

    Okay, so hopefully I am not completely making this confusing up until this point. I think I am having a hard time explaining what's going through my head :(

     

    We say that we can use the values that are computed via DHCP fingerprinting, HTTP analysis, etc. to evaluate requests. I have been under the impression that we can only use values that actually show in the client request (shown in the Event Viewer). So if we go back to the screenshot of the client request above, there is no value that tells me what the Operating System is, for example. But we have a parameter from DHCP FP which is 'OS Family' = 'Windows' in the Endpoint Profile.

     

    And if we look at the Attributes in the drop down list the ones that would identify the OS for example might be 'OS Version' or 'OS Type'.

     

    But in the values available from the DHCP finger printing there is no parameter called 'OS Type'. There is however 'OS Family'. So does 'OS Type' = 'OS Family'? 

     

    But even if it did, I don't think I could evaluate it because it isn't a 'Computed Attribute' contained within the Client Request. Because technically in the Endpoint Profile for the device the attribute hasn't been defined.

     

    It would seem that when the attributes are 'computed' only attributes that have been defined in the 'Attributes' section of the Endpoint Profile can be used to do evaluation. The one exception to this (at least to me at this point) is the 'MAC Vendor' which can be evaluated using 'Connection:Client-Mac-Vendor'.

     

    So to refine my original question: I don't think I am fully following how we can use the parameters generated by the DHCP FP, HTTP analysis, etc. to evaluate a client request (with the exception of the 'MAC Vendor'). Aruba provides us a list in the drop down menu of the values that we can evaluate, and we can add custom values, which is great. But values generated by DHCP FP do not seem to be available.

     

    Sorry for the long winded explanation! As I started to read your responses and go over my original question I started realizing maybe I didn't ask it correctly.

    I don't think I did a much better job either, but hopefully I helped a little. There is probably something I am not getting!

     

    Thanks again!

     

    Cheers



  • 8.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Aug 21, 2013 07:46 PM

    Do you have the [Endpoint Repository] [Local SQL DB] as an additional authorization source in your service policy? You can only make policy decisions from computed attributes that are available from authentication and authorization sources in the service.

     

    cp_authorization-endpoint.PNG

     

     



  • 9.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Aug 21, 2013 08:09 PM

    Bourne,

     

    The Endpoint user repository is a list of device attributes, by mac address.  You can turn on Machine Authentication on your domain machines, and CPPM will store a custom role of [MACHINE AUTHENTICATED] that you can always use to evaluate along with user authentication to validate a machine.  For devices that are non-domain, you can simply add an attribute manually to the device's entry in the endpoint repository and combine that with user authentication for elevated privileges, or onboard those devices that have not machine authenticated.

     

    Endpoint attributes are normally collected after the device does DHCP (fingerprinting) or after the device opens an http conversation (user agent).  Both attributes can ONLY be collected after initial authentication, so you cannot collect them realtime during authentication to make a decision; it is stored information from a previous connection.

     

    To be truly secure you can deploy EAP-TLS using autoenrollment through a combination of group policy and onboarding for non-domain devices.  The only thing you would be checking is the validity of the certificate and you can also check the status of the computer or user account that would be attached to that certificate.  

     

    Long story short, don't put yourself through the trouble of checking tons of attributes when maybe EAP-TLS and/or machine authentication would be the simpler solution.

     

     

     



  • 10.  RE: Endpoints database and the Available Attributes

    Posted Aug 21, 2013 09:20 PM

    @cappalli

     

    I confirmed that I do NOT have [Endpoint Repository] [Local SQL DB] in the Authorization list!

    As soon as you mentioned it you sparked a bunch of thoughts in my head. This could definitely explain a few things. I unfortunately am no longer at work and will have to wait until tomorrow to do a test. I will get testing first thing in the morning. If this is the thing that I am missing then I feel like a complete moron because it is very obvious having seen it!

     

    Thank you sir.

     

    @cjoseph

     

    I 100% agree that perhaps the role [MACHINE AUTHENTICATED] is better to use.

    At the time we initially developed our rules doing machine authentication was not possible. We do not have AD and were having problems getting machines to authenticate against our OpenLDAP. Eventually we discovered what we were doing wrong, but this was much later, after we built the rules.

     

    I follow you with regards to the attributes and when they are collected! And I have seen it first hand as well through testing.

     

    I would agree that EAP-TLS is the better way to go. We have been avoiding Onboarding company owned laptops because we do not want to consume an Onboard license. But we still wanted to maintain some control over what devices were able to connect.

     

    That being said it might be a good time to re-evaluate how we are authorizing company owned laptops/computers and see if there is a better more straight forward way of doing it.

     

    I definitely appreciate your feedback! Thank you!

     

     

    Cheers



  • 11.  RE: Endpoints database and the Available Attributes

    Posted Aug 22, 2013 08:53 AM

    Okay I finally figured out where I was going wrong!

    @cappalli

    Your suggestion did work. I was just an idiot and missed it.

    The values that get added show up under the 'Authorization Attributes'. I was stubborn and kept looking under 'Computed Attributes'. I wasn't paying attention to what was really going on which is 100% my fault.

     

    Now, the other thing is that this whole time while trying to create rules using the values generated by DHCP FP I have been trying to use 'Type' = 'Endpoint'.

    When I should have been using 'Type' = 'Authorization:[Endpoints Repository]'

     

    Now I see all the values like 'OS Family', 'Category', 'Device Name', etc

    Endpoints_0005.png

     

    I don't know how I have missed this option for so long! It never dawned on me to check to see if this was even available. I was just being stubborn I guess.

     

    Thanks for everyones help!

    --------------------------------------------------------------------------------------------------------------------

    I added the [Endpoints Repository] [Local SQL DB] to the 'Authorization' sources.

    No change in the information available in the user request.

     

    Only values that are defined in the 'Attributes' section of the Endpoint Profile are available to be used to evaluate user requests.

     

    Thanks again for the help,

     

    Cheers



  • 12.  RE: Endpoints database and the Available Attributes

    Posted Apr 06, 2015 05:55 AM

    We found "Endpoint missing in db".

     

    Went to Configuration » Identity » Endpoints, to add the mac... but the endpoints are showing No under Profiled... Need to change it to Yes? ____ How to change it to Yes? ____

     

    What is the simplest way of adding an endpoint in the db?

    Sounds simple, right? ____ 

     

    Haiz... I tried to google and find but to no avail...

    Pls share if you have useful links...



  • 13.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Apr 06, 2015 06:27 AM

    msaw,

     

    What exactly are you trying to do?

     



  • 14.  RE: Endpoints database and the Available Attributes

    Posted Apr 06, 2015 10:23 AM
    I want to add 3 devices in the endpoint database.
    But I could not find the procedure...


  • 15.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Apr 06, 2015 10:25 AM

    Do you mean manually or automatically?  What are you having problems with?

     



  • 16.  RE: Endpoints database and the Available Attributes

    Posted Apr 06, 2015 10:29 AM
    I wanted to add 3 windows devices into the endpoint database... I was trying to find the procedure from the user guide in 6.5. I'm ok with either manual or automatic endpoint device adding, as long as the device is added in the database...


  • 17.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Apr 06, 2015 10:35 AM

    Msaw,

     

    Under Identity> Endpoints Database, there is an add button if you want to add devices manually. 

     

    If you look in the online help for the chapter "ClearPass Policy Manager Profile" you will see the methods to add endpoints automatically.



  • 18.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Apr 06, 2015 10:35 AM

    Msaw,

     

    Under Identity> Endpoints Database, there is an add button if you want to add devices manually. 

     

    If you go to https://<ipaddressofcppm>/tipshelp/html/en/index.htm#CPPM_UserGuide/PolicyProfile/ProfileOverview.html%3FTocPath%3DClearPass%20Manager%20Policy%20Profile%7C_____0    you will see the methods to automatically profile and add devices to the endpoints database.



  • 19.  RE: Endpoints database and the Available Attributes

    Posted Apr 21, 2015 01:00 AM

    DHCP fingerprinting on the Clearpass was working after adding the "DHCP helper IP" on the network devices...

    Cheers!



  • 20.  RE: Endpoints database and the Available Attributes

    Posted Aug 22, 2013 10:27 AM

    @cjoseph

     

    I was looking into the IF-MAP feature.

    I found this PDF which states that we need AOS 6.3.

    Our Controller is still on 6.1.3

     

    IF-MAP will not be available for us to toggle on and off?

     

    I have been looking through the AOS Command Line Interface Reference Guide and haven't been able to find any reference to IF-MAP.



  • 21.  RE: Endpoints database and the Available Attributes

    MVP
    Posted Aug 22, 2013 02:21 PM

    Correct.. the option simply is not there yet. No button to push :)



  • 22.  RE: Endpoints database and the Available Attributes

    Posted Aug 22, 2013 02:25 PM

    Darn...

     

    Wish there was a commandline option for it! I would really like to test it out.



  • 23.  RE: Endpoints database and the Available Attributes

    MVP
    Posted Aug 23, 2013 06:42 AM

    There's not alot to it...

    From the 6.3 cli manual:

     

    ifmap cppm
      enable
      no
      server host <host>
      port <port>
      username <username>
      passwd <password>

     

    Parameter            Description                                                                                              Default
    enable               Enables the IF-MAP protocol.                                                                             —
    server               Configures the CPPM IF-MAP server.                                                                       —
    host <host>          IP address/hostname of the CPPM IF-MAP server.                                                           —
    port <port>          Port number for the CPPM IF-MAP server. The range is 1-65535.                                            443
    username <username>  Username for the user who performs actions on the CPPM IF-MAP server. The name must be 1-255 bytes long. —
    passwd <password>    Password of the user who performs actions on the CPPM IF-MAP server. The password must be 6-100 bytes.   —



  • 24.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Aug 23, 2013 07:36 AM

    When we configured it, we made a local CPPM admin user account for each controller with the API admin role.



  • 25.  RE: Endpoints database and the Available Attributes

    Posted Aug 23, 2013 08:34 AM

    That's great.

    Does seem pretty straight forward.

    Thanks @koenv

     

    I wasn't able to locate the CLI reference guides for 6.3 on the Aruba support site. I did a Google search though and was able to track it down.

     

    How are you guys already running 6.3? Is it some sort of early release access?

     

    Is the 'API Admin Role' the role that has the necessary permissions to process the IFMAP information?



  • 26.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Aug 23, 2013 08:59 AM

    You can access 6.3 on the support site under Early Deployment.

     

    support-aruba-63.PNG

     

     

    The API Administrator role definitely has "enough" access rights for the IF-MAP information. It may actually have more permission than it needs. We're waiting for confirmation on what access it truly needs so we can create a role with access to only what it needs.



  • 27.  RE: Endpoints database and the Available Attributes

    Posted Aug 23, 2013 09:14 AM

    That's awesome! I have to talk with the rest of my team and see if it is something we want to try out.

    What is the risk of going with an early deployment release? Is it recommend for production environments? Or lab only?

     

    That sounds like a great idea! Create a user that has just enough.

    When you receive that information would you be able to pass it along?



  • 28.  RE: Endpoints database and the Available Attributes

    Posted Sep 11, 2013 12:56 AM

    All,

     

    I'm sure it's obvious and I'm just missing it, but how do you enable IF-MAP in Clearpass? I set it up in 6.3 with an API user but am currently getting the following from the CLI:

     

    (Test-Controller-6.3) #show ifmap state cppm

    CPPM IF-MAP Connection State [Interface: Enabled]
    -------------------------------------------------
    Server State
    ------ -----
    MYSERVER.DOMAIN.LOCAL:443 DOWN

     

    Thanks!

     

    -Mike



  • 29.  RE: Endpoints database and the Available Attributes

    Posted Sep 11, 2013 12:59 AM

    Try switching to the IP. I started off with hostname and got the same results. Switched to using the IP of the CPPm and everything started working.



  • 30.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Sep 11, 2013 01:02 AM

    Today It only works with the admin username and password



  • 31.  RE: Endpoints database and the Available Attributes

    Posted Sep 11, 2013 08:30 AM

    @cappalli

     

    How were you able to get a user to perform IF-MAP with the API rights? Did you set the admin to API-only rights?

     

    Thanks!

     

    -Mike



  • 32.  RE: Endpoints database and the Available Attributes

    Posted Sep 11, 2013 08:34 AM

    Bourne and Troy,

     

    Thanks for the help! Here's what it now looks like with the admin password and the IP:

     

    (Test-Controller) #show ifmap state cppm

    CPPM IF-MAP Connection State [Interface: Enabled]
    -------------------------------------------------
    Server State
    ------ -----
    10.10.102.253:443 UP

    (Test-Controller) #

     

    Thanks!

     

    -Mike



  • 33.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Sep 11, 2013 08:43 AM

    Troy,

     

    How can we verify that ClearPass is updating attributes from the IF-MAP information? Is it logged?

     

    Thanks



  • 34.  RE: Endpoints database and the Available Attributes

    Posted Sep 11, 2013 08:53 AM

    @cappalli

     

    I tested this by first looking at a device that had been profiled with IF-MAP off.

    I then deleted it from the Endpoints DD, enabled IF-MAP, and allowed it to be profiled again.

     

    I then compared the two profiles together and I noticed the difference.

     

    This is the only way that I know to do it and I think it was @cjoseph who explained this. His post is on the first page of this post.

     

    Not sure if there is a better way. Maybe there might be a log inside the controller that would reveal this?

     

    No problem @boston1630 glad to help.

     

    Cheers



  • 35.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Sep 11, 2013 09:28 AM

    Turn on debugging in the system for the mapc process, then parse the system log for mapc:

     

    config t
    logging level debugging system process mapc
    show log system all | include mapc
    
    Sep 11 08:26:08 :309056:  <DBUG> |mapc|  exec(req46@MAPC-2<49156>): Publishing mDNS info for mac:4c:e6:76:fd:7b:d7
    Sep 11 08:26:08 :309056:  <DBUG> |mapc|  exec(req47@MAPC-3<65541>): Publishing mDNS info for mac:4c:e6:76:fd:7b:d7
    Sep 11 08:26:08 :309048:  <DBUG> |mapc|  Successfully Publish Request(req46) to IF-MAP server https://192.168.1.32:443/ifmap using Conn:0-4
    Sep 11 08:26:08 :309048:  <DBUG> |mapc|  Successfully Publish Request(req47) to IF-MAP server https://192.168.1.32:443/ifmap using Conn:1-4
    Sep 11 08:26:11 :309054:  <DBUG> |mapc|  exec(req48@MAPC-1<32771>): Publishing user agent string for wireless-MAC/IP=d0:e7:82:7b:65:ca/192.168.1.125 UA-Str="Mozilla/5.0 (CrKey armv7l 1.1...."
    Sep 11 08:26:11 :309048:  <DBUG> |mapc|  Successfully Publish Request(req48) to IF-MAP server https://192.168.1.32:443/ifmap using Conn:2-4
    Sep 11 08:26:11 :309054:  <DBUG> |mapc|  exec(req49@MAPC-1<32771>): Publishing user agent string for wireless-MAC/IP=b0:ee:45:49:6f:b6/192.168.1.124 UA-Str="Mozilla/5.0 (CrKey armv7l 1.1...."
    Sep 11 08:26:11 :309048:  <DBUG> |mapc|  Successfully Publish Request(req49) to IF-MAP server https://192.168.1.32:443/ifmap using Conn:0-4
    Sep 11 08:26:12 :309054:  <DBUG> |mapc|  exec(req50@MAPC-3<65541>): Publishing user agent string for wireless-MAC/IP=00:23:6c:90:05:11/192.168.1.67 UA-Str="Mozilla/5.0 (Macintosh; Intel ..."
    Sep 11 08:26:12 :309048:  <DBUG> |mapc|  Successfully Publish Request(req50) to IF-MAP server https://192.168.1.32:443/ifmap using Conn:1-4
    Sep 11 08:26:24 :309056:  <DBUG> |mapc|  exec(req51@MAPC-1<32771>): Publishing mDNS info for mac:4c:e6:76:fd:7b:d7
    Sep 11 08:26:24 :309056:  <DBUG> |mapc|  exec(req52@MAPC-2<49156>): Publishing mDNS info for mac:4c:e6:76:fd:7b:d7
    Sep 11 08:26:24 :309048:  <DBUG> |mapc|  Successfully Publish Request(req51) to IF-MAP server https://192.168.1.32:443/ifmap using Conn:2-4
    Sep 11 08:26:24 :309048:  <DBUG> |mapc|  Successfully Publish Request(req52) to IF-MAP server https://192.168.1.32:443/ifmap using Conn:0-4
    Sep 11 08:26:53 :309056:  <DBUG> |mapc|  exec(req53@MAPC-3<65541>): Publishing mDNS info for mac:00:23:6c:90:05:11
    Sep 11 08:26:53 :309048:  <DBUG> |mapc|  Successfully Publish Request(req53) to IF-MAP server https://192.168.1.32:443/ifmap using Conn:1-4
    
    

     

     



  • 36.  RE: Endpoints database and the Available Attributes

    Posted Nov 14, 2014 10:50 AM

    When defining the IF-MAP server to use on the controller, you have to specify a port number. Our ClearPass servers redirect HTTP to HTTPS, so am I supposed to just specify 443? I only ask because I tried that but running the show ifmap cppm command only gave me

     

    (aruba0) (config) #show ifmap cppm

    CPPM IF-MAP Profile
    -------------------
    Parameter              Value
    ---------              -----
    CPPM IF-MAP Interface  Enabled
    CPPM IF-MAP Server     144.32.128.68:443 imfadmin/********

     

    user imfadmin is set up on the clearpass server as an API Admin account. Our controllers are runnnig 6.3.<something>

     

    Rgds

    Alex

     



  • 37.  RE: Endpoints database and the Available Attributes

    Posted Nov 14, 2014 10:58 AM

    You have it configured the right way.

     

    Port 443

     

    You can run the following to confirm is working

    (MASTER-CONTROLLER) #show ifmap state cppm

    CPPM IF-MAP Connection State [Interface: Enabled]
    -------------------------------------------------
    Server State
    ------ -----
    192.168.1.102:443 UP



  • 38.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Nov 14, 2014 11:08 AM

    yes, port 443



  • 39.  RE: Endpoints database and the Available Attributes

    Posted Nov 14, 2014 11:28 AM

    May have configured it properly,but what I get is

     

    (aruba0) #show ifmap state cppm

    CPPM IF-MAP Connection State [Interface: Enabled]
    -------------------------------------------------
    Server             State
    ------             -----
    144.32.128.68:443  DOWN

     

    and I know the server ain't down coz I'm logged into it and its authenticating people.

     

    What happens if the controller is talking to 443 and can't verify the clearpass cert?

    A

     



  • 40.  RE: Endpoints database and the Available Attributes

    Posted Nov 14, 2014 11:30 AM

    That's probably because the username/password is failing.

    Use your admin / password 

     



  • 41.  RE: Endpoints database and the Available Attributes

    EMPLOYEE
    Posted Nov 14, 2014 11:32 AM

    Did you create the user in the admin user repository or local user repository?

     

    Also, take a look higher in this thread for the debug commands.



  • 42.  RE: Endpoints database and the Available Attributes

    Posted Nov 14, 2014 11:53 AM

    o.k. changed the userid to be admin and not my created one and i now get a status of UP. Guess my permissions of API admin weren't enough

     

    Rgds

    A
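    The troubleshooting in this thread boils down to three checks on the two `show ifmap` outputs: is the session UP, was the server entered as a hostname rather than an IP (post 29 reports the session only came up after switching to the IP), and which ClearPass account the controller is using (posts 30 and 42 report that, on the releases in use at the time, only the built-in admin account brought the session up, while post 26 notes the API Administrator role already carries more rights than IF-MAP needs). The script below is an added example, not part of the original posts or of any Aruba tool: it parses pasted `show ifmap cppm` and `show ifmap state cppm` output and emits those findings as (code, message) pairs. The sample outputs are copied from posts 36, 39 and 32 above; the `admin/********` and `MYSERVER.DOMAIN.LOCAL ... apiuser` profile lines and the hostname state output are constructed for the example, and the output format is assumed to match what those posts show.

```python
import ipaddress
import re

# Samples copied from this thread: the profile quoted in post 36 and the
# DOWN state quoted in post 39.
PROFILE_DOWN = """\
CPPM IF-MAP Profile
-------------------
Parameter              Value
---------              -----
CPPM IF-MAP Interface  Enabled
CPPM IF-MAP Server     144.32.128.68:443 imfadmin/********
"""
STATE_DOWN = """\
CPPM IF-MAP Connection State [Interface: Enabled]
-------------------------------------------------
Server             State
------             -----
144.32.128.68:443  DOWN
"""
# The UP state from post 32, paired with a constructed profile line that
# uses the admin account as that post reports.
PROFILE_UP = "CPPM IF-MAP Interface  Enabled\nCPPM IF-MAP Server     10.10.102.253:443 admin/********\n"
STATE_UP = "Server State\n------ -----\n10.10.102.253:443 UP\n"
# Constructed: a hostname-based server entry, the situation in post 28.
PROFILE_HOSTNAME = "CPPM IF-MAP Interface  Enabled\nCPPM IF-MAP Server     MYSERVER.DOMAIN.LOCAL:443 apiuser/********\n"
STATE_HOSTNAME = "Server State\n------ -----\nMYSERVER.DOMAIN.LOCAL:443 DOWN\n"

SERVER_RE = re.compile(r"CPPM IF-MAP Server\s+(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<user>[^/\s]+)/")
IFACE_RE = re.compile(r"CPPM IF-MAP Interface\s+(\S+)")
# One "host:port STATE" line per configured server (IPv4 or hostname; IPv6 not handled).
STATE_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<state>UP|DOWN)\s*$", re.M)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_profile(text):
    """Fields from 'show ifmap cppm'."""
    server = SERVER_RE.search(text)
    if not server:
        raise ValueError("no 'CPPM IF-MAP Server' line in profile output")
    iface = IFACE_RE.search(text)
    return {
        "interface": iface.group(1) if iface else "Unknown",
        "host": server.group("host"),
        "port": int(server.group("port")),
        "username": server.group("user"),
    }


def parse_state(text):
    """Server rows from 'show ifmap state cppm'."""
    return [
        {"host": m.group("host"), "port": int(m.group("port")), "state": m.group("state")}
        for m in STATE_RE.finditer(text)
    ]


def assess(profile_text, state_text):
    """Return (code, message) findings for one controller's IF-MAP setup."""
    profile = parse_profile(profile_text)
    states = parse_state(state_text)
    findings = []
    if profile["interface"] != "Enabled":
        findings.append(("interface-disabled", "IF-MAP interface is not enabled on the controller"))
    if not states:
        findings.append(("no-state", "no server row found in 'show ifmap state cppm' output"))
    for entry in states:
        if entry["state"] == "UP":
            continue
        findings.append(("server-down", f"connection to {entry['host']}:{entry['port']} is DOWN"))
        if not is_ip(entry["host"]):
            findings.append(("use-ip", f"{entry['host']} is a hostname; this thread reports the session only came up with the ClearPass IP"))
        if entry["port"] != 443:
            findings.append(("port", f"port {entry['port']} configured; this thread confirms 443"))
        if profile["username"] != "admin":
            findings.append(("credential", f"user '{profile['username']}' is not the built-in admin; this thread reports IF-MAP stayed DOWN with an API Administrator account"))
    if profile["username"] == "admin":
        findings.append(("admin-credential", "the controller holds the ClearPass admin password; treat it as a privileged secret and move to a narrower role once one is confirmed to work"))
    return findings


if __name__ == "__main__":
    for label, prof, state in [("post 36/39", PROFILE_DOWN, STATE_DOWN),
                               ("post 32", PROFILE_UP, STATE_UP),
                               ("post 28", PROFILE_HOSTNAME, STATE_HOSTNAME)]:
        print(label)
        for code, msg in assess(prof, state):
            print(f"  [{code}] {msg}")
```

    The "admin-credential" finding is the trade-off the thread leaves open: the session works with the admin account, but that means every controller stores a credential that can reconfigure ClearPass, so the password deserves the same handling as any other privileged secret until a role with only the rights IF-MAP needs is confirmed.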