
How-To: Advanced MACTrac designs in ClearPass November-MHC

I’ve found that the MACTrac implementation in ClearPass is a big hit with Enterprises and Campuses that want to allow employees / staff / students to self-register their own devices. A standard, vanilla design allows non-admin users the “Device Registration” role in ClearPass Guest. From here, they have the ability to add MAC Authenticated devices and Airgroup-enabled devices. The one thing that this design doesn’t take into account is the scenario where you’d like to provide different wireless user roles depending on the type of person that registered their devices. This How-To will explain how to pull that off.

 

This design was implemented on an Aruba 7005 running 6.4.2.2 with an AP-225. The authentication backend was ClearPass 6.4.2 with a Windows 2012 AD server.

 

1. Create new ClearPass Guest User Roles

 

i. Log into ClearPass Guest

ii. Go to Administration > Operator Logins > Profiles

iii. Click on "Device Registration" and click "Duplicate"

 

Screen Shot 2014-11-17 at 4.36.59 PM.png

 

iv. Click the new "Copy of Device Registration" and rename it "Student Device Registration"

v. Repeat step 1.iii and rename it to "Staff Device Registration"

vi. You should now have two roles that look like the following screen capture:

 

Screen Shot 2014-11-14 at 10.02.54 PM.png

vii. Next, go to Administration > Operator Logins > Translation Rules > "Create new translation rule"

    1. Name = Clearpass Student Device Registration Operator Login

    2. Attribute Name = admin_privileges

    3. Matching Rule = equals

    4. Value = [Student Device Registration]

    5. On Match = "Assign fixed operator profile"

    6. Operator Profile = "Student Device Registration"

 

This will look like the following screenshots:

Screen Shot 2014-11-14 at 10.05.04 PM.png

 

Screen Shot 2014-11-14 at 10.03.51 PM.png

 

viii. Repeat Step 1.vii for the Staff role as well. The Translation Rules will look like the following screenshot when you are finished:

 

Screen Shot 2014-11-17 at 3.26.25 PM.png

 

2. Creating new ClearPass Roles for Student and Staff

 

i. Go to ClearPass Policy Manager 

ii. Go to Configuration > Identity > Roles 

iii. Click "+Add" and add a role for Staff and Students

 

The following screenshot is an example of what this looked like in my lab:

 

Screen Shot 2014-11-17 at 3.38.23 PM.png

 

3. Enabling ClearPass Guest for differentiated user access

 

The next thing that we have to do is allow students and staff to log into ClearPass Guest to create their own devices. These upcoming steps will put together the enforcement policies, profiles, and the Guest service to make that happen.

 

i. Go to ClearPass Policy Manager 

ii. Go to Configuration > Identity > Role Mapping 

iii. Click "+Add" in the top right-hand corner

iv. Click "Mapping Rules" > "Add Rule"

    1. Type = Authorization:Windows-2012

    2. Name = Groups

    3. Operator = Equals

    4. Value = Students

    5. Actions > Role Name = Students

 

The above is again the setup in my lab. Your Windows / LDAP environment will have different values. Here's a screenshot of the above after creating a user role for admins, staff and students:

 

Screen Shot 2014-11-17 at 4.26.48 PM.png

 

v. Go to Configuration > Enforcement > Enforcement Profiles

vi. Click "+Add" in the top right-hand corner

vii. Template = Generic Application Enforcement

viii. Click "Attributes" > "Click to Add"

    1. Attribute Name = "admin_privileges" (this must be typed in manually)

    2. Attribute Value = "[Student Device Registration]"

 

The following screenshot shows what this will look like:

 

Screen Shot 2014-11-17 at 4.34.08 PM.png

 

ix. Repeat steps 3.vi - 3.viii for the Staff Device Registration role as well. 

x. Next, go to Configuration > Enforcement > Enforcement Policies

xi. Do a search for "[Guest" and copy this Enforcement Policy. 

xii. Click on the copied Enforcement Policy and rename it.

xiii. Click on the Rules tab > "Add Rule"

    1. Type = Tips

    2. Name = Role

    3. Operator = Equals

    4. Value = Students

    5. Actions > Profile Names = Students (Defined in 3.viii)

 

Repeat step 3.xiii for the Staff role. This will look like the following screenshot:

 

Screen Shot 2014-11-17 at 5.11.06 PM.png

 

xiv. Next, go to Configuration > Services

 

By default, ClearPass Guest access is controlled by the "[Guest Operator Logins]" service. We are going to duplicate this service and make some minor changes for the MACTrac service.

 

xv. Click on the "[Guest Operator Logins]" service and click the "Copy" button in the bottom right-hand corner.

xvi. Click the "Reorder" button in the bottom right-hand corner and move the copied version right below the "[Guest Operator Logins]" service.

xvii. Click the green dot to the right of the "[Guest Operator Logins]" service to disable it.

xviii. Click the red dot to the right of the copied service to enable it.

xix. Click on the copied version of the Guest service and go to the Authentication tab.

xx. Select "--Select to Add--" and make sure your AD / LDAP server is an available source.

xxi. Click the Roles tab and select the Role Mapping policy that was created in step 3.iv

xxii. Click the Enforcement tab and select the Enforcement Policy that was created in step 3.xiii

 

At this point, an AD Staff and Student member should be able to log into the ClearPass Guest URL and receive a page that looks similar to the following:

 

Screen Shot 2014-11-17 at 5.16.08 PM.png

 

In the above screenshot, I've already added a MAC address to the MACTrac system by clicking on the "Create" icon to the right of "Quick Help".

 

4. Creating the new wireless MACTrac service and policies 

 

The next step is to set up the wireless services in Clearpass to pass different Aruba User Roles depending on the type of user, Student or Staff, that created the MACTrac device.

 

i. Go to Policy Manager 

ii. Go to Configuration > Identity > Role Mapping 

iii. Click "+Add" in the top right-hand corner

iv. Click "Mapping Rules" > "Add Rule"

    1. Type = GuestUser

    2. Name = sponsor_profile_name 

    3. Operator = Equals

    4. Value = Student Device Registration

    5. Actions > Role Name = Students

v. Repeat Step 4.iv for a Staff role as well.

 

The above steps will look like the following screenshot:

 

Screen Shot 2014-11-17 at 6.20.08 PM.png

 

vi. Next, we're going to create some new Aruba User roles. Go to Configuration > Enforcement > Enforcement Profiles

vii. Click "+Add" in the top right-hand corner

viii. Select the default "Aruba RADIUS Enforcement" as the Template

ix. Give this Enforcement Profile a name. For instance, "MACTrac Student Profile"

x. Go to the Attributes tab and replace the red "Enter role here" with the name of the Student MACTrac role that you will create on the controller.

xi. Repeat steps 4.vii - x for the Staff Aruba Role as well.  

 

Next, we're going to create the Enforcement Policies.

 

xii. Go to Configuration > Enforcement > Enforcement Policies

xiii. Click the "+Add" button in the top right-hand corner

xiv. Give the Enforcement Policy a name.

xv. Select a "RADIUS" Enforcement type

xvi. Select [Deny Access Profile] as the Default Profile

xvii. Click the "Rules" tab > "Add Rule"

    1. Type = Tips

    2. Name = Role

    3. Operator = Equals

    4. Value = Students 

    5. Actions > Profile Name = MACTrac Student Profile (as defined in 4.ix)

xviii. Repeat step 4.xvii for the Staff profile as well.

 

Your Enforcement Policy should look like the following screenshot:

 

Screen Shot 2014-11-17 at 6.38.02 PM.png

 

We're going to tie these two pieces together in a ClearPass MAC authentication service. In a production environment, the following configuration would be added to, or merged into, the existing service for the Guest MAC SSID that is performing MAC Caching. Here, in this example, the SSID is only being used for MACTrac and the purpose of this How-To. I would recommend backing up any ClearPass service that you may change before going forward.

 

xix. Go to your wireless MAC Authentication service and click the Authentication tab

xx. Under Authentication Sources, click the "--Select to Add--" and choose the "Guest Device Repository." This is where the MAC addresses are stored for MACTrac in Clearpass Guest.

xxi. Go to the Roles tab and select the Role Mapping that we built in 4.iv.

xxii. Go to the Enforcement tab and select the Enforcement Policy that was defined in 4.xviii.

 

Here are two screenshots of the summary page of my MACTrac MAC Authentication wireless service:

 

Screen Shot 2014-11-17 at 6.48.44 PM.png

 

Screen Shot 2014-11-17 at 6.48.52 PM.png

 

The pieces are all in place, now it's time to start testing the solution!
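To see how Steps 1 through 4 chain together, here is a small model of the two policy evaluations, written as an added example (not ClearPass code or the author's): the Guest operator login that assigns an operator profile, and the MAC authentication that turns the device's sponsor_profile_name into an Aruba user role, falling back to [Deny Access Profile] when no rule matches. The controller role names, the sample AD groups and the MAC addresses are constructed placeholders.

```python
# Model of the two ClearPass decisions this How-To configures (example code, not
# ClearPass or Aruba code). Profile and attribute names come from the How-To; the
# controller role names and the sample users/devices are constructed placeholders.

# Stage 1 (Guest operator login): Role Mapping 3.iv, Enforcement Policy 3.xiii,
# Translation Rule 1.vii.
AD_GROUP_TO_TIPS_ROLE = {"Students": "Students", "Staff": "Staff"}
TIPS_ROLE_TO_ADMIN_PRIVILEGES = {
    "Students": "[Student Device Registration]",
    "Staff": "[Staff Device Registration]",
}
ADMIN_PRIVILEGES_TO_OPERATOR_PROFILE = {
    "[Student Device Registration]": "Student Device Registration",
    "[Staff Device Registration]": "Staff Device Registration",
}

# Stage 2 (wireless MAC auth): Role Mapping 4.iv, Enforcement Policy 4.xvii with
# [Deny Access Profile] as the default (4.xvi).
SPONSOR_PROFILE_TO_TIPS_ROLE = {
    "Student Device Registration": "Students",
    "Staff Device Registration": "Staff",
}
TIPS_ROLE_TO_ARUBA_USER_ROLE = {  # controller role names: constructed placeholders
    "Students": "mactrac-student",
    "Staff": "mactrac-staff",
}


def operator_profile_for(ad_groups):
    """Operator profile an AD user lands in, or None when no rule matches."""
    # Rules are evaluated in listed order; a user in both groups gets the first
    # matching rule, so rule order decides the staff-who-is-also-a-student case.
    for group, role in AD_GROUP_TO_TIPS_ROLE.items():
        if group in ad_groups:
            privileges = TIPS_ROLE_TO_ADMIN_PRIVILEGES[role]
            return ADMIN_PRIVILEGES_TO_OPERATOR_PROFILE[privileges]
    return None


def register_device(mac, operator_profile):
    """Guest Device Repository record created through MACTrac; the registering
    operator's profile ends up in sponsor_profile_name (visible in Access Tracker)."""
    return {"mac": mac, "sponsor_profile_name": operator_profile}


def mac_auth_decision(device):
    """RADIUS outcome for a repository record: (result, Aruba user role or None)."""
    role = SPONSOR_PROFILE_TO_TIPS_ROLE.get(device.get("sponsor_profile_name"))
    aruba_role = TIPS_ROLE_TO_ARUBA_USER_ROLE.get(role)
    if aruba_role is None:  # e.g. registered via the stock "Device Registration" profile
        return ("Access-Reject", None)  # [Deny Access Profile] default
    return ("Access-Accept", aruba_role)
```

Running `mac_auth_decision(register_device("aa-bb-cc-dd-ee-ff", "Device Registration"))` shows why the default profile matters: a device registered under the stock profile is rejected rather than silently given a role.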

 

5. Troubleshooting Advanced MACTrac in ClearPass and on the Controller

 

I am going to assume that you will be able to create an Open SSID that has ClearPass as a MAC authentication source, and the user roles defined in Step 4.x within the Aruba Controller. I can definitely provide some guidance on that, if need be - just let me know.

 

I had two different users, a Staff and Student, log into ClearPass Guest and register a MAC address. We're going to see what their devices look like in Access Tracker when they log into the system.

 

Go to ClearPass Policy Manager > Live Monitoring > Access Tracker and click on the entries after a device has MAC authenticated. Here's an example of the staff device:

 

Screen Shot 2014-11-15 at 12.26.52 PM.png

As you can see, the MAC Authentication service was hit and it's authenticating against the "[Guest Device Repository]." The device is categorized with the Staff role, as expected.

 

Clicking on the Output tab shows that we're passing the correct Aruba User role:

 

Screen Shot 2014-11-15 at 12.27.00 PM.png

 

This is possible because the ClearPass Guest role is differentiated as part of the authentication process. Clicking on the Input tab > Computed Attributes and scrolling all the way to the bottom shows the "sponsor_profile_name" that we're using in Step 4.iv to differentiate a Student and Staff MACTrac authentication:

 

Screen Shot 2014-11-15 at 12.27.09 PM.png

 

Finally, looking at the CLI on the controller, we can see the Student and Staff Aruba Roles for each of the MAC authenticated devices: 

 

Screen Shot 2014-11-15 at 12.27.23 PM.png

 

I hope this How-To has been helpful in setting up an advanced usage for MACTrac in Clearpass. Let me know if there are any questions, comments, or improvements!

 

Thanks for taking the time to read this How-To!

 

-Mike

Frequent Contributor II

Re: How-To: Advanced MACTrac designs in ClearPass November-MHC

Great post! I am trying to combine the SSID with my captive portal SSID, but am having a hard time getting the MACTrac users and the MAC Cached users on the same service. Do you have any rule tips on how to combine the two?

Guru Elite

Re: How-To: Advanced MACTrac designs in ClearPass November-MHC

Make sure the guest device repository is above the endpoints repository in your service.

 

What specifically are you seeing when trying to merge them?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: How-To: Advanced MACTrac designs in ClearPass November-MHC

Hi Matt,

 

Tim's reply is spot on. Have you tried moving the authentication source above your existing entries? Let us know - thanks!

 

-Mike

Contributor II

Re: How-To: Advanced MACTrac designs in ClearPass November-MHC

When you have a staff who is also a student, then mac-trac logic breaks...see which mac trac page you land after operator login to confirm. 

Aruba

Re: How-To: Advanced MACTrac designs in ClearPass November-MHC

Not if you have a condition where it looks for both student and staff members and then applies a separate tag to them.
Thank You,
Troy

MVP

Re: How-To: Advanced MACTrac designs in ClearPass November-MHC

Useful and thorough post - well done Mike!


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
Contributor I

Re: How-To: Advanced MACTrac designs in ClearPass November-MHC

Mike,

 

Thank you for sharing this! I have been meaning to implement this on my PSK network for some time to split roles based on identity!

 

I have one architecture question: Say we also want the ability to have ITS register a device for a certain user as well. Obviously this would change the "sponsor_profile_name" and thus the role that was assigned.

 

Where should I alter the design to accommodate this? It would probably be easiest to still have ITS register devices into the Guest Endpoint Repository on behalf of the user, but how can we change that "sponsor_profile_name" to make it so they get classified properly?

 

Thanks for this amazing guide!

 

Aaron

Guru Elite

Re: How-To: Advanced MACTrac designs in ClearPass November-MHC

Duplicate the registration form and then make the sponsor field name visible. This allows you to register the device as another user. You can then assign this form to your IT role in CPG. If you need the sponsor profile name changed, just rename the duplicated form.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480