Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IP based static host list usage

  • 1.  IP based static host list usage

    Posted Jul 07, 2018 03:39 PM

    Hello,

    How can an IP address based SHL be used in a role mapping profile?

    We want to assign a role based on the client IP address of a VPN client where the Radius:IETF:Tunnel-Client-Endpoint attribute matches an entry in the (IP based) SHL.

    This seems to work when using

    Radius:IETF:Calling-Station-ID

    as it allows matching on a SHL (belongs_to_group).

    But we don't get that attribute from the VPN gateway.

    We only get Radius:IETF:Tunnel-Client-Endpoint

    Essentially, VPN clients behind specified NAT IPs that connect to VPN gateways should get a dedicated role assigned.

    Based on that role, enforcement should send an attribute to the VPN gateway to treat those clients specially.

    Is there a way to make Radius:IETF:Tunnel-Client-Endpoint also match on entries in a SHL?

    Thanks,

    Christian



  • 2.  RE: IP based static host list usage

    Posted Jul 25, 2018 04:23 AM

    Is Radius:IETF:Tunnel-Client-Endpoint in the Radius:IETF dictionary in ClearPass?

    If not, export the dictionary, modify the XML to include the attribute (number 66 I think) and re-import it.



  • 3.  RE: IP based static host list usage

    Posted Jul 25, 2018 04:47 AM

    Thanks for the reply.

    The attribute is in the dictionary already:

    <Attribute profile="in out" type="String" name="Tunnel-Client-Endpoint" id="66" extraData="has_tag"/>

    Problem is that in Role Mapping the operator doesn't contain the "BELONGS_TO_GROUP" option.

    That operator option is there when Radius:IETF:Calling-Station-Id is matched instead of Radius:IETF:Tunnel-Client-Endpoint.

    But the Calling-Station-ID attribute isn't sent from our VPN gateway (Pulse Connect Secure).

    Where is it controlled which operator option is available for a Radius attribute?

    Thanks,

    Christian



  • 4.  RE: IP based static host list usage

    Posted Jul 25, 2018 05:23 AM

    Ah ok, this is because the RADIUS attribute 'Calling-Station-ID' has the type of Group and 'Tunnel-Client-Endpoint' has the type of String.

    You can only use the BELONGS_TO_GROUP operator on Group attributes.

    https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/index.htm#CPPM_UserGuide/Rules/Operators.htm#i1021251

    EDIT - I'm not sure whether you could amend the RADIUS IETF dictionary to make 'Tunnel-Client-Endpoint' a group attribute or even if this would work. Probably dangerous to play with the dictionary in this way?!?
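    The matching the original poster is after (does the VPN client's Tunnel-Client-Endpoint fall inside a list of NAT addresses, and if so assign a dedicated role) is easy to state in code even though the ClearPass UI only exposes BELONGS_TO_GROUP for Group-typed attributes. The script below is an added illustration, not ClearPass code and not anything from the thread's authors: it evaluates a role-mapping style rule against constructed sample requests. The host list, request dictionaries, role names and the "tag:value" handling for tagged tunnel attributes are all assumptions made for the example.

```python
"""Added example (not ClearPass code): evaluate an IP-based static host list
rule against the RADIUS Tunnel-Client-Endpoint value of a VPN session.

Mimics what a BELONGS_TO_GROUP operator would do for an IP-valued attribute:
match single hosts and CIDR prefixes, IPv4 and IPv6, and fail closed on values
that are not addresses at all.
"""
import ipaddress
import re

# Constructed static host list: NAT egress addresses behind which the VPN
# clients sit. Entries may be single hosts or CIDR prefixes.
NAT_HOST_LIST = ["198.51.100.7", "203.0.113.0/28", "2001:db8:10::/48"]

# Constructed role names (assumption; use whatever roles exist in your policy).
ROLE_NAT = "NAT-VPN-User"
ROLE_DEFAULT = "Default-VPN-User"

# RFC 2868 tunnel attributes carry a tag byte. This example assumes a textual
# "tag:value" form (e.g. "1:203.0.113.9"); that representation is an assumption.
_TAG_PREFIX = re.compile(r"^(?:[0-9]|[12][0-9]|3[01]):(.+)$")


def parse_host_list(entries):
    """Turn host-list strings into ip_network objects (hosts become /32 or /128)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def belongs_to_group(value, host_list):
    """Return True when `value` is an IP address inside any host-list entry.

    Non-address values (hostnames, empty strings, None) return False rather
    than raising, so a malformed attribute never grants the dedicated role.
    """
    if not isinstance(value, str) or not value.strip():
        return False
    text = value.strip()
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        # Try the whole value first so IPv6 like "1::1" is not mistaken for
        # a tag; only then strip an assumed "tag:" prefix.
        m = _TAG_PREFIX.match(text)
        if not m:
            return False
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            return False
    return any(ip in net for net in host_list)


def map_role(request, host_list):
    """Role mapping rule: Tunnel-Client-Endpoint BELONGS_TO_GROUP NAT list."""
    endpoint = request.get("Radius:IETF:Tunnel-Client-Endpoint")
    if belongs_to_group(endpoint, host_list):
        return ROLE_NAT
    return ROLE_DEFAULT  # attribute absent, invalid, or not in the list


# Constructed sample access-requests (attribute names as shown in the thread).
SAMPLE_REQUESTS = [
    {"User-Name": "alice", "Radius:IETF:Tunnel-Client-Endpoint": "203.0.113.9"},
    {"User-Name": "bob", "Radius:IETF:Tunnel-Client-Endpoint": "192.0.2.44"},
    {"User-Name": "carol"},  # gateway sent no Tunnel-Client-Endpoint
    {"User-Name": "dave", "Radius:IETF:Tunnel-Client-Endpoint": "not-an-ip"},
    {"User-Name": "erin", "Radius:IETF:Tunnel-Client-Endpoint": "1:198.51.100.7"},
    {"User-Name": "frank", "Radius:IETF:Tunnel-Client-Endpoint": "2001:db8:10::42"},
]


def evaluate_all(requests=SAMPLE_REQUESTS, entries=NAT_HOST_LIST):
    """Map every sample request to a role; returns {user: role}."""
    nets = parse_host_list(entries)
    return {r["User-Name"]: map_role(r, nets) for r in requests}


if __name__ == "__main__":
    for user, role in evaluate_all().items():
        print(f"{user}: {role}")
```

    Only alice, erin and frank land in the NAT role; bob is outside the prefixes, carol has no attribute at all and dave's value is not an address, so all three fall through to the default role. Failing closed on missing or malformed values is the behaviour you want before an enforcement profile starts sending special-treatment attributes back to the gateway.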



  • 5.  RE: IP based static host list usage

    Posted Jul 25, 2018 06:41 AM

    Both attributes have type String in the dictionary.

    There is no type group at all.

    Seems that distinction is made somewhere else.

    I don't plan to play around with the dictionary in that way.

    But I guess it is not time to reach out to our SE.

    Thanks,

    Christian