Contributor I

IP based static host list usage

Hello,

 

How can an IP-address-based SHL be used in a role mapping profile?

 

We want to assign a role based on the client IP address of a VPN client where the Radius:IETF:Tunnel-Client-Endpoint attribute matches an entry in the (IP-based) SHL.

 

This seems to work when using

Radius:IETF:Calling-Station-ID

as it allows matching against a SHL (belongs_to_group).

 

But we don't get that attribute from the VPN gateway.

We only get Radius:IETF:Tunnel-Client-Endpoint

 

Essentially, VPN clients behind specified NAT IPs that connect to VPN gateways should get a dedicated role assigned.

Based on that role, enforcement should send an attribute to the VPN gateway to treat those clients specially.

 

Is there a way to make Radius:IETF:Tunnel-Client-Endpoint also match on entries in a SHL?

 

Thanks,

Christian
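As an added illustration (not from the original thread, and not a ClearPass feature): the comparison Christian is asking for, "does Radius:IETF:Tunnel-Client-Endpoint belong to an IP-based static host list", written out in Python. Tunnel-Client-Endpoint is a tagged String attribute (RFC 2868), so the raw value may carry a leading tag octet; the example strips it per the RFC before parsing the address. The host-list entries, the sample attribute values and the `belongs_to_group` / `parse_host_list` names are constructed for this example, and whether ClearPass presents the value with or without the tag octet is an assumption not settled on the page.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# (ip version, lowest address as int, highest address as int)
HostRange = Tuple[int, int, int]


def tunnel_client_endpoint_to_ip(raw: bytes) -> Optional[Addr]:
    """Decode a raw RADIUS Tunnel-Client-Endpoint (attribute 66) value.

    RFC 2868: the first octet is a Tag if it is <= 0x1F (0x00 = tag unused,
    still present); a larger first octet is the first byte of the String.
    Since an IP literal starts with a digit, hex letter or ':', stripping
    only octets <= 0x1F cannot eat part of a real address.
    Returns None if the remaining text is not an IP address (e.g. an FQDN),
    so callers fail closed.
    """
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    try:
        return ipaddress.ip_address(raw.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None


def parse_host_list(entries: Iterable[str]) -> List[HostRange]:
    """Parse static-host-list style entries: single IP, CIDR, or 'low-high' range.

    Assumed entry formats for the example; normalised to integer ranges so the
    membership test is one comparison per entry.
    """
    ranges: List[HostRange] = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:
            lo_s, hi_s = (p.strip() for p in entry.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {entry}")
            ranges.append((lo.version, int(lo), int(hi)))
        else:
            # strict=False lets "10.0.0.5" (host) and "10.0.1.0/24" (net) both parse.
            net = ipaddress.ip_network(entry, strict=False)
            ranges.append((net.version, int(net.network_address), int(net.broadcast_address)))
    return ranges


def belongs_to_group(raw_value: bytes, host_list: List[HostRange]) -> bool:
    """The BELONGS_TO_GROUP semantics wanted in the thread, for attribute 66."""
    ip = tunnel_client_endpoint_to_ip(raw_value)
    if ip is None:
        return False
    n = int(ip)
    return any(ver == ip.version and lo <= n <= hi for ver, lo, hi in host_list)


# Constructed sample: NAT egress addresses whose VPN clients should get a dedicated role.
NAT_EGRESS_HOST_LIST = parse_host_list([
    "198.51.100.0/28",
    "203.0.113.7",
    "192.0.2.100-192.0.2.110",
])

if __name__ == "__main__":
    # Constructed attribute values: one with tag 0x01, one untagged, one FQDN.
    for raw in (b"\x01198.51.100.9", b"203.0.113.7", b"\x00203.0.113.8", b"vpn.example.net"):
        print(raw, "->", belongs_to_group(raw, NAT_EGRESS_HOST_LIST))
```

A value that is not an IP literal (Tunnel-Client-Endpoint may legitimately carry an FQDN) never matches, which is the safe default when the match drives a privileged role.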


Contributor I

Re: IP based static host list usage

Is Radius:IETF:Tunnel-Client-Endpoint in the Radius:IETF dictionary in ClearPass?

If not, export the dictionary, modify the XML to include the attribute (number 66 I think) and re-import it.

Contributor I

Re: IP based static host list usage

Thanks for the reply.

 

The attribute is in the dictionary already:

<Attribute profile="in out" type="String" name="Tunnel-Client-Endpoint" id="66" extraData="has_tag"/>

 

Problem is that in Role Mapping the operator doesn't contain the "BELONGS_TO_GROUP" option.

 

That operator option is there when Radius:IETF:Calling-Station-Id is matched instead of Radius:IETF:Tunnel-Client-Endpoint.

But the Calling-Station-ID attribute isn't sent from our VPN gateway (Pulse Connect Secure).

 

Where is it controlled which operator option is available for a RADIUS attribute?

 

Thanks,

Christian

Contributor I

Re: IP based static host list usage

Ah ok, this is because the RADIUS attribute 'Calling-Station-ID' has the type of Group and 'Tunnel-Client-Endpoint' has the type of String.

 

You can only use the BELONGS_TO_GROUP operator on Group attributes.

 

https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/index.htm#CPPM_UserGuide/Rules/Operators.htm#i1021251

 

EDIT - I'm not sure whether you could amend the RADIUS IETF dictionary to make 'Tunnel-Client-Endpoint' a group attribute or even if this would work. Probably dangerous to play with the dictionary in this way?!?

Contributor I

Re: IP based static host list usage

Both attributes have type String in the dictionary.

There is no type group at all.

Seems that distinction is made somewhere else.

 

I don't plan to play around with the dictionary in that way.

But I guess it is not time to reach out to our SE.

 

Thanks,

Christian
