Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Limiting automatic mac account creation?

  • 1.  Limiting automatic mac account creation?

    MVP
    Posted Feb 27, 2012 12:56 PM

    I'm currently using AD to push different users into different roles. This I got working (yay).

    As a next step I'd like to limit the number of MAC addresses any one user can register.

    I use the following expression to accomplish that:

    return
        empty($user['mac_auth'])
        && NwaDynamicLoad('NwaCreateUser')
        && NwaDynamicLoad('NwaNormalizeMacAddress')
        && ($mac = NwaNormalizeMacAddress(GetAttr('Calling-Station-Id')))
        && (
            // branch taken when a local record id is present
            (!empty($user['id']) && NwaCreateUser(array(
                'creator_accept_terms' => 1,
                'mac'                  => $mac,
                'mac_auth'             => 1,
                'role_id'              => 8,
                'visitor_name'         => $user['username'],
                'sponsor_name'         => $user['username'],
                'mac_auth_pair'        => $user['id'],
                'modify_expire_time'   => '12h',
                'auto_update_account'  => 1,
            )))
            // branch taken when no local record id is present (AD attributes used)
            || (empty($user['id']) && NwaCreateUser(array(
                'creator_accept_terms' => 1,
                'role_id'              => 8,
                'mac'                  => $mac,
                'mac_auth'             => 1,
                'visitor_name'         => $user['displayname'],
                'sponsor_name'         => $user['userprincipalname'],
                'mac_auth_pair'        => $user['id'],
                'modify_expire_time'   => '24h',
                'do_expire'            => 4,
                'auto_update_account'  => 1,
            )))
        )
        && 0;

    I'm setting the sponsor_name to AD's userprincipalname to identify who actually created the MAC account.

    The amigopodTechNoteAutoMACAuthAccount.pdf doc then explains to add a bit to limit the number of MAC accounts that can be created by a single user. So I changed the above role to:


    return
        (
            // reject once this user already sponsors $MAX_MAC_ACCOUNTS live MAC accounts
            ($MAX_MAC_ACCOUNTS = 1)
            && (NwaRadiusLocalServer()->GetUserCount(array(
                'sponsor_name' => strtolower(GetAttr('User-Name')),
                'delete_time'  => 0,
                'mac_auth'     => 1,
            )) >= $MAX_MAC_ACCOUNTS)
            ? (AccessReject() && 0) : 1
        )
        && empty($user['mac_auth'])
        && NwaDynamicLoad('NwaCreateUser')
        && NwaDynamicLoad('NwaNormalizeMacAddress')
        && ($mac = NwaNormalizeMacAddress(GetAttr('Calling-Station-Id')))
        && (
            (!empty($user['id']) && NwaCreateUser(array(
                'creator_accept_terms' => 1,
                'mac'                  => $mac,
                'mac_auth'             => 1,
                'role_id'              => 8,
                'visitor_name'         => $user['username'],
                'sponsor_name'         => $user['username'],
                'mac_auth_pair'        => $user['id'],
                'modify_expire_time'   => '12h',
                'auto_update_account'  => 1,
            )))
            || (empty($user['id']) && NwaCreateUser(array(
                'creator_accept_terms' => 1,
                'role_id'              => 8,
                'mac'                  => $mac,
                'mac_auth'             => 1,
                'visitor_name'         => $user['displayname'],
                'sponsor_name'         => $user['userprincipalname'],
                'mac_auth_pair'        => $user['id'],
                'modify_expire_time'   => '24h',
                'do_expire'            => 4,
                'auto_update_account'  => 1,
            )))
        )
        && 0;


    The example in the doc used "'sponsor_name' => strtolower(GetAttr('User-Name')),", which I honestly do not understand. OK, it retrieves the User-Name variable and changes it to lowercase... but then what? Does this change the sponsor_name to this value? What does the => do?

    Since I'm using AD and already filling sponsor_name with the userprincipalname, I'm guessing the above code won't work? Simply replacing User-Name with userprincipalname didn't do much either.

    My problem? The limit is simply ignored. Any ideas?




  • 2.  RE: Limiting automatic mac account creation?

    MVP
    Posted Feb 28, 2012 09:26 AM

    Guess I was trying to do it a bit harder than required.

    Below is the code that actually works. You may want to replace "studnr" with "sponsor_name" (or add a field studnr), as studnr is a field I added since it's more logical for my situation.

    Unfortunately, it is still the case that the user has no idea why his logon is failing. A redirect to a simple explanation might be better. Probably possible to code this, but as I don't have a clue how...


    return
        (
            // reject once this user already owns $MAX_MAC_ACCOUNTS live MAC accounts,
            // counted on the custom studnr field (stored lowercased, matched lowercased)
            ($MAX_MAC_ACCOUNTS = 1)
            && (NwaRadiusLocalServer()->GetUserCount(array(
                'studnr'      => strtolower(GetAttr('User-Name')),
                'delete_time' => 0,
                'mac_auth'    => 1,
            )) >= $MAX_MAC_ACCOUNTS)
            ? (AccessReject() && 0) : 1
        )
        && empty($user['mac_auth'])
        && NwaDynamicLoad('NwaCreateUser')
        && NwaDynamicLoad('NwaNormalizeMacAddress')
        && ($mac = NwaNormalizeMacAddress(GetAttr('Calling-Station-Id')))
        && (
            (!empty($user['id']) && NwaCreateUser(array(
                'creator_accept_terms' => 1,
                'mac'                  => $mac,
                'mac_auth'             => 1,
                'role_id'              => 8,
                'visitor_name'         => $user['username'],
                'studnr'               => strtolower($user['username']),
                'mac_auth_pair'        => $user['id'],
                'modify_expire_time'   => '12h',
                'auto_update_account'  => 1,
            )))
            || (empty($user['id']) && NwaCreateUser(array(
                'creator_accept_terms' => 1,
                'role_id'              => 8,
                'mac'                  => $mac,
                'mac_auth'             => 1,
                'visitor_name'         => $user['username'],
                'studnr'               => strtolower(GetAttr('User-Name')),
                'modify_expire_time'   => '24h',
                'do_expire'            => 4,
                'auto_update_account'  => 1,
            )))
        )
        && 0;




  • 3.  RE: Limiting automatic mac account creation?

    Posted Feb 28, 2012 11:59 PM

    Glad you figured it out. The purpose of strtolower is to lowercase the username received from the RADIUS request and lowercase the matching parameter in Amigopod's database. It is quite common for a samaccountname to be stored with uppercase characters such as "UserX1". The GetUserCount function is case sensitive, so if you searched for what most end users would enter for their username, "userx1", the function wouldn't give any results. By lowercasing both the input username and the AD/local username, you make the function case insensitive.

    Unfortunately, it is not possible to redirect a failed attempt to a page explaining why. That will hopefully change when the controller supports RADIUS reply message responses and can feed those back to an "explanation" page.

    You may want to consider not sending back AccessReject() if the user already has two devices registered. The use case for this would be to only cache two MAC addresses for a user but still let the user on the network if they've reached their cached limit.


    Change

    ? (AccessReject() && 0) : 1)

    to:

    ? 0 : 1)
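    As an added illustration (not code from this thread or from Amigopod), here is a Python model of the limit check the posts build up: a case-sensitive GetUserCount over a constructed account table, the outcome of the posted expression depending on which field the count is keyed on, and the two ways it silently fails (counting against sponsor_name while it holds the userprincipalname and the request carries the samaccountname, and mixed-case stored values). The account rows, the function names and the example.com UPN are assumptions.

```python
# Constructed model of the per-user MAC-account limit from the thread.
# Not Amigopod code: ACCOUNTS stands in for the guest-account table and
# get_user_count() for the case-sensitive GetUserCount() described above.

# Constructed table: three MAC accounts left by NwaCreateUser() for AD user
# "UserX1". sponsor_name holds the userprincipalname (first post), studnr the
# lowercased samaccountname (second post). The third row is soft-deleted.
ACCOUNTS = [
    {"mac": "00-11-22-33-44-55", "mac_auth": 1, "delete_time": 0,
     "sponsor_name": "UserX1@example.com", "studnr": "userx1"},
    {"mac": "00-11-22-33-44-66", "mac_auth": 1, "delete_time": 0,
     "sponsor_name": "UserX1@example.com", "studnr": "userx1"},
    {"mac": "00-11-22-33-44-77", "mac_auth": 1, "delete_time": 1330000000,
     "sponsor_name": "UserX1@example.com", "studnr": "userx1"},
]


def get_user_count(accounts, criteria):
    """Exact, case-sensitive match on every criterion (as GetUserCount is)."""
    return sum(all(acct.get(k) == v for k, v in criteria.items()) for acct in accounts)


def mac_account_decision(accounts, user_name, field, max_mac_accounts=1,
                         reject_over_limit=True):
    """Outcome of the posted expression for a RADIUS request with User-Name
    `user_name`. `field` is the account attribute the count is keyed on
    (the thread moves from 'sponsor_name' to 'studnr').
      'create'          - below the limit, NwaCreateUser() would run
      'reject'          - limit reached, AccessReject() variant
      'allow-no-create' - limit reached, the '? 0 : 1' variant from reply 3
    """
    # strtolower(GetAttr('User-Name')) from the posted expression
    criteria = {field: user_name.lower(), "delete_time": 0, "mac_auth": 1}
    if get_user_count(accounts, criteria) >= max_mac_accounts:
        return "reject" if reject_over_limit else "allow-no-create"
    return "create"


if __name__ == "__main__":
    # First post: count keyed on sponsor_name, which holds the UPN, so it never
    # matches the lowercased samaccountname and the limit is silently ignored.
    print(mac_account_decision(ACCOUNTS, "UserX1", "sponsor_name"))  # create
    # Second post: count keyed on studnr, stored lowercased, so the limit holds.
    print(mac_account_decision(ACCOUNTS, "UserX1", "studnr"))        # reject
    print(mac_account_decision(ACCOUNTS, "UserX1", "studnr", 3))     # create
    # Third reply: same limit, but let the user on without a new account.
    print(mac_account_decision(ACCOUNTS, "userx1", "studnr",
                               reject_over_limit=False))             # allow-no-create
```

    The soft-deleted row is excluded by the delete_time criterion, and a row whose studnr had been stored as "UserX1" would not be counted either, which is why the expression lowercases on both the write and the lookup.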




  • 4.  RE: Limiting automatic mac account creation?

    MVP
    Posted Mar 01, 2012 05:31 AM

    A few more questions...

    1) I am using SMS receipts to have a 'sort of' authentication for the self-registered accounts. When I edit something such as the duration of an account, however, SMS messages are also being sent.

    Is it possible to choose when SMS messages are sent? For example: only on account creation or when an account password is changed? I cannot seem to find a setting for this.

    2) I'm using mac_auth_pair to link the MAC device that is created to the account that created it. I allow up to 3 devices to be created, however. Any way to link all 3 devices to the account? Currently only the last device added seems to be linked.

    3) My customer indicated he'd rather have the self-registration boxes immediately on the web login page we're serving to all clients, instead of having to click through to the guest_register page.

    I found the following function in the manual, which seems to be intended for exactly my problem, but I cannot get it to include the guest_register.php file. It keeps complaining about being unable to read the resource.

    Anyone know what the exact syntax would be to include this guest_register.php file?


    {include file="public/included_file.html"}