Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Auth and Profiling Static IP Devices

  • 1.  MAC Auth and Profiling Static IP Devices

    Posted Jan 15, 2015 07:58 PM

    Are there any documents or tutorials that walk you through how to do MAC authentication on non-802.1X devices that have static IP addresses?  I am looking to build a MAC Auth service that will profile various devices (PLCs, cameras, routers, video decoders) and put them onto the private network, and force non-802.1X computers (guest visitors/vendors) to an internet-only VLAN.

    Are there any docs that show how to build such a service?  I understand there are various ways to profile a device (NMAP, SNMP, Nessus, MAC OUI), but how do you use these methods in a service?

    Thanks for your help ahead of time.

    Mark



  • 2.  RE: MAC Auth and Profiling Static IP Devices

    EMPLOYEE
    Posted Jan 15, 2015 08:06 PM

    Does this help?

    [screenshot: mthiel1.PNG]

    [screenshot: mthiel2.PNG]

    [screenshot: mthiel3.PNG]

    [screenshot: mthiel4.PNG]

    [screenshot: mthiel5.PNG]



  • 3.  RE: MAC Auth and Profiling Static IP Devices

    Posted Jan 15, 2015 10:22 PM

    Thanks Tim.  It does help, but I am not sure what the enforcement profile (ROLE_PROFILE) looks like.  If it is not too much trouble, can you show how that profile is built? I am looking to see how the device is profiled and can be classified as a certain type of device.  There must be something else that needs to be configured to determine the device type.  I would assume if you used SNMP or NMAP that there are configurations that can read a response to determine the device type.

    Am I even in the ballpark on how this works?

    Thanks again for taking the time to show me the screenshots above.



  • 4.  RE: MAC Auth and Profiling Static IP Devices

    EMPLOYEE
    Posted Jan 15, 2015 10:27 PM
    The profile role is just a controller role that only allows DHCP. This allows profiling to occur, and then once ClearPass gets the initial profile, it will bump the user so that they can authenticate against other rules in your enforcement policy.

    Same idea with nmap. You can give the device an audit state based on rules you set. So you could give temporary Internet-only access until a device was audited or profiled and then change the device's role.


    There will be some additional profiling options in the upcoming 6.5 release so stay tuned for that.


    Thanks, 
    Tim


  • 5.  RE: MAC Auth and Profiling Static IP Devices

    Posted Jan 16, 2015 07:42 AM

    Thanks Tim,

    I am just trying to understand how to use something like the NMAP feature to further profile and change the access of a static device.



  • 6.  RE: MAC Auth and Profiling Static IP Devices

    Posted Jan 16, 2015 11:22 AM

    With MAC AUTH, is there a way to give different device types different network access?  For example:

    If I have a security camera using MAC auth, can I allow it to connect to the internal network VLAN A, and then have a guest user's PC using MAC AUTH and configure it to use VLAN B?

    If so, how do you get the device profiled to know if it is a security camera versus a guest PC?



  • 7.  RE: MAC Auth and Profiling Static IP Devices

    EMPLOYEE
    Posted Jan 16, 2015 11:34 AM
    This is done via DHCP profiling. Do you have helper addresses configured to point to ClearPass? 

    Once the device is profiled, you map the device category/family/device name (derived from the profile) to an enforcement profile. The enforcement profile(s) are what get sent down to the switch/controller. 

    This is what's shown in the second to last screenshot above. 


    Thanks, 
    Tim
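    Added example (not ClearPass code, and not from anyone in this thread): a small Python model of the DHCP profiling step Tim describes. It builds a constructed DHCP DISCOVER, pulls out the options a profiler keys on (option 55 parameter request list, option 60 vendor class), matches them against a constructed fingerprint table, and maps the resulting category to an enforcement profile. The fingerprint table, the category names and the profile names (ROLE_PROFILE for the DHCP-only role, the two VLAN profiles) are assumptions chosen to mirror the thread, not real ClearPass data.

    ```python
    import struct

    MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options after the 236-byte BOOTP header

    # Constructed fingerprint table (NOT the ClearPass fingerprint database):
    # option-55 parameter request list joined with commas -> (category, family)
    FINGERPRINTS = {
        "1,3,6,15,42": ("Camera", "IP Camera (constructed)"),
        "1,3,6,15,31,33,43,44,46,47,121,249,252": ("Computer", "Windows (constructed)"),
    }

    # Category -> enforcement profile. Unknown/unprofiled endpoints stay in the DHCP-only role.
    ENFORCEMENT = {"Camera": "VLAN-A-Internal", "Computer": "VLAN-B-Internet-Only"}
    DHCP_ONLY_ROLE = "ROLE_PROFILE"  # name used in the thread for the profiling role


    def build_dhcp_discover(mac, options):
        """Construct a minimal BOOTP/DHCP DISCOVER payload (test input only)."""
        # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
        header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0,
                             b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
        chaddr = mac.ljust(16, b"\0")          # client hardware address, padded to 16 bytes
        sname, file = b"\0" * 64, b"\0" * 128   # unused server name / boot file fields
        body = bytes([53, 1, 1])                # option 53: DHCP message type = DISCOVER
        for tag, data in options.items():
            body += bytes([tag, len(data)]) + data
        body += b"\xff"                         # option 255: end
        return header + chaddr + sname + file + MAGIC_COOKIE + body


    def parse_dhcp_options(payload):
        """Return {option_tag: raw_bytes} from a DHCP payload, rejecting malformed input."""
        if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
            raise ValueError("not a DHCP payload")
        opts, i = {}, 240
        while i < len(payload):
            tag = payload[i]
            if tag == 255:          # end marker
                break
            if tag == 0:            # pad byte has no length field
                i += 1
                continue
            if i + 1 >= len(payload):
                raise ValueError("truncated option header")
            length = payload[i + 1]
            data = payload[i + 2:i + 2 + length]
            if len(data) != length:
                raise ValueError("truncated option data")
            opts[tag] = data
            i += 2 + length
        return opts


    def dhcp_fingerprint(opts):
        """The profiler's key: the client's parameter request list (option 55) as a comma list."""
        return ",".join(str(b) for b in opts.get(55, b""))


    def classify(opts):
        """Map a parsed DISCOVER to (category, family), or None when the fingerprint is unknown."""
        return FINGERPRINTS.get(dhcp_fingerprint(opts))


    def enforcement_for(classification):
        """Pick the profile sent to the switch/controller; unprofiled devices stay DHCP-only."""
        if classification is None:
            return DHCP_ONLY_ROLE
        return ENFORCEMENT.get(classification[0], DHCP_ONLY_ROLE)


    def profile_endpoint(payload):
        """End-to-end: raw DHCP payload -> (category or None, enforcement profile)."""
        classification = classify(parse_dhcp_options(payload))
        category = classification[0] if classification else None
        return category, enforcement_for(classification)


    if __name__ == "__main__":
        cam = build_dhcp_discover(b"\x00\x11\x22\x33\x44\x55",
                                  {55: bytes([1, 3, 6, 15, 42]), 60: b"constructed-camera"})
        print(profile_endpoint(cam))  # a camera lands in VLAN-A-Internal
    ```

    The point of the model is the last function: the enforcement decision is a function of the profile, and a static-IP endpoint never produces the input, so it never leaves the DHCP-only role. That is exactly the gap the rest of the thread is about.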


  • 8.  RE: MAC Auth and Profiling Static IP Devices

    Posted Jan 16, 2015 12:09 PM

    Thanks Tim.  That is my problem: the endpoint is not getting profiled.  It is a static IP address device.  It will never send a DHCP request.  I have the helper-address pointing to ClearPass and that works well for PCs and other devices doing DHCP.

    How do you get a static IP address device profiled?

    [screenshot: profiled.jpg]



  • 9.  RE: MAC Auth and Profiling Static IP Devices

    EMPLOYEE
    Posted Jan 16, 2015 12:13 PM


  • 10.  RE: MAC Auth and Profiling Static IP Devices

    Posted Jan 16, 2015 12:19 PM

    Tim, I have seen this doc, but it doesn't help my situation with something like a PLC (Programmable Logic Controller).  But the PLC does support SNMP.  Isn't there a way to have CPPM query the endpoint via SNMP (public) to get back info to profile it?  I am looking for something like this.  Is that possible or am I barking up the wrong tree?

    I am trying to determine if there are automated ways to profile static IP address devices immediately when they connect, or am I going to have to maintain some sort of Static Host Table.

    Doesn't the subnet scan happen at pre-defined time intervals?



  • 11.  RE: MAC Auth and Profiling Static IP Devices

    EMPLOYEE
    Posted Jan 18, 2015 10:37 PM

    You can enable the audit feature on the service, which can run Nessus or nmap scans against the device and then bump it off so it can reauthenticate.

    [screenshot: audit.PNG]

    In the configuration for Nessus and/or nmap, you can write rules that map certain information returned by the scan to a ClearPass role, which you can use in your enforcement to make a decision.

    [screenshot: audit-roles.PNG]



  • 12.  RE: MAC Auth and Profiling Static IP Devices
    Best Answer

    Posted Jan 18, 2015 10:52 PM

    Thanks for your help Tim.  I will check this out tomorrow.  Are there any docs out there that show the kinds of attributes that can be mapped to roles?  Also, is there any way to see a debug of the returned nmap scan to know what data is there to work with?
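    Added example, written for post 11 (audit rules that map scan results to a role) and post 12 (what data comes back from the nmap scan). It is not ClearPass code and not from anyone in the thread. It parses nmap's XML output with the standard library, flattens one host into the attribute set a rule author has to work with, then applies ordered first-match rules to pick a role and an enforcement profile. The scan XML is constructed (not a real scan), and the rule names, role names and profile names are assumptions; the port-to-protocol facts used in the rules (tcp/502 Modbus, tcp/554 RTSP, tcp/135 and tcp/445 Windows services) are standard assignments.

    ```python
    import xml.etree.ElementTree as ET

    # Constructed nmap -sV -O style output for a PLC-like device (not real scan output).
    SAMPLE_PLC_XML = """<?xml version="1.0"?>
    <nmaprun scanner="nmap">
      <host>
        <status state="up" reason="arp-response"/>
        <address addr="192.0.2.50" addrtype="ipv4"/>
        <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleVendor"/>
        <ports>
          <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="embedded-httpd"/></port>
          <port protocol="tcp" portid="502"><state state="open"/><service name="modbus"/></port>
          <port protocol="tcp" portid="445"><state state="closed"/></port>
        </ports>
        <os><osmatch name="VxWorks" accuracy="90">
          <osclass type="specialized" vendor="Wind River" osfamily="VxWorks" accuracy="90"/></osmatch></os>
      </host>
    </nmaprun>"""

    # Constructed output for a Windows workstation.
    SAMPLE_PC_XML = """<nmaprun><host><address addr="192.0.2.77" addrtype="ipv4"/><ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports><os><osmatch name="Microsoft Windows 10" accuracy="96">
      <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" accuracy="96"/></osmatch></os>
    </host></nmaprun>"""


    def summarize_host(xml_text):
        """Flatten the first <host> of nmap XML into the attributes a rule can test."""
        host = ET.fromstring(xml_text).find("host")
        if host is None:
            raise ValueError("no <host> element in scan output")
        s = {"ip": None, "mac": None, "mac_vendor": None, "open_tcp": {},
             "os_family": None, "os_type": None, "os_accuracy": 0}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                s["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                s["mac"], s["mac_vendor"] = addr.get("addr"), addr.get("vendor")
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue                         # only open TCP ports carry evidence
            svc = port.find("service")
            s["open_tcp"][int(port.get("portid"))] = {
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None}
        for match in host.findall("./os/osmatch"):  # keep the highest-accuracy OS class
            acc, cls = int(match.get("accuracy", "0")), match.find("osclass")
            if cls is not None and acc > s["os_accuracy"]:
                s["os_accuracy"], s["os_family"], s["os_type"] = acc, cls.get("osfamily"), cls.get("type")
        return s


    # Ordered audit rules (constructed): (rule name, predicate over the summary, role).
    RULES = [
        ("modbus-device-no-windows-services",
         lambda s: 502 in s["open_tcp"] and not ({135, 445} & set(s["open_tcp"])), "PLC"),
        ("rtsp-streamer",
         lambda s: 554 in s["open_tcp"] or any(p["name"] == "rtsp" for p in s["open_tcp"].values()), "Camera"),
        ("windows-host", lambda s: s["os_family"] == "Windows" and s["os_accuracy"] >= 80, "Computer"),
    ]

    # Role -> enforcement profile; anything unmatched gets the least-privileged profile.
    ENFORCEMENT = {"PLC": "VLAN-A-Internal", "Camera": "VLAN-A-Internal", "Computer": "VLAN-B-Internet-Only"}
    DEFAULT_PROFILE = "VLAN-B-Internet-Only"


    def audit_role(summary):
        """First matching rule wins; returns (role, rule name)."""
        for name, predicate, role in RULES:
            if predicate(summary):
                return role, name
        return "Unknown", "no-rule-matched"


    def decide(xml_text):
        """Scan XML -> (summary, role, enforcement profile)."""
        summary = summarize_host(xml_text)
        role, _ = audit_role(summary)
        return summary, role, ENFORCEMENT.get(role, DEFAULT_PROFILE)


    if __name__ == "__main__":
        for xml_text in (SAMPLE_PLC_XML, SAMPLE_PC_XML):
            summary, role, profile = decide(xml_text)
            print(summary["ip"], sorted(summary["open_tcp"]), summary["os_family"], "->", role, profile)
    ```

    Two design choices carry the security weight. The summary is the debugging view post 12 asks for: dump it for a real scan before writing rules, because an OS guess below the accuracy threshold or a filtered port will silently fail a rule. And the default for an unmatched device is the restrictive Internet-only profile, so a device the scan cannot characterize never reaches the internal VLAN by accident.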



  • 13.  RE: MAC Auth and Profiling Static IP Devices

    Posted Dec 20, 2017 09:16 AM

    I know this topic is from 2 years ago. I have the same needs, but as ClearPass is not aware of the IP address of the device, I don't see how the NMAP is going to work to do the scan.

    Any ideas on how to proceed in this case?

    Thanks!