Security

Contributor II
Posts: 61
Registered: 07-01-2013

Maximum Onboard devices determined by AD group (or other policy)

I have a customer with a requirement which, at the surface, seemed like it couldn't be accomplished with ClearPass, but I ultimately found a way and I'd like to share the solution.

The requirement was that most users at the company were allowed to Onboard 3 devices, but members of a particular AD group (let's call this group "Spartan") were allowed to Onboard 10 devices.

The only place that "maximum devices" can be specified is in the Provisioning Settings in Onboard. Within the Policy Manager side, there is no simple attribute that shows up in Access Tracker that indicates how many devices have been Onboarded so far, and the Onboarded devices didn't show up with any particularly helpful attributes in the Endpoints database to assist with this either, so I thought it wasn't going to be possible to accomplish this requirement without some really strange workaround.

After lots of trial and error, a TAC call, and some outside-the-box thinking, I finally found a working solution.

First get Onboard working for a maximum of 3 devices. For reference, the Web Login Page Name I used for this profile was "onboard3".

Then, duplicate your Provisioning Settings. Change your maximum devices in this duplicate profile to 10. Change the Web Login Page Name to something new. The Web Login Page Name I used is "onboard10".

Next, go to your Onboard Pre-Auth service in Policy Manager. Set up your Enforcement profile as such:

SELECT FIRST MATCH

Rule 1:

  • IF Authorization:AD memberOf CONTAINS Spartan, AND
  • Application:ClearPass Page-Name EQUALS onboard10, THEN
  • [Allow Application Access Profile]

Rule 2:

  • IF Authorization:AD memberOf NOT_CONTAINS Spartan, AND
  • Application:ClearPass Page-Name EQUALS onboard3, THEN
  • [Allow Application Access Profile]

Default Profile: [Deny Application Access Profile]

You'll notice I check for the presence of "Spartan" for both onboard3 and onboard10. THIS IS IMPORTANT! If you do not include the NOT_CONTAINS check in Rule 2, then a member of "Spartan" will be able to Onboard 10 devices from onboard10 and 3 devices from onboard3 for a total of 13 devices.

Now just direct your users to the right page name depending on whether they are part of the group or not and you are good to go.

Tim Haynie, ACMX #508, ACDX #384, ACCP, CWSP, CWAP, CWDP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA
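A small model of the SELECT FIRST MATCH policy above, added here as an illustration and not part of the original post. The page names, device caps and rule conditions come from the post; the Python classes, the `reachable_cap` helper and the group names are assumptions for the demonstration, showing why omitting the NOT_CONTAINS check lets a "Spartan" member reach 13 devices.

```python
# Added illustration: a first-match enforcement policy evaluator modelled on the
# post above. Not ClearPass code; names mirror the post, caps come from the
# Provisioning Settings described there.
from dataclasses import dataclass
from typing import Optional, Set, List

# Maximum devices per Web Login Page Name (from the duplicated Provisioning Settings)
PAGE_CAPS = {"onboard3": 3, "onboard10": 10}

@dataclass
class Rule:
    page: str                              # Application:ClearPass Page-Name EQUALS
    requires_group: Optional[str] = None   # Authorization:AD memberOf CONTAINS
    excludes_group: Optional[str] = None   # Authorization:AD memberOf NOT_CONTAINS
    profile: str = "Allow Application Access Profile"

    def matches(self, page: str, groups: Set[str]) -> bool:
        if page != self.page:
            return False
        if self.requires_group and self.requires_group not in groups:
            return False
        if self.excludes_group and self.excludes_group in groups:
            return False
        return True

def evaluate(rules: List[Rule], page: str, groups: Set[str],
             default: str = "Deny Application Access Profile") -> str:
    """SELECT FIRST MATCH: the first rule whose conditions all hold decides."""
    for rule in rules:
        if rule.matches(page, groups):
            return rule.profile
    return default

def reachable_cap(rules: List[Rule], groups: Set[str]) -> int:
    """Devices a user could Onboard in total by using every page they are allowed on."""
    return sum(cap for page, cap in PAGE_CAPS.items()
               if evaluate(rules, page, groups).startswith("Allow"))

# Policy as posted: Rule 2 excludes Spartan members from the 3-device page.
FIXED = [Rule("onboard10", requires_group="Spartan"),
         Rule("onboard3", excludes_group="Spartan")]
# Same policy without the NOT_CONTAINS check on Rule 2.
BUGGY = [Rule("onboard10", requires_group="Spartan"),
         Rule("onboard3")]

if __name__ == "__main__":
    for name, rules in (("fixed", FIXED), ("buggy", BUGGY)):
        print(name, "Spartan member:", reachable_cap(rules, {"Spartan", "Domain Users"}),
              "other user:", reachable_cap(rules, {"Domain Users"}))
```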
Guru Elite
Posts: 8,456
Registered: 09-08-2010

Re: Maximum Onboard devices determined by AD group (or other policy)

You can also do it during Onboard Authorization by returning a value with the "ClearPass:Onboard-Max-Devices" RADIUS application attribute. This would allow you to keep the same provisioning profile.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 61
Registered: 07-01-2013

Re: Maximum Onboard devices determined by AD group (or other policy)

Tim - Does that imply that your Authorization Method must be RADIUS instead of App Auth? Also, I don't see the "ClearPass:Onboard-Max-Devices" attribute in the Aruba RADIUS dictionary.

I guess I'm not following how that would be done; could you be a little more explicit for me?

Tim Haynie, ACMX #508, ACDX #384, ACCP, CWSP, CWAP, CWDP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA
Guru Elite
Posts: 8,456
Registered: 09-08-2010

Re: Maximum Onboard devices determined by AD group (or other policy)

Sorry, that should have read application (there is also a RADIUS attribute). See the examples below:

onboard-authz-unlimited.JPG

onboard-enf-unlimited.JPG

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 61
Registered: 07-01-2013

Re: Maximum Onboard devices determined by AD group (or other policy)

**bleep** Tim, that's way more inside-the-box thinking - not that it's a bad thing in this case; quite the opposite actually, much cleaner. One day I'll post something you don't know... One day.

I haven't tested this yet but I assume it works because I know your reputation.

Tim Haynie, ACMX #508, ACDX #384, ACCP, CWSP, CWAP, CWDP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA