Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard Device Limits by Group

  • 1.  Onboard Device Limits by Group

    Posted Jun 09, 2013 01:05 PM

    In ClearPass 6.1 with OnBoard, what is the proper way to enforce different maximum onboarded device limits by user group? Should this be done using unique provisioning settings pages with the Max Devices option, or through role mappings in the Onboard Authorization service? If the latter, is it just a matter of sending something in the enforcement profile (Aruba-Mdps-Max-Devices?) or is there more configuration involved?


    Thanks!




  • 2.  RE: Onboard Device Limits by Group

    EMPLOYEE
    Posted Jun 09, 2013 08:21 PM
    The latter, and there is no more configuration needed after sending the attribute.


  • 3.  RE: Onboard Device Limits by Group

    Posted Jun 09, 2013 08:47 PM

    Thanks Colin,

    For iOS devices (which do two authorization checks), should this attribute be returned in both or just in the second authorization check?

    Will this result in users receiving a message indicating that their device allowance has been reached?



  • 4.  RE: Onboard Device Limits by Group

    EMPLOYEE
    Posted Jun 10, 2013 01:17 AM

    The first one is all that is needed.



  • 5.  RE: Onboard Device Limits by Group

    Posted Jun 10, 2013 11:29 AM

    So I have set up two services: one which handles the Pre-Auth request from the web GUI and also returns the Aruba-Mdps-Max-Devices attribute, and a second service which handles the second auth request and just returns a RADIUS Accept for users in certain roles. I have Aruba-Mdps-Max-Devices set to 1. So far, I have onboarded three devices using the same account. Access Tracker shows the roles are being assigned properly and the RADIUS response from the Pre-Auth request includes Aruba-Mdps-Max-Devices = 1. Any ideas why this is happening?


    Request Details Summary -
     Session Identifier: R00000045-03-51b5ece7
     Date and Time: Jun 10, 2013 11:12:39 EDT
     Username: onboardt2
     End-Host Identifier: 00:23:12:55:a0:5f
     Access Device IP/Port: 127.0.0.1:0
     Audit Posture Status: UNKNOWN (100)
     System Posture Status: UNKNOWN (100)
     Login Status: ACCEPT
    
    Policies Used -
     Service: GPS-Onboard-PreAuth
     Authentication Method: PAP
     Authentication Source: AD:dc.ssav.com
     Authorization Source: GP-AD
     Roles: Onboard-1-Device, [User Authenticated]
     Enforcement Profiles: Onboard - Limit 1 Device
     Service Monitor Mode: Disabled
    
    Input RADIUS Attributes -
     Radius:Aruba:Aruba-Essid-Name = GP-OBSecure
     Radius:Aruba:Aruba-Port-Id = device_provisioning
     Radius:IETF:Calling-Station-Id = 00:23:12:55:a0:5f
     Radius:IETF:Connect-Info = 10.90.10.3
     Radius:IETF:Event-Timestamp = 4450374-05-02 01:00:23
     Radius:IETF:Framed-IP-Address = 10.90.10.3
     Radius:IETF:Login-IP-Host = 10.90.0.90
     Radius:IETF:NAS-Identifier = cppm.ssav.com
     Radius:IETF:NAS-IP-Address = 127.0.0.1
     Radius:IETF:NAS-Port = 0
     Radius:IETF:NAS-Port-Type = 15
     Radius:IETF:Service-Type = 17
     Radius:IETF:User-Name = onboardt2
    
    Input Computed Attributes -
     Authentication:ErrorCode = 0
     Authentication:Full-Username = onboardt2
     Authentication:MacAuth = NotApplicable
     Authentication:NetBIOS-Name = SSAV
     Authentication:OuterMethod = PAP
     Authentication:Posture = Unknown
     Authentication:Source = GP-AD
     Authentication:Status = User
     Authentication:Username = onboardt2
     Authorization:Sources = GP-AD
     Connection:Client-Mac-Address = 00:23:12:55:a0:5f
     Connection:Client-Mac-Address-Colon = 00:23:12:55:a0:5f
     Connection:Client-Mac-Address-Dot = 0023.1255.a05f
     Connection:Client-Mac-Address-Hyphen = 00-23-12-55-a0-5f
     Connection:Client-Mac-Address-NoDelim = 00231255a05f
     Connection:Client-Mac-Vendor = Apple, Inc
     Connection:Dest-IP-Address = 127.0.0.1
     Connection:Dest-Port = 1812
     Connection:NAD-IP-Address = 127.0.0.1
     Connection:Protocol = RADIUS
     Connection:Src-IP-Address = 127.0.0.1
     Connection:Src-Port = 56843
     Connection:SSID = GP-OBSecure
    
    Input Authorization Attributes -
     Authorization:GP-AD:All Groups = Faculty
     Authorization:GP-AD:memberOf = CN=Faculty,OU=MainUsers,DC=ssav,DC=com
     Authorization:GP-AD:UserDN = CN=onboard t2,OU=MainUsers,DC=ssav,DC=com
    
    Output RADIUS Attributes -
     Radius:Aruba:Aruba-Mdps-Max-Devices = 1




  • 6.  RE: Onboard Device Limits by Group

    Posted Jun 10, 2013 02:40 PM

    Just tested this in my lab as well. Set Aruba-Mdps-Max-Devices = 1 in the Enforcement Profile for the iOS onboard authorization service. I was still able to onboard two devices. Am I missing something...




  • 7.  RE: Onboard Device Limits by Group

    EMPLOYEE
    Posted Jun 10, 2013 05:41 PM

    Do you have insight enabled and is it an authorization source for your service?



  • 8.  RE: Onboard Device Limits by Group

    Posted Jun 10, 2013 06:47 PM

    I did have Insight enabled; however, I did not have Insight specified as an authorization source. I just set Insight as an authorization source for the iOS onboard authorization service; however, I was still able to onboard two different devices when the enforcement profile should be limiting me to one...




  • 9.  RE: Onboard Device Limits by Group

    EMPLOYEE
    Posted Jun 10, 2013 10:07 PM

    Make sure in your service you enable Insight as an authorization source, and in the enforcement you use that source.

    [attachment: devicecount.png]

    Here are a few example ones that I use for Guests.

    [attachment: devicecountguest.png]



  • 10.  RE: Onboard Device Limits by Group

    Posted Jun 11, 2013 07:23 AM

    OK, I am confused now. When you said to enable Insight as an authorization source in your service, I enabled the [Insight Repository] as an authorization source. Your screenshots seem to indicate that you are referring to the [Endpoints Repository] authorization source.

    My best understanding (from talking to TAC and from Colin's post above) is that I should be returning the Aruba RADIUS attribute Aruba-MDPS-Max-Devices = X in the Enforcement Profile for my iOS onboard authorization role in order to limit the number of unique devices which a particular user can onboard, and to give users an error message when they exceed this limit. This is unfortunately not working for me. I am hoping this is because I am missing something simple.

    Your examples show a different approach; however, from the look of it, this would result in users who have exceeded their device allowance getting a plain RADIUS Reject. This would show up as a username/password failure in the onboard process with no indication to the user what the cause is - correct?




  • 11.  RE: Onboard Device Limits by Group

    Posted Jun 11, 2013 03:03 PM

    Endpoint authorization does limit the devices, however, that's not exactly what I was going for. Like Drew says, this showed an Invalid username or password message on the captive portal page when I tried it. Aruba-MDPS-Max-Devices doesn't work for me, either. I would like users to see an onboard device limit exceeded message, or something like that. Is this possible? What could cause Aruba-MDPS-Max-Devices to not work?



  • 12.  RE: Onboard Device Limits by Group

    EMPLOYEE
    Posted Jun 11, 2013 03:27 PM

    Sorry about that, I've been working on a couple dozen projects.

    So what you want to do is make an enforcement policy that will use the max MDPS. Is this what you tried that didn't work?

    [attachment: mdps1.png]

    [attachment: mdps2.png]



  • 13.  RE: Onboard Device Limits by Group

    Posted Jun 11, 2013 03:41 PM

    Exactly. This isn't working. :(

    Here's the policy:

    [attachment: ClearPassConf.jpg]



  • 14.  RE: Onboard Device Limits by Group

    EMPLOYEE
    Posted Jun 11, 2013 03:42 PM

    How are you assigning the role?



  • 15.  RE: Onboard Device Limits by Group

    EMPLOYEE
    Posted Jun 11, 2013 03:43 PM
    and what is being shown in the access tracker


  • 16.  RE: Onboard Device Limits by Group

    Posted Jun 11, 2013 03:44 PM

    [attachment: Screen Shot 2013-06-11 at 3.43.25 PM.png]



  • 17.  RE: Onboard Device Limits by Group

    Posted Jun 11, 2013 03:46 PM
    Request Details Summary -
     Session Identifier: R0000002e-01-51b77e24
     Date and Time: Jun 11, 2013 15:44:36 EDT
     Username: onboardt2
     End-Host Identifier: 28:6a:ba:ea:9c:9f
     Access Device IP/Port: 127.0.0.1:0
     Audit Posture Status: UNKNOWN (100)
     System Posture Status: UNKNOWN (100)
     Login Status: ACCEPT
    
    Policies Used -
     Service: GPS-PreAuthentication
     Authentication Method: Authorize
     Authentication Source: None
     Authorization Source: [Endpoints Repository], GPS-AD
     Roles: Onboard-1-Device
     Enforcement Profiles: Onboard 1 Device
     Service Monitor Mode: Disabled
    
    Input RADIUS Attributes -
     Radius:Aruba:Aruba-Essid-Name = GPS-OBSecure
     Radius:Aruba:Aruba-Port-Id = device_provisioning
     Radius:IETF:Calling-Station-Id = 28:6a:ba:ea:9c:9f
     Radius:IETF:Connect-Info = 10.0.10.1
     Radius:IETF:Event-Timestamp = 2013-06-11 15:44:36
     Radius:IETF:Framed-IP-Address = 10.0.10.1
     Radius:IETF:Login-IP-Host = 10.0.0.90
     Radius:IETF:NAS-Identifier = gpscp.ssavserver.com
     Radius:IETF:NAS-IP-Address = 127.0.0.1
     Radius:IETF:NAS-Port = 0
     Radius:IETF:NAS-Port-Type = 15
     Radius:IETF:Service-Type = 17
     Radius:IETF:User-Name = onboardt2
    
    Input Computed Attributes -
     Authentication:ErrorCode = 0
     Authentication:Full-Username = onboardt2
     Authentication:Full-Username-Normalized = onboardt2
     Authentication:MacAuth = NotApplicable
     Authentication:OuterMethod = Authorize
     Authentication:Posture = Unknown
     Authentication:Status = None
     Authentication:Username = onboardt2
     Authorization:Sources = [Endpoints Repository], GPS-AD
     Connection:Client-Mac-Address = 28:6a:ba:ea:9c:9f
     Connection:Client-Mac-Address-Colon = 28:6a:ba:ea:9c:9f
     Connection:Client-Mac-Address-Dot = 286a.baea.9c9f
     Connection:Client-Mac-Address-Hyphen = 28-6a-ba-ea-9c-9f
     Connection:Client-Mac-Address-NoDelim = 286abaea9c9f
     Connection:Client-Mac-Vendor = Apple, Inc.
     Connection:Dest-IP-Address = 127.0.0.1
     Connection:Dest-Port = 1812
     Connection:NAD-IP-Address = 127.0.0.1
     Connection:Protocol = RADIUS
     Connection:Src-IP-Address = 127.0.0.1
     Connection:Src-Port = 34159
     Connection:SSID = GPS-OBSecure
    
    Input Authorization Attributes -
     Authorization:GPS-AD:All Groups = GHS Faculty
     Authorization:GPS-AD:memberOf = CN=GHS Faculty,OU=MainUsers,DC=ssavserver,DC=com
     Authorization:GPS-AD:UserDN = CN=onboard t2,OU=MainUsers,DC=ssavserver,DC=com
    
    Output RADIUS Attributes -
     Radius:Aruba:Aruba-Mdps-Max-Devices = 1




  • 18.  RE: Onboard Device Limits by Group

    EMPLOYEE
    Posted Jun 11, 2013 04:06 PM
    And you said that it does deny the 2nd device when you get the install profile on the device, or is it just letting it on?


  • 19.  RE: Onboard Device Limits by Group

    Posted Jun 11, 2013 04:32 PM

    I was able to onboard a second device without issue, last night. Right now though, I am getting profile invalid errors on other devices I'm trying to onboard with the same user name, even after clearing the onboard repository and deleting the client certificate. I'm not sure what the problem is. Seems like a separate issue. I know for a fact that I have successfully onboarded three devices even with mdps max set to 1.



  • 20.  RE: Onboard Device Limits by Group

    Posted Jun 12, 2013 09:15 AM

    Further testing shows that the Mdps-Max-Devices attribute DOES work as expected for both Android and Windows devices. These platforms both have native onboarding apps. Apple devices, however, rely on a web page for onboard authorization before going into the over-the-air provisioning process. It appears that this web page is not abiding by the Mdps-Max-Devices attribute.

    I am at a loss trying to think of what else we can change in the configuration to make this work. Are any other users encountering this issue with ClearPass 6.1.X?



  • 21.  RE: Onboard Device Limits by Group

    Posted Jun 12, 2013 11:16 AM

    I am having exactly the same issue.



  • 22.  RE: Onboard Device Limits by Group

    Posted Jul 02, 2013 06:27 AM

    Did you ever get any further on this, or does it remain an issue?



  • 23.  RE: Onboard Device Limits by Group

    Posted Jul 03, 2013 02:01 PM

    We did get to the bottom of it eventually.  Part of the problem was that we did not realize (because it was not documented anywhere) that the "Invalid Profile" message iOS devices were receiving was not some weird bug, but the result of the mdps-max-devices attribute being applied.  Apparently due to the constraints of the iOS over-the-air provisioning method, ClearPass could not return a sane error message indicating that a user had already onboarded their maximum allowed devices.  Instead, it just sends out a bogus provisioning profile and leaves the user scratching their head as to why things went wrong.

    This problem was combined with the other issue that we ran into, which is that ClearPass was treating usernames as case sensitive during the onboard authorization process. This resulted in users being able to exceed the max devices limit by changing the case of any letters in their user names (e.g. tom, Tom, and toM were all being treated as different users). iOS has a tendency to capitalize the first letter of usernames...

    I am glad to say that these issues have been (mostly) resolved in the 6.1.2 patch release. There is now a check box to disregard case sensitivity in usernames, and an explanatory error message is now displayed after the "invalid profile" message during iOS onboarding, if users are smart enough to switch back to the web browser to see it.

    Anyway, thanks for the assistance in this everyone!
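The case-sensitivity bypass described in the post above, as an added example that is not part of the thread and not ClearPass code: a per-user device-limit check run over constructed onboard records, comparing a case-sensitive username match (where tom, Tom and toM each get their own allowance) with a normalized one. The record layout, usernames and MAC addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of onboard records (username as typed, device MAC);
# the three "tom" spellings are one person whose iOS device capitalised the name.
ONBOARD_RECORDS = [
    ("tom", "00:23:12:55:a0:5f"),
    ("Tom", "28:6a:ba:ea:9c:9f"),
    ("toM", "aa:bb:cc:dd:ee:01"),
    ("alice", "aa:bb:cc:dd:ee:02"),
]


def normalize_user(username, case_insensitive):
    """Canonical form of a username; casefold() also handles non-ASCII letters."""
    user = username.strip()
    return user.casefold() if case_insensitive else user


def devices_for_user(records, username, case_insensitive):
    """Set of MACs already onboarded by this user under the chosen comparison."""
    key = normalize_user(username, case_insensitive)
    return {
        mac.lower()
        for user, mac in records
        if normalize_user(user, case_insensitive) == key
    }


def device_counts(records, case_insensitive):
    """Devices per canonical username, e.g. to audit who is at or over the limit."""
    counts = defaultdict(set)
    for user, mac in records:
        counts[normalize_user(user, case_insensitive)].add(mac.lower())
    return {user: len(macs) for user, macs in counts.items()}


def may_onboard(records, username, mac, max_devices, case_insensitive=True):
    """Return (allowed, reason). Re-enrolling a device the user already owns
    does not consume a slot: the limit counts distinct devices, not attempts."""
    owned = devices_for_user(records, username, case_insensitive)
    if mac.lower() in owned:
        return True, "device already onboarded for this user"
    if len(owned) >= max_devices:
        return False, f"limit of {max_devices} device(s) reached"
    return True, f"device {len(owned) + 1} of {max_devices}"
```

With the case-sensitive comparison a fourth spelling such as "TOM" is treated as a new user and passes a limit of 1; with normalization all spellings share one allowance and the request is refused.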