Frequent Contributor I
Posts: 83
Registered: 06-27-2007

Onboard Device Limits by Group

In ClearPass 6.1 with OnBoard, what is the proper way to enforce different maximum onboarded-device limits by user group? Should this be done using unique provisioning settings pages with the Max Devices option, or through role mappings in the Onboard Authorization service? If the latter, is it just a matter of sending something in the enforcement profile (Aruba-Mdps-Max-Devices?) or is there more configuration involved?


Thanks!

Guru Elite
Posts: 20,761
Registered: 03-29-2007

Re: Onboard Device Limits by Group

The latter and there is no more configuration needed after sending the attribute.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 83
Registered: 06-27-2007

Re: Onboard Device Limits by Group

Thanks Colin,

For iOS devices (which do two authorization checks), should this attribute be returned in both or just the second authorization check?

Will this result in users receiving a message indicating that their device allowance has been reached?

Guru Elite
Posts: 20,761
Registered: 03-29-2007

Re: Onboard Device Limits by Group

The first one is all that is needed.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 7
Registered: 06-05-2013

Re: Onboard Device Limits by Group

So I have set up two services: one which handles the Pre-Auth request from the web GUI and also returns Aruba-Mdps-Max-Devices, and a second service which handles the second auth request and just returns a RADIUS accept for users in certain roles. I have Aruba-Mdps-Max-Devices set to 1. So far, I have onboarded three devices using the same account. Access Tracker shows the roles are being assigned properly and the RADIUS response from the Pre-Auth request includes Aruba-Mdps-Max-Devices 1. Any ideas why this is happening?

Request Details Summary -
 Session Identifier: R00000045-03-51b5ece7
 Date and Time: Jun 10, 2013 11:12:39 EDT
 Username: onboardt2
 End-Host Identifier: 00:23:12:55:a0:5f
 Access Device IP/Port: 127.0.0.1:0
 Audit Posture Status: UNKNOWN (100)
 System Posture Status: UNKNOWN (100)
 Login Status: ACCEPT

Policies Used -
 Service: GPS-Onboard-PreAuth
 Authentication Method: PAP
 Authentication Source: AD:dc.ssav.com
 Authorization Source: GP-AD
 Roles: Onboard-1-Device, [User Authenticated]
 Enforcement Profiles: Onboard - Limit 1 Device
 Service Monitor Mode: Disabled

Input RADIUS Attributes -
 Radius:Aruba:Aruba-Essid-Name = GP-OBSecure
 Radius:Aruba:Aruba-Port-Id = device_provisioning
 Radius:IETF:Calling-Station-Id = 00:23:12:55:a0:5f
 Radius:IETF:Connect-Info = 10.90.10.3
 Radius:IETF:Event-Timestamp = 4450374-05-02 01:00:23
 Radius:IETF:Framed-IP-Address = 10.90.10.3
 Radius:IETF:Login-IP-Host = 10.90.0.90
 Radius:IETF:NAS-Identifier = cppm.ssav.com
 Radius:IETF:NAS-IP-Address = 127.0.0.1
 Radius:IETF:NAS-Port = 0
 Radius:IETF:NAS-Port-Type = 15
 Radius:IETF:Service-Type = 17
 Radius:IETF:User-Name = onboardt2

Input Computed Attributes -
 Authentication:ErrorCode = 0
 Authentication:Full-Username = onboardt2
 Authentication:MacAuth = NotApplicable
 Authentication:NetBIOS-Name = SSAV
 Authentication:OuterMethod = PAP
 Authentication:Posture = Unknown
 Authentication:Source = GP-AD
 Authentication:Status = User
 Authentication:Username = onboardt2
 Authorization:Sources = GP-AD
 Connection:Client-Mac-Address = 00:23:12:55:a0:5f
 Connection:Client-Mac-Address-Colon = 00:23:12:55:a0:5f
 Connection:Client-Mac-Address-Dot = 0023.1255.a05f
 Connection:Client-Mac-Address-Hyphen = 00-23-12-55-a0-5f
 Connection:Client-Mac-Address-NoDelim = 00231255a05f
 Connection:Client-Mac-Vendor = Apple, Inc
 Connection:Dest-IP-Address = 127.0.0.1
 Connection:Dest-Port = 1812
 Connection:NAD-IP-Address = 127.0.0.1
 Connection:Protocol = RADIUS
 Connection:Src-IP-Address = 127.0.0.1
 Connection:Src-Port = 56843
 Connection:SSID = GP-OBSecure

Input Authorization Attributes -
 Authorization:GP-AD:All Groups = Faculty
 Authorization:GP-AD:memberOf = CN=Faculty,OU=MainUsers,DC=ssav,DC=com
 Authorization:GP-AD:UserDN = CN=onboard t2,OU=MainUsers,DC=ssav,DC=com

Output RADIUS Attributes -
 Radius:Aruba:Aruba-Mdps-Max-Devices = 1


Frequent Contributor I
Posts: 83
Registered: 06-27-2007

Re: Onboard Device Limits by Group

Just tested this in my lab as well. Set Aruba-Mdps-Max-Devices = 1 in the Enforcement Profile for the iOS onboard authorization service. I was still able to onboard two devices. Am I missing something...

Aruba
Posts: 1,540
Registered: 06-12-2012

Re: Onboard Device Limits by Group

Do you have Insight enabled, and is it an authorization source for your service?

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor I
Posts: 83
Registered: 06-27-2007

Re: Onboard Device Limits by Group

I did have Insight enabled; however, I did not have Insight specified as an authorization source. I just set Insight as an authorization source for the iOS onboard authorization service; however, I was still able to onboard two different devices when the enforcement profile should be limiting me to one...

Aruba
Posts: 1,540
Registered: 06-12-2012

Re: Onboard Device Limits by Group

Make sure in your service you enable Insight as an authorization source, and in the enforcement you use that source.

devicecount.png

Here are a few example ones that I use for Guests.

devicecountguest.png

Thank You,
Troy

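As an added example (not code from this thread, from Aruba, or from ClearPass itself), the script below works through the two approaches discussed so far. It parses the Access Tracker request details posted earlier and checks that the enforcement profile returned the Aruba-Mdps-Max-Devices value the role mapping should have produced for the user's AD group (Colin's approach), and it evaluates the alternative count-based policy, where an authorization source such as the Endpoints Repository supplies the number of devices the user already holds and the policy rejects once the group limit is reached (Troy's approach). The group-to-limit table, the extra groups, the endpoint records, the extra MAC addresses, and the line-oriented parsing of the Access Tracker text layout are all assumptions made for this example.

```python
import re

# Assumed role mapping for illustration: AD group -> maximum onboarded devices.
# Only "Faculty" appears in the thread; the other groups and limits are made up.
GROUP_DEVICE_LIMITS = {"Faculty": 1, "Staff": 3, "Students": 2}
DEFAULT_LIMIT = 1  # applied when none of the user's groups is mapped

# Trimmed copy of the Access Tracker request details posted in this thread.
SAMPLE_DUMP = """\
Request Details Summary -
 Username: onboardt2
 End-Host Identifier: 00:23:12:55:a0:5f
 Login Status: ACCEPT

Policies Used -
 Service: GPS-Onboard-PreAuth
 Roles: Onboard-1-Device, [User Authenticated]
 Enforcement Profiles: Onboard - Limit 1 Device

Input Authorization Attributes -
 Authorization:GP-AD:All Groups = Faculty
 Authorization:GP-AD:memberOf = CN=Faculty,OU=MainUsers,DC=ssav,DC=com

Output RADIUS Attributes -
 Radius:Aruba:Aruba-Mdps-Max-Devices = 1
"""

SECTION_RE = re.compile(r"^(\S.*) -$")          # "Output RADIUS Attributes -"
ATTR_RE = re.compile(r"^\s+(.+?)\s*=\s*(.*)$")   # " Radius:IETF:User-Name = x"
FIELD_RE = re.compile(r"^\s+(.+?):\s+(.*)$")     # " Username: onboardt2"


def parse_access_tracker(dump):
    """Parse an Access Tracker text dump into {section: {key: value}}."""
    sections, current = {}, None
    for line in dump.splitlines():
        if not line.strip():
            continue
        head = SECTION_RE.match(line)
        if head:
            current = head.group(1).strip()
            sections[current] = {}
            continue
        kv = ATTR_RE.match(line) or FIELD_RE.match(line)
        if current is not None and kv:
            sections[current][kv.group(1).strip()] = kv.group(2).strip()
    return sections


def limit_for_groups(groups):
    """Role-mapping step: the highest mapped limit among the user's groups."""
    mapped = [GROUP_DEVICE_LIMITS[g] for g in groups if g in GROUP_DEVICE_LIMITS]
    return max(mapped) if mapped else DEFAULT_LIMIT


def user_groups(tracker):
    """Read the group list from any '<source>:All Groups' authorization attribute."""
    for key, value in tracker.get("Input Authorization Attributes", {}).items():
        if key.endswith(":All Groups"):
            return [g.strip() for g in value.split(",") if g.strip()]
    return []


def check_role_mapping(dump):
    """Compare the limit the role mapping should yield with the value returned."""
    tracker = parse_access_tracker(dump)
    expected = limit_for_groups(user_groups(tracker))
    raw = tracker.get("Output RADIUS Attributes", {}).get(
        "Radius:Aruba:Aruba-Mdps-Max-Devices")
    returned = int(raw) if raw is not None else None
    return {"username": tracker["Request Details Summary"]["Username"],
            "expected": expected, "returned": returned, "ok": returned == expected}


# Constructed endpoint records standing in for the Endpoints Repository after the
# three enrolments by onboardt2 described in the thread; MACs after the first are made up.
ENDPOINTS = [
    {"mac": "00:23:12:55:a0:5f", "username": "onboardt2"},
    {"mac": "00:23:12:55:a0:60", "username": "onboardt2"},
    {"mac": "00:23:12:55:a0:61", "username": "onboardt2"},
    {"mac": "00:1c:b3:00:00:01", "username": "staff1"},
]


def devices_for(username, endpoints=ENDPOINTS):
    """MACs already onboarded by this user (case-insensitive match)."""
    return {e["mac"].lower() for e in endpoints
            if e["username"].lower() == username.lower()}


def count_based_decision(username, groups, mac, endpoints=ENDPOINTS):
    """Count-based policy: accept while the user is under the group limit, or when
    re-provisioning a device that is already theirs; otherwise reject. The answer
    is only ACCEPT/REJECT, so it carries no message back to the user."""
    owned = devices_for(username, endpoints)
    if mac.lower() in owned:
        return "ACCEPT"
    return "ACCEPT" if len(owned) < limit_for_groups(groups) else "REJECT"


if __name__ == "__main__":
    print(check_role_mapping(SAMPLE_DUMP))
    print(count_based_decision("onboardt2", ["Faculty"], "00:23:12:55:a0:62"))
```

Against the posted dump, check_role_mapping() reports expected 1, returned 1, ok True: the profile is emitting the attribute the role mapping intended, so if devices still enrol past the limit the cause is not the enforcement output. The count-based path can only answer ACCEPT or REJECT, which is what produces a bare RADIUS Reject with no user-facing explanation.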
Frequent Contributor I
Posts: 83
Registered: 06-27-2007

Re: Onboard Device Limits by Group

OK, I am confused now. When you said enable Insight as an authorization source in your service, I enabled the [Insight Repository] as an authorization source. Your screenshots seem to indicate that you are referring to the [Endpoints Repository] authorization source.

My best understanding (from talking to TAC and from Colin's post above) is that I should be returning the Aruba RADIUS attribute Aruba-MDPS-Max-Devices = X in the Enforcement Profile for my iOS onboard authorization role in order to limit the number of unique devices which a particular user can onboard and give users an error message when they exceed this limit. This is unfortunately not working for me. I am hoping this is because I am missing something simple.

Your examples show a different approach; however, from the look of it, this would result in users who have exceeded their device allowance getting a plain RADIUS Reject. This would show up as a username/password failure in the onboard process with no indication to the user of the cause - correct?
