Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard limit per user based on group

  • 1.  Onboard limit per user based on group

    Posted Jan 10, 2014 09:40 AM

    Hi,

    I am planning to limit onboarding of devices based on groups. We have only one group now, and users in that group can onboard an unlimited number of devices.

    Now I want to segregate top management and employees. For top management I want to allow unlimited onboarding, and for employees I want to limit it to only 1.

    In the onboard authorisation service, I understood that based on role derivation of the employee group we can apply the enforcement profile "onboard limit 1" with attribute max-mdps-devices=1. Is that enough, or is any more configuration needed to stop employees from onboarding more than 1?

    In provisioning settings, max devices is set to 0 (unlimited).

    Thanks

    Sri



  • 2.  RE: Onboard limit per user based on group

    EMPLOYEE
    Posted Jan 10, 2014 09:45 AM

    That is enough. That RADIUS attribute will override the general settings for an individual user.



  • 3.  RE: Onboard limit per user based on group

    Posted Jan 10, 2014 09:51 AM

    I have a doubt here.

    How will this RADIUS attribute stop the user onboarding the 2nd device? Will it check the Onboard repository for the owner name?

    If the user brings in a 2nd device and wants to onboard it by removing access to the 1st device, should I have to revoke the certificate or delete the device from the Onboard repository?



  • 4.  RE: Onboard limit per user based on group

    EMPLOYEE
    Posted Jan 10, 2014 09:53 AM

    @srikanthsoogoor wrote:

    I have a doubt here.

    How will this RADIUS attribute stop the user onboarding the 2nd device? Will it check the Onboard repository for the owner name?

    If the user brings in a 2nd device and wants to onboard it by removing access to the 1st device, should I have to revoke the certificate or delete the device from the Onboard repository?


    All the RADIUS attribute does is set a limit for that particular username in Onboard. When the user tries to onboard, this setting is then checked. If the user reaches his limit, the user cannot onboard another device unless the administrator revokes or deletes his first entry.



  • 5.  RE: Onboard limit per user based on group

    EMPLOYEE
    Posted Jan 10, 2014 01:33 PM

    Colin is correct... that's all that's needed. IF the user wants to REPLACE this one allowed device, you can set up BYOD self-service where they can log in themselves and delete the cert!



  • 6.  RE: Onboard limit per user based on group

    Posted Jan 11, 2014 04:40 AM

    Yes, I got it.

    But for iOS or Mac OS X, first it does the web pre-login auth check as it does over-the-air provisioning, and later it hits the onboard authorisation service. So for iOS or Mac OS X is any extra configuration required?

    Thanks



  • 7.  RE: Onboard limit per user based on group

    EMPLOYEE
    Posted Jan 11, 2014 05:04 AM
    No.

    When you onboard a device it will tie that username to it (doesn't matter if it's Windows, Mac, or Android), and that will be checked in the background to see if that user could add another device, through a built-in database query triggered by the pre-auth check.

    You have the option to check each time a device connects to see how many devices that user has (which I think you are asking about). That works fine in an environment like a school, hospital or for guests, where you want to restrict a user to a set number of MAC auth, non-onboarded and .1x devices combined, based on a group membership. But it does add overhead on CPPM, since you are doing a query every time a device connects instead of just checking when they try adding another device.

    If you are only allowing users to connect to the network with a cert, then they wouldn't be able to onboard another device until the other one is expired or revoked.

    I hope this makes sense. Just let me know if you're still confused and I can add a few screenshots in the morning.


  • 8.  RE: Onboard limit per user based on group

    Posted Jan 11, 2014 05:10 AM

    Yes, I got it.

    The only way for iOS, Mac OS X and Android to get onto the network is to get onboarded. It's the requirement.

    Thanks

    srikanth



  • 9.  RE: Onboard limit per user based on group

    Posted Jan 13, 2014 08:35 AM

    If I use username abcd to onboard any device and then try with the same username, I'm unable to onboard a 2nd device, whether it is Android, iOS or Windows.

    But if I use username abcd to onboard Android and domain\abcd for iOS, I am able to onboard and it's working fine.

    But if I use username abcd to onboard Android and domain\abcd for a 2nd Android, I am able to onboard but authentication fails.

    Can anyone help me on this issue? I should stop the iOS device from onboarding after the Android is onboarded.



  • 10.  RE: Onboard limit per user based on group

    Posted Jan 13, 2014 11:26 PM

    Can I stop users from giving domain\username by writing a role like

    authorisation: AD groups onboardlimit

         AND

    Radius:IETF username not begins with domain name (for example, domain is abc)

    If the user enters Abc or ABC, will it stop, or does it consider it case sensitive?

    cheers

    srikanth



  • 11.  RE: Onboard limit per user based on group

    EMPLOYEE
    Posted Jan 13, 2014 11:37 PM

    @srikanthsoogoor wrote:

    Can I stop users from giving domain\username by writing a role like

    authorisation: AD groups onboardlimit

         AND

    Radius:IETF username not begins with domain name (for example, domain is abc)

    If the user enters Abc or ABC, will it stop, or does it consider it case sensitive?

    cheers

    srikanth


    You can strip the contents of the username: http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/9087/1/2014-01-13%2012_01_32-ClearPass%20Policy%20Manager%20-%20Aruba%20Networks.png, but that might not be enough.

    If that does not work you might have to enable "User Inner Identity in Accept Reply" as well:

    [screenshot attachment: inner.PNG]



  • 12.  RE: Onboard limit per user based on group

    Posted Jan 14, 2014 09:37 AM

    @cjoseph wrote:

    @srikanthsoogoor wrote:

    Can I stop users from giving domain\username by writing a role like

    authorisation: AD groups onboardlimit

         AND

    Radius:IETF username not begins with domain name (for example, domain is abc)

    If the user enters Abc or ABC, will it stop, or does it consider it case sensitive?

    cheers

    srikanth


    You can strip the contents of the username: http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/9087/1/2014-01-13%2012_01_32-ClearPass%20Policy%20Manager%20-%20Aruba%20Networks.png, but that might not be enough.

    If that does not work you might have to enable "User Inner Identity in Accept Reply" as well:

    [screenshot attachment: inner.PNG]


    If I enable user inner identity in the access-accept reply, I would see in Access Tracker the username instead of domain\username, right?

    If that is the case, then the onboard authorisation service will use the user inner identity to onboard the device even if he gives domain\username. It would consider only the username to onboard, or what?

    If I strip the username in the service, it would use only the stripped string to check the authentication, right? Or will it use the stripped string as the owner in Onboard?



  • 13.  RE: Onboard limit per user based on group

    EMPLOYEE
    Posted Jan 14, 2014 09:51 AM

    If you use both parameters, it should return it without the \domain. Try it.



  • 14.  RE: Onboard limit per user based on group

    Posted Jan 17, 2014 11:55 PM

    @cjoseph wrote:

    If you use both parameters, it should return it without the \domain. Try it.


    I have used both the parameters: in onboard authorisation I used the strip username rule \:user, and in the RADIUS service parameters I have enabled user inner identity. But still I am able to onboard the device if I give domain\username.

    I guess it would be fine if I write

     authorisation: AD groups onboardlimit1 && radius ietf: username doesn't contain \ (separator between domain and username)

    cheers

    srikanth



  • 15.  RE: Onboard limit per user based on group

    EMPLOYEE
    Posted Jan 18, 2014 01:59 AM

    @srikanthsoogoor wrote:

    @cjoseph wrote:

    If you use both parameters, it should return it without the \domain. Try it.


    I have used both the parameters: in onboard authorisation I used the strip username rule \:user, and in the RADIUS service parameters I have enabled user inner identity. But still I am able to onboard the device if I give domain\username.

    I guess it would be fine if I write

     authorisation: AD groups onboardlimit1 && radius ietf: username doesn't contain \ (separator between domain and username)

    cheers

    srikanth


    What version of CPPM are you using? I believe there was a bug where the strip domain wasn't working correctly. If you are at the latest, please open a TAC case.



  • 16.  RE: Onboard limit per user based on group

    Posted Jan 17, 2014 03:23 AM

    Hello,

    I would love to have a bit more detailed description of how to create these checks and enforcement profiles. So if you have the time to post some screens it would be greatly appreciated.

    Thanks,

    Tomas



  • 17.  RE: Onboard limit per user based on group

    EMPLOYEE
    Posted Jan 18, 2014 02:06 AM

    @tlilja wrote:

    Hello,

    I would love to have a bit more detailed description of how to create these checks and enforcement profiles. So if you have the time to post some screens it would be greatly appreciated.

    Thanks,

    Tomas


    Tomas,

    What are you trying to accomplish? Here is an example of my onboard auth.

    [screenshot attachments: screenshot_04, screenshot_05, screenshot_06, screenshot_07, screenshot_08 (Jan. 18)]



  • 18.  RE: Onboard limit per user based on group

    Posted Jan 18, 2014 09:46 AM

    I'm trying to make three different profiles for onboard: 1, 2 and an unlimited number of devices, and I was unsure how to do it. But now I have an example to work from and I'll try to modify my existing config to make it work.

    Many thanks,

    Tomas