Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Possible to rewrite Access-Accept?

  • 1.  Possible to rewrite Access-Accept?

    Posted Feb 21, 2014 03:44 PM

    Is it possible to modify the Access-Accept message to sanitize certain fields based on policy?  For example if an internal controller makes a request return the inner identity for the User-Name, if the request is from another institution return the outer identity?  I've done this using Radiator, but not sure whether Clearpass has this capability.



  • 2.  RE: Possible to rewrite Access-Accept?

    Posted Feb 26, 2014 06:06 AM

    Not quite sure what you mean by "sanitize certain fields", but you can return whatever RADIUS message you want along with the Access-Accept. It's up to the receiving end how to interpret and do something with it.

    You create one or more Enforcement Profiles that have the various return messages you want to send.

    Then create the Enforcement Policy that has the criteria for triggering the Enforcement Profiles.

    In this scenario I'm thinking it would be wise to create a Device Group and use this as the check for the various RADIUS messages to return.

    network-device-groups.png

    The enforcement profile (change and create according to your needs):

    enf-profile-example.png

    The enforcement policy:

    enforcement-policy.png



  • 3.  RE: Possible to rewrite Access-Accept?

    Posted Feb 26, 2014 06:53 AM

    John,

    Thank you for your response. I've tried your suggestion, but it appears to only allow me to add attributes and not alter existing attributes. If you have any other suggestions, please let me know.

    Custom Enforcement Profile

    custom-enforcement-profile.PNG

    Results of Custom Enforcement Profile (using eapol_test)

    custom-enforcement-profile-results.PNG



  • 4.  RE: Possible to rewrite Access-Accept?

    Posted Feb 26, 2014 06:57 AM

    Yeah, I suspected that might be the case. I encountered the same thing when doing this on a Cisco 5760, so there might be another trick to doing this. I had thought enabling "AAA override" and "nac" should permit this, but it seems not.

    What kind of WLC/switch are you running?



  • 5.  RE: Possible to rewrite Access-Accept?

    Posted Feb 26, 2014 08:47 AM

    The "internal" devices that we have are Aruba wireless controllers, but the "external" devices could be any make/brand of switch/controller (part of an eduroam radius proxy federation).  Thanks.



  • 6.  RE: Possible to rewrite Access-Accept?

    Posted Feb 26, 2014 08:52 AM

    You said you had done this using Radiator AAA server. Wouldn't that be using the same type of return messages to the controllers?



  • 7.  RE: Possible to rewrite Access-Accept?

    Posted Feb 26, 2014 09:15 AM

    This is a bit of restating the problem, but hopefully it answers your question.

    In Radiator you can opt to send the inner identity back on the equivalent of a per-device-group basis for the Access-Accept, i.e.:

    1. external device connects: send back outer identity for User-Name

    2. internal device connects: send back inner identity for User-Name

    In ClearPass this seems to be a global option.

    Ideally I would be able to override the global option on a per-device-group basis. The alternative is to have a dedicated ClearPass server for internal vs. external devices (not ideal) or perform the rewrite/drop of the User-Name after ClearPass sends back an Access-Accept.
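The last alternative mentioned above (rewriting or dropping User-Name in the Access-Accept after ClearPass has sent it) is what a RADIUS proxy between ClearPass and the federation does. The following is an added example written for this thread, not code from the original posts, from ClearPass, or from Radiator: a minimal proxy step in Python using only the standard library. It verifies the Access-Accept from ClearPass, replaces User-Name with the outer identity when the NAS is an external (federation) device, leaves it alone for an internal device, and then re-signs the packet for the NAS. The security-relevant point is that User-Name cannot simply be patched in place: the Response Authenticator (RFC 2865) and, for EAP, the Message-Authenticator (RFC 2869) both cover the attribute bytes and the request authenticator of that hop, so both must be recomputed under the NAS-facing secret or the NAS will silently discard the reply. The shared secrets, request authenticators, identities and the single-identifier mapping are constructed for the example.

```python
"""Rewrite User-Name in a RADIUS Access-Accept at a proxy, re-signing for the NAS."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
USER_NAME = 1                # RFC 2865 attribute type
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type
ZERO16 = b"\x00" * 16


def parse_attrs(body):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def encode_attrs(attrs):
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def build_response(code, ident, request_auth, attrs, secret):
    """Serialize a reply. Message-Authenticator is HMAC-MD5 over the header, the
    request authenticator and the attributes with its own value zeroed (RFC 2869 5.14);
    the Response Authenticator is MD5(header + request auth + attrs + secret) (RFC 2865 3)."""
    attrs = [(t, ZERO16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs):
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        attrs = [(t, mac if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
        body = encode_attrs(attrs)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret):
    """Check the Response Authenticator and, if present, the Message-Authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    attrs = parse_attrs(body)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if macs:
        zeroed = encode_attrs([(t, ZERO16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
        mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(mac, macs[0]):
            return False
    return True


def rewrite_access_accept(reply, upstream_secret, upstream_req_auth,
                          nas_secret, nas_req_auth, outer_identity, nas_is_internal):
    """Proxy step: verify the Access-Accept from the upstream server (ClearPass here),
    swap User-Name for the outer identity when the NAS is external, re-sign for the NAS.
    Assumption: the proxy reused the NAS's packet identifier upstream, so reply[1] is
    returned unchanged; a real proxy keeps an explicit identifier mapping."""
    if reply[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if not verify_response(reply, upstream_req_auth, upstream_secret):
        raise ValueError("Access-Accept failed authenticator check; dropping")
    attrs = parse_attrs(reply[20:])
    if not nas_is_internal:
        attrs = [(t, outer_identity.encode() if t == USER_NAME else v) for t, v in attrs]
    return build_response(ACCESS_ACCEPT, reply[1], nas_req_auth, attrs, nas_secret)


def user_name(packet):
    names = [v for t, v in parse_attrs(packet[20:]) if t == USER_NAME]
    return names[0].decode() if names else None


if __name__ == "__main__":
    # Constructed values: secrets and request authenticators of the two hops.
    cp_secret, nas_secret = b"clearpass-secret", b"nas-secret"
    cp_req_auth, nas_req_auth = bytes(range(16)), bytes(range(16, 32))
    # Constructed Access-Accept as ClearPass would send it with the inner identity.
    accept = build_response(ACCESS_ACCEPT, 7, cp_req_auth,
                            [(USER_NAME, b"jdoe@example.edu"), (MESSAGE_AUTHENTICATOR, ZERO16)],
                            cp_secret)
    for internal in (True, False):
        out = rewrite_access_accept(accept, cp_secret, cp_req_auth, nas_secret, nas_req_auth,
                                    "anonymous@example.edu", internal)
        print("internal" if internal else "external", user_name(out),
              verify_response(out, nas_req_auth, nas_secret))
```

Two caveats for anyone turning this into a real proxy. First, an EAP Access-Accept also carries MS-MPPE-Send-Key and MS-MPPE-Recv-Key, which are encrypted under the shared secret and request authenticator of each hop; a proxy that re-signs the reply must also decrypt and re-encrypt those attributes, which Radiator and FreeRADIUS do for you and this example deliberately leaves out. Second, the proxy must refuse (not forward) any reply whose authenticators fail to verify, which is why `rewrite_access_accept` raises instead of rewriting a packet it cannot trust.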