Security

Occasional Contributor I
Posts: 7
Registered: ‎02-13-2014

Possible to rewrite Access-Accept?

Is it possible to modify the Access-Accept message to sanitize certain fields based on policy?  For example if an internal controller makes a request return the inner identity for the User-Name, if the request is from another institution return the outer identity?  I've done this using Radiator, but not sure whether Clearpass has this capability.

MVP
Posts: 507
Registered: ‎05-11-2011

Re: Possible to rewrite Access-Accept?

Not quite sure what you mean by "sanitize certain fields", but you can return whatever Radius message you want along with the Access-Accept. It's up to the receiving end how to interpret and do something with it.

 

You create one or more Enforcement Profiles that have the various return messages you want to send.

Then create the Enforcement Profile that has the criteria for triggering the Enf Profiles.

 

In this scenario I'm thinking it would be wise to create a Device Group and use this as the check for the various Radius messages to return.

 

network-device-groups.png

 

 

The enf-profile (change and create according to your needs)

enf-profile-example.png

 

The Enf policy

enforcement-policy.png

 

 


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Occasional Contributor I
Posts: 7
Registered: ‎02-13-2014

Re: Possible to rewrite Access-Accept?

John,

 

Thank you for your response.  I've tried your suggestion, but it appears to only allow me to add attributes and not alter existing attributes.  If you have any other suggestions, please let me know.

 

Custom Enforcement Profile

 

 

custom-enforcement-profile.PNG

 

Results of Custom Enforcement Profile (using eapol_test)

 

custom-enforcement-profile-results.PNG

MVP
Posts: 507
Registered: ‎05-11-2011

Re: Possible to rewrite Access-Accept?

Yea I suspected that might be the case - I encountered the same thing when doing this on a Cisco 5760 so there might be another trick to doing this. I had thought enabling "AAA override" and "nav" should permit this, but seems not.

 

What kind of WLC/Switch are you running?


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Occasional Contributor I
Posts: 7
Registered: ‎02-13-2014

Re: Possible to rewrite Access-Accept?

The "internal" devices that we have are Aruba wireless controllers, but the "external" devices could be any make/brand of switch/controller (part of an eduroam radius proxy federation).  Thanks.

MVP
Posts: 507
Registered: ‎05-11-2011

Re: Possible to rewrite Access-Accept?

You said you had done this using Radiator AAA server. Wouldn't that be using the same type of return messages to the controllers?


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Occasional Contributor I
Posts: 7
Registered: ‎02-13-2014

Re: Possible to rewrite Access-Accept?

This is a bit of restating the problem, but hopefully it answers your question.

 

In Radiator you can opt to send the inner-identity back on the equivalent of a per-device group basis for the Access-Accept.  i.e.

 

1. external device connects: send back outer identity for User-Name

2. internal device connects: send back inner identity for User-Name

 

In Clear Pass this seems to be a global option.

 

Ideally I would be able to override the global option on a per-device group basis.  The alternative is to have a dedicated clear pass server for internal vs. external devices (not ideal) or perform the rewrite/drop of the User-Name after clear pass sends back an Access-Accept.
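An added example (not from the thread, and not ClearPass or Radiator code) of the last option mentioned above: rewriting User-Name in the Access-Accept after the RADIUS server has answered, on a small proxy in front of the NAS. The catch a practitioner hits here is that the Access-Accept is integrity-protected: the Response Authenticator is MD5 over the packet plus the shared secret (RFC 2865), and EAP responses also carry a Message-Authenticator (attribute 80) computed as HMAC-MD5 with the Request Authenticator (RFC 2869 section 5.14), so both must be recomputed, Message-Authenticator first, after any rewrite. The shared secret, Request Authenticator, identities, NAS addresses and the 10.0.0.0/8 "internal" range are all constructed assumptions for illustration.

```python
"""Rewrite User-Name in a RADIUS Access-Accept by NAS group and re-sign it.

Added example, not from the forum thread: internal controllers get the inner
identity the server returned, any other NAS (e.g. an eduroam federation proxy)
gets the outer identity instead. All packets, secrets and addresses below are
constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
USER_NAME = 1
CLASS = 25
MESSAGE_AUTHENTICATOR = 80

# Hypothetical policy: NAS addresses in these networks are "internal" devices.
INTERNAL_NAS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_attrs(payload: bytes):
    """Decode the Type/Length/Value attribute list that follows the 20-byte header."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_response(code: int, ident: int, req_auth: bytes, attrs, secret: bytes) -> bytes:
    """Serialise a response packet with correct authenticators.

    Message-Authenticator (if present) is HMAC-MD5(secret) over the packet with
    the Request Authenticator in the authenticator field and attribute 80 zeroed;
    the Response Authenticator is then MD5(header + req_auth + attrs + secret).
    """
    def pack(auth: bytes, attr_list) -> bytes:
        body = encode_attrs(attr_list)
        return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

    if any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs):
        zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
        mac = hmac.new(secret, pack(req_auth, zeroed), hashlib.md5).digest()
        attrs = [(t, mac if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(pkt: bytes, req_auth: bytes, secret: bytes) -> bool:
    """True if both authenticators match; rebuilds the packet and compares in constant time."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    try:
        attrs = parse_attrs(pkt[20:])
    except ValueError:
        return False
    return hmac.compare_digest(build_response(code, ident, req_auth, attrs, secret), pkt)


def rewrite_user_name(accept_pkt: bytes, req_auth: bytes, secret: bytes,
                      nas_ip: str, outer_identity: str) -> bytes:
    """Apply the per-device-group policy and return a freshly signed Access-Accept."""
    if not verify_response(accept_pkt, req_auth, secret):
        raise ValueError("Access-Accept failed authenticator check; not rewriting")
    code, ident, _ = struct.unpack("!BBH", accept_pkt[:4])
    attrs = parse_attrs(accept_pkt[20:])
    internal = any(ipaddress.ip_address(nas_ip) in net for net in INTERNAL_NAS)
    if not internal:  # external NAS: replace the inner identity with the outer one
        attrs = [(t, outer_identity.encode() if t == USER_NAME else v) for t, v in attrs]
    return build_response(code, ident, req_auth, attrs, secret)


def user_name(pkt: bytes) -> str:
    return next(v for t, v in parse_attrs(pkt[20:]) if t == USER_NAME).decode()


# Constructed sample: the Access-Accept the RADIUS server sent, carrying the inner identity.
SECRET = b"testing123"                      # assumed NAS-facing shared secret
REQ_AUTH = bytes(range(16))                 # assumed Request Authenticator from the Access-Request
INNER, OUTER = "alice@example.edu", "anonymous@example.edu"
ACCEPT = build_response(ACCESS_ACCEPT, 7, REQ_AUTH, [
    (USER_NAME, INNER.encode()),
    (MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # placeholder, filled in by build_response
    (CLASS, b"policy-x"),
], SECRET)

if __name__ == "__main__":
    for nas in ("10.1.2.3", "192.0.2.10"):
        out = rewrite_user_name(ACCEPT, REQ_AUTH, SECRET, nas, OUTER)
        print(nas, "->", user_name(out), "valid:", verify_response(out, REQ_AUTH, SECRET))
```

Two practical notes: the secret used here is the one shared with the NAS, which on a proxy is generally not the same as the one the upstream server used, so the packet has to be re-signed anyway; and dropping User-Name entirely for external devices is the same edit with the attribute filtered out instead of replaced.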

 

 
