Frequent Contributor II

Profile based enforcement

Actually as I'm writing this, my other services in production are no longer profiling any devices. Is there a way to restart the profiling service?

--------

I'm running into a problem in a new service I'm creating. I'll list the requirements, followed by my current rules. This is an EAP-PEAP-MSCHAPv2 auth type.

We require SmartDevices to be put on a separate VLAN from domain computers. We would like SmartDevices to be on the same VLAN as domain computers if the user account has an AD membership that allows this access.

The AD part is all well and good, but I'm having problems with the profiling, as a device that hasn't been profiled can't match many enforcement rules. So for the below rule, if it is a smart device, belongs to this AP group, and is corporate ownership, apply this VLAN.

[screenshot: 2017-04-04_14h42_01.png]

However, if it is the device's first time connecting, it won't have been profiled, and therefore won't hit the right VLAN.

Is there a better practice I should be using?

Is there a way to do profiling such as:

endpoint:isProfiled = false, enforce CoA profiling

Any thoughts are greatly appreciated.

Re: Profile based enforcement

Are you able to successfully CoA the device?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: Profile based enforcement

No devices are going through CoA anymore or profiling. 

They were earlier today.

Re: Profile based enforcement

The best way to try this is using a test device that authenticated successfully to the network via ClearPass and search the MAC address in access tracker and do a change of authorization from there and see if it works

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: Profile based enforcement

I tried the Manual CoA from access tracker and it reported a success, but the device did not go through CoA; the device also didn't profile.

Frequent Contributor II

Re: Profile based enforcement

I just tried the CoA again, and this time it got profiled. I then deleted the endpoint and tried again. The device failed the CoA.

I tried it again, and it succeeded the CoA, but didn't profile.

I've just done this on 2 different Androids with accounts that have the same details. They only profile occasionally, and inconsistently on both devices.

I feel ClearPass is acting up.

Guru Elite

Re: Profile based enforcement

You need to create a rule at the top that checks if the profile category NOT_EXISTS and drop the user into a profiling role.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: Profile based enforcement

These are IAPs? Be sure Dynamic RADIUS Proxy is enabled.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: Profile based enforcement

These are IAPs, and Dynamic RADIUS Proxy is enabled.

Is there a default enforcement policy/role that forces profiling that I'm missing, or something that needs to be manually created?

Guru Elite

Re: Profile based enforcement

No. You would need to create a role on the IAP that allows only DHCP and DNS. Then in ClearPass, create a role enforcement profile with that role name. Then add a rule at the top of your enforcement policy that says Authorization:[Endpoints Repository] Category NOT_EXISTS and return that enforcement profile.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
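The following is an added simulation, not ClearPass code or anything from the thread's participants. It models the first-match behaviour of an ordered enforcement policy to show the problem the original poster describes (an endpoint that has never been profiled matches none of the device-specific rules, including the "endpoint:isProfiled = false" idea from the question) and the fix in the answer above (a top rule on Category NOT_EXISTS that returns a DHCP/DNS-only role, after which profiling and CoA re-evaluate the session). Every attribute key, enforcement-profile name and endpoint record is a constructed placeholder.

```python
"""Illustrative first-match enforcement-policy evaluator (added example).

Not ClearPass code or its API. It mimics how an ordered enforcement policy
returns the profile of the first matching rule, so you can see why an endpoint
that has never been profiled falls through every device-specific rule, and how
a top rule on "Endpoints Repository:Category NOT_EXISTS" catches it and sends
the device to a DHCP/DNS-only role until profiling plus CoA re-evaluates it.
All attribute keys, profile names and endpoint records are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, str]

# Hypothetical enforcement-profile names.
PROFILE_ONLY_ROLE = "Profile-Only-Role"   # IAP role that permits only DHCP and DNS
CORP_VLAN = "Corp-VLAN"
SMARTDEVICE_VLAN = "SmartDevice-VLAN"
DEFAULT_PROFILE = "Deny-Access"           # policy default when nothing matches

# Attribute keys, named after the ClearPass namespaces but constructed here.
CATEGORY = "Endpoints Repository:Category"
OWNERSHIP = "Endpoints Repository:Ownership"
MEMBER_OF = "Authorization:AD:memberOf"


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Attrs], bool]
    enforcement_profile: str


def not_exists(attrs: Attrs, key: str) -> bool:
    """NOT_EXISTS semantics: the attribute is absent (or empty) for this session."""
    return attrs.get(key, "") == ""


def in_group(attrs: Attrs, group: str) -> bool:
    """AD group membership, with memberOf modelled as a '|'-separated string."""
    return group in attrs.get(MEMBER_OF, "").split("|")


def build_policy(with_profiling_rule: bool) -> List[Rule]:
    """Ordered rule list; the first matching rule wins."""
    rules: List[Rule] = []
    if with_profiling_rule:
        # The fix from the thread: catch unprofiled endpoints before anything else.
        rules.append(Rule("unprofiled -> profile only",
                          lambda a: not_exists(a, CATEGORY), PROFILE_ONLY_ROLE))
    rules += [
        Rule("domain computer",
             lambda a: a.get(CATEGORY) == "Computer" and in_group(a, "Domain Computers"),
             CORP_VLAN),
        Rule("corporate smart device, user allowed on corp VLAN",
             lambda a: a.get(CATEGORY) == "SmartDevice"
             and a.get(OWNERSHIP) == "Corporate"
             and in_group(a, "SmartDevice-Corp-Access"),
             CORP_VLAN),
        Rule("any other smart device",
             lambda a: a.get(CATEGORY) == "SmartDevice", SMARTDEVICE_VLAN),
    ]
    return rules


def evaluate(policy: List[Rule], attrs: Attrs) -> str:
    """Return the enforcement profile of the first matching rule, else the default."""
    for rule in policy:
        if rule.matches(attrs):
            return rule.enforcement_profile
    return DEFAULT_PROFILE


def after_profiling(policy: List[Rule], attrs: Attrs, category: str, ownership: str) -> str:
    """Simulate profiling filling in the endpoint record, then the CoA re-evaluation."""
    updated = dict(attrs)
    updated[CATEGORY] = category
    updated[OWNERSHIP] = ownership
    return evaluate(policy, updated)


# Constructed session attributes for four endpoints.
UNPROFILED: Attrs = {"Connection:Client-Mac-Address": "aa-bb-cc-00-00-01",
                     MEMBER_OF: "Domain Users|SmartDevice-Corp-Access"}
CORP_PHONE: Attrs = {**UNPROFILED, CATEGORY: "SmartDevice", OWNERSHIP: "Corporate"}
PERSONAL_PHONE: Attrs = {**UNPROFILED, CATEGORY: "SmartDevice", OWNERSHIP: "Personal"}
DOMAIN_PC: Attrs = {"Connection:Client-Mac-Address": "aa-bb-cc-00-00-02",
                    MEMBER_OF: "Domain Computers", CATEGORY: "Computer",
                    OWNERSHIP: "Corporate"}


if __name__ == "__main__":
    for label, policy in (("without top rule", build_policy(False)),
                          ("with top rule", build_policy(True))):
        print(f"{label}: unprofiled phone -> {evaluate(policy, UNPROFILED)}")
    print("after profiling + CoA ->",
          after_profiling(build_policy(True), UNPROFILED, "SmartDevice", "Corporate"))
```

Run it and the first line shows the failure mode from the question: without the top rule the unprofiled phone gets the policy default rather than any VLAN. With the top rule it lands in the profile-only role, and once the endpoint record carries a category and ownership the CoA re-evaluation returns the corporate VLAN. Rule order is the whole point: if the NOT_EXISTS rule were placed lower, a device-specific rule could never match an unprofiled endpoint anyway, but the default would still win.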