Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Restricting who can onboard a device in ClearPass

  • 1.  Restricting who can onboard a device in ClearPass

    Posted Jun 04, 2012 02:42 PM

    I was wondering if there was a way to restrict who may onboard a device in ClearPass?  I have ClearPass Onboard configured to authenticate users via Active Directory, but it seems that if anyone has an AD account, they'll be able to onboard a device.  If I allow that, things could get out of control really quick.

     

    I'd like to restrict that perhaps to just users in a particular AD group, or some other designator.

     

    Anyone know if that's possible?



  • 2.  RE: Restricting who can onboard a device in ClearPass

    EMPLOYEE
    Posted Jun 04, 2012 02:54 PM

    One way you could do this is to enable an authorization source and check an AD group for the initial registration auth to go through:

     

    Untitled.png

     

     



  • 3.  RE: Restricting who can onboard a device in ClearPass

    Posted Jun 04, 2012 03:16 PM

    If you wish to perform this authorization check directly from the Onboard server, you can place a conditional expression in the Authorization section of your Active Directory Authentication Server.

     

    Onboard autz.jpg

     

    In the Code field, enter the following PHP logic to check if the Active Directory authenticated user is a member of a sample BYOD group. As can be seen from the PHP code, the fully qualified name for the group must be changed to match the local deployment, and the user role is specified using the role ID of 3 in the return statement.

     

    The User Role id can be verified by browsing to RADIUS > User Roles and referencing the left most ID column to select the appropriate role for users belonging to this AD group.

     

    Hope this helps

     

    Cam.



  • 4.  RE: Restricting who can onboard a device in ClearPass

    Posted Jun 04, 2012 04:41 PM

    Thanks Colin and Cam.  Those are both great suggestions.  I'm not really familiar with what you can do with a role in ClearPass Onboard, so I went ahead and used Colin's suggestion.

     

    What I did was make a role/role mapping that if memberOf NOT Contains BYOD AND your authentication source is AD, then your role is NOT BYOD Onboarder.  In Enforcement, if your role is NOT BYOD Onboarder, then your returned Aruba role is No-Onboarding.  That Aruba role directs the user to a ClearPass page that says you're not allowed to onboard.

     

    Now, my problem is, CPPM seems to only pick up the AD groups in the first authentication and then always sticks with that.  So, if I have a user that's not in the BYOD group, he gets put in the NOT BYOD Onboarder role, which is correct.  But, if I add the user to that group, CPPM doesn't get that group membership.  The opposite happens as well.  If a user is in BYOD, CPPM picks that up the first time and allows the user to onboard.  But, if I remove them from that group, CPPM seems to still think they're in that group.



  • 5.  RE: Restricting who can onboard a device in ClearPass

    Posted Jun 04, 2012 05:46 PM

    So, I found that if I reboot the CPPM VM, correct role gets applied based on AD group membership.  But, it's only once.  If I change a user's group membership, I have to reboot CPPM to get the correct role applied.

     

    Using cached roles is disabled in enforcement, but CPPM must be caching something.  I suppose I'll open a case to figure this one out.



  • 6.  RE: Restricting who can onboard a device in ClearPass
    Best Answer

    EMPLOYEE
    Posted Jun 04, 2012 08:08 PM

    Navigate to the Configuration » Authentication » Sources screen, click on the AD authentication source to edit it, and click on the Clear Cache button.

     

    You can also set "Cache Timeout" to 0 seconds for your AD Authentication Source.  You should find this setting when you edit your AD Authentication Source. 

     


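The following is an added example, not ClearPass code and not from any poster in this thread. It models the role mapping and enforcement described in post 4 together with an authorization source that caches a user's AD attributes for a configurable timeout, so the stale-membership problem from posts 4 and 5 and the two fixes from post 6 (Cache Timeout of 0 and Clear Cache) can be seen on constructed data. The group DN, user names and the permitted Aruba role name "Onboarding" are assumptions.

```python
"""
Added example (not ClearPass code): models the role-mapping rule from this
thread and the authorization-cache behaviour behind the stale-group problem.
Group DN, user names and the 'Onboarding' role label are assumptions.
"""
from dataclasses import dataclass, field

# Assumed full distinguished name of the BYOD group.  Matching the whole DN
# avoids a bare "BYOD" substring also matching groups such as "NotBYOD".
BYOD_GROUP_DN = "CN=BYOD,OU=Groups,DC=example,DC=com"


class Directory:
    """Constructed stand-in for Active Directory: user -> set of memberOf DNs."""

    def __init__(self, members):
        self._members = {user: set(groups) for user, groups in members.items()}

    def member_of(self, user):
        return set(self._members.get(user, ()))

    def add_to_group(self, user, group_dn):
        self._members.setdefault(user, set()).add(group_dn)

    def remove_from_group(self, user, group_dn):
        self._members.get(user, set()).discard(group_dn)


@dataclass
class AuthorizationSource:
    """AD authorization source with a per-user attribute cache.

    cache_timeout_s models the ClearPass 'Cache Timeout' setting: attributes
    fetched for a user are reused until the timeout expires; 0 disables caching.
    """
    directory: Directory
    cache_timeout_s: int
    _cache: dict = field(default_factory=dict)  # user -> (fetched_at, groups)

    def member_of(self, user, now):
        entry = self._cache.get(user)
        if entry is not None and self.cache_timeout_s > 0:
            fetched_at, groups = entry
            if now - fetched_at < self.cache_timeout_s:
                return set(groups)  # served from cache, possibly stale
        groups = self.directory.member_of(user)
        self._cache[user] = (now, groups)
        return set(groups)

    def clear_cache(self):
        """Equivalent of the 'Clear Cache' button on the authentication source."""
        self._cache.clear()


def map_role(groups, auth_source):
    """Role mapping from post 4: memberOf NOT Contains BYOD AND source is AD
    -> 'NOT BYOD Onboarder'; otherwise the user may onboard."""
    in_byod = any(BYOD_GROUP_DN in dn for dn in groups)  # 'Contains' = substring
    if auth_source == "AD" and not in_byod:
        return "NOT BYOD Onboarder"
    return "BYOD Onboarder"


def enforce(role):
    """Enforcement from post 4: the NOT role gets the Aruba role No-Onboarding.
    'Onboarding' as the permitted Aruba role is an assumed name."""
    return "No-Onboarding" if role == "NOT BYOD Onboarder" else "Onboarding"


def decide(source, user, now):
    """Full decision for one onboarding attempt authenticated against AD."""
    return enforce(map_role(source.member_of(user, now), "AD"))


def membership_change_scenario(cache_timeout_s):
    """alice (in BYOD) and bob (not in BYOD) each onboard once; then alice is
    removed from BYOD and bob is added; both retry 60 s later.
    Returns the Aruba roles before and after the membership change."""
    ad = Directory({"alice": {BYOD_GROUP_DN}, "bob": set()})
    source = AuthorizationSource(ad, cache_timeout_s)
    before = {u: decide(source, u, now=0) for u in ("alice", "bob")}
    ad.remove_from_group("alice", BYOD_GROUP_DN)
    ad.add_to_group("bob", BYOD_GROUP_DN)
    after = {u: decide(source, u, now=60) for u in ("alice", "bob")}
    return before, after


def clear_cache_scenario():
    """Same removal with a long cache timeout, but the admin clears the cache
    before the retry, so the revoked user is denied."""
    ad = Directory({"alice": {BYOD_GROUP_DN}})
    source = AuthorizationSource(ad, cache_timeout_s=3600)
    decide(source, "alice", now=0)
    ad.remove_from_group("alice", BYOD_GROUP_DN)
    source.clear_cache()
    return decide(source, "alice", now=60)


if __name__ == "__main__":
    print("cache 3600 s:", membership_change_scenario(3600))  # stale decisions
    print("cache 0 s:   ", membership_change_scenario(0))     # follows AD
    print("after clear: ", clear_cache_scenario())
```

With a non-zero timeout the decision for both users stays what it was at first authentication, which is exactly the symptom in posts 4 and 5: a user removed from BYOD keeps onboarding, and a user added to it is still refused. A timeout of 0 or a cache clear makes the next lookup go back to AD. The trade-off a practitioner should weigh is that a timeout of 0 sends a directory query on every authentication, so on a busy deployment a short non-zero timeout bounds the revocation lag instead.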

  • 7.  RE: Restricting who can onboard a device in ClearPass

    Posted Jun 05, 2012 11:56 AM

    Setting the cache timeout to "0" worked perfectly.  Thanks Colin.



  • 8.  RE: Restricting who can onboard a device in ClearPass

    EMPLOYEE
    Posted Jul 23, 2014 04:37 AM

    @cjoseph wrote:

    One way you could do this is to enable an authorization source and check an AD group for the initial registration auth to go through:

     

    Untitled.png

     

     


    What service would you define this rule in?  Would it be in the PreAuth or Authorization service for the onboard?

     

    I'm looking to define a rule for a customer that allows all users to onboard, but only devices that are corporate owned and MDM managed.  The clearpass is currently integrated with their Airwatch.

     

    I guess the rule would be something like 

     

    Authorization:Endpoint:Ownership = Corporate and Authorization:Endpoint:MDM Enabled = True then Role = Register-Device



  • 9.  RE: Restricting who can onboard a device in ClearPass

    Posted Sep 17, 2014 05:23 PM

    I am also confused as to where to add the group membership check. I used the onboard template to create my onboarding service. Right now it allows anyone in AD to onboard. I want to restrict it so the user has to be a member of a certain group, i.e. byod_group. 

    Can anyone help shed some light on the best location for this check?

    thanks again,

    j



  • 10.  RE: Restricting who can onboard a device in ClearPass

    EMPLOYEE
    Posted Sep 17, 2014 05:32 PM

    In your onboard authorization service enforcement profile.

    Use AD as your authorization source and say groups equals , allow access profile.