Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Restricting who can onboard a device in ClearPass

I was wondering if there was a way to restrict who may onboard a device in ClearPass?  I have ClearPass Onboard configured to authenticate users via Active Directory, but it seems that if anyone has an AD account, they'll be able to onboard a device.  If I allow that, things could get out of control really quick.

 

I'd like to restrict that perhaps to just users in a particular AD group, or some other designator.

 

Anyone know if that's possible?

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Restricting who can onboard a device in ClearPass

One way you could do this is to enable an authorization source and check an AD group for the initial registration auth to go through:

 

Untitled.png

 

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Moderator
Posts: 150
Registered: ‎11-14-2011

Re: Restricting who can onboard a device in ClearPass

If you wish to perform this authorization check directly from the Onboard server, you can place a conditional expression in the Authorization section of your Active Directory Authentication Server.

 

Onboard autz.jpg

 

In the Code field, enter the following PHP logic to check if the Active Directory authenticated user is a member of a sample BYOD group. As can be seen from the PHP code, the fully qualified name for the group must be changed to match the local deployment, and the user role is specified using the role ID of 3 in the return statement.

 

The User Role id can be verified by browsing to RADIUS > User Roles and referencing the left most ID column to select the appropriate role for users belonging to this AD group.

 

Hope this helps

 

Cam.
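An added example of the kind of PHP group check Cam describes (not Cam's original code, which was attached as an image). It assumes Onboard exposes the authenticated user's AD attributes as an array `$user` with `memberOf` holding the group DNs, and that returning `false` denies authorization; both are assumptions to confirm against your Onboard version.

```php
<?php
// Added example, not ClearPass Onboard's own code. Assumed: $user holds the
// AD attributes of the authenticated user, and $user['memberOf'] is the list
// of group distinguished names returned by the Active Directory server.

// Change this to the fully qualified DN of the BYOD group in your deployment.
$byod_group_dn = 'CN=BYOD,OU=Groups,DC=example,DC=com';   // placeholder value

// AD returns memberOf as a single string when the user is in only one group,
// so normalise it to an array before iterating.
$groups = isset($user['memberOf']) ? (array) $user['memberOf'] : array();

foreach ($groups as $dn) {
    // DNs are not case sensitive; trim stray whitespace before comparing.
    if (strcasecmp(trim($dn), $byod_group_dn) === 0) {
        // 3 is the User Role ID taken from RADIUS > User Roles, as in the post.
        return 3;
    }
}

// No BYOD group match: deny authorization so this user cannot onboard.
return false;
```

Verify the role ID in RADIUS > User Roles after any change, since the number is deployment specific.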

Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Restricting who can onboard a device in ClearPass

Thanks Colin and Cam.  Those are both great suggestions.  I'm not really familiar with what you can do with a role in Clearpass Onboard, so I went ahead and used Colin's suggestion.

 

What I did was make a role/role mapping such that if memberOf NOT Contains BYOD AND your authentication source is AD, then your role is NOT BYOD Onboarder.  In Enforcement, if your role is NOT BYOD Onboarder, then your returned Aruba role is No-Onboarding.  That Aruba role directs the user to a ClearPass page that says you're not allowed to onboard.

 

Now, my problem is, CPPM seems to only pick up the AD groups in the first authentication and then always sticks with that.  So, if I have a user that's not in the BYOD group, he gets put in the NOT BYOD Onboarder role, which is correct.  But, if I add the user to that group, CPPM doesn't get that group membership.  The opposite happens as well.  If a user is in BYOD, CPPM picks that up the first time and allows the user to onboard.  But, if I remove them from that group, CPPM seems to still think they're in that group.

Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Restricting who can onboard a device in ClearPass

So, I found that if I reboot the CPPM VM, correct role gets applied based on AD group membership.  But, it's only once.  If I change a user's group membership, I have to reboot CPPM to get the correct role applied.

 

Using cached roles is disabled in enforcement, but CPPM must be caching something.  I suppose I'll open a case to figure this one out.

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Restricting who can onboard a device in ClearPass

Navigate to the Configuration » Authentication » Sources screen, click on the AD authentication source to edit it and click on the Clear Cache button.

 

You can also set "Cache Timeout" to 0 seconds for your AD Authentication Source.  You should find this setting when you edit your AD Authentication Source. 

 

Colin Joseph
Aruba Customer Engineering

Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Restricting who can onboard a device in ClearPass

Setting the cache timeout to "0" worked perfectly.  Thanks Colin.

Aruba
Posts: 1,279
Registered: ‎08-29-2007

Re: Restricting who can onboard a device in ClearPass

cjoseph wrote:

One way you could do this is to enable an authorization source and check an AD group for the initial registration auth to go through:

 

Untitled.png

 

 


What service would you define this rule in?  Would it be in the PreAuth or Authorization service for the onboard?

 

I'm looking to define a rule for a customer that allows all users to onboard, but only devices that are corporate owned and MDM managed.  The clearpass is currently integrated with their Airwatch.

 

I guess the rule would be something like 

 

Authorization:Endpoint:Ownership = Corporate AND Authorization:Endpoint:MDM Enabled = True then Role = Register-Device


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Occasional Contributor I
Posts: 6
Registered: ‎08-07-2014

Re: Restricting who can onboard a device in ClearPass

I am also confused as to where to add the group membership check. I used the onboard template to create my onboarding service. Right now it allows anyone in AD to onboard. I want to restrict it so the user has to be a member of a certain group, i.e. byod_group.

Can anyone help shed some light on the best location for this check?

thanks again,

j

Guru Elite
Posts: 7,844
Registered: ‎09-08-2010

Re: Restricting who can onboard a device in ClearPass

In your onboard authorization service enforcement profile.

Use AD as your authorization source and say groups equals , allow access profile.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP