Occasional Contributor I
Posts: 6
Registered: ‎09-09-2011

Role Derivation with Onboarding.

Hi Guys.

 

I've configured Onboarding with an Aruba Controller. I tested it and it works fine, but only with the authenticated role. Now I want to go beyond that and do role derivation, but at this time I can't make it work.

 

I want to send back to the controller 5 different user roles, but differentiating computers from smart devices.

I'm using the local user database, so I created the users locally; the roles directors, coordinators, systems and administrator were assigned to different users.

 

I don't know if I have to modify the default ONBOARDING post-provisioning enforcement profile.

Could someone enlighten me about this topic?

 

thanks.

Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: Role Derivation with Onboarding.

lcornelio,

 

What you can do will depend on the service that you have already configured to authenticate onboarded clients, as well as what information is being returned from that authentication. If the onboarded device is being profiled during onboarding and there is an OS or OS category for that device in ClearPass, you can use a role mapping policy to later trigger an enforcement policy that sends an enforcement profile that would set the Aruba role during authentication.

 



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Role Derivation with Onboarding.


You may have done this already, but in order for ClearPass to get the device fingerprint you need to add the ClearPass IP address as a DHCP relay under the SVI on your Core or Distribution switch, or wherever that SVI lives:

 

interface vlan 2
 ip address 192.168.2.1 255.255.255.0
 ip helper-address <ClearPass Server Address>

You need to add the Endpoint Database as an Authorization Source.

2014-12-05 09_55_11-ClearPass Policy Manager - Aruba Networks.png

Then you create a rule with a condition like:
Authorization: Endpoint Database > Category > SmartDevice or Computer

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
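Added example (not from the thread, and not ClearPass code): a simplified model of the evaluation order the two replies above describe. The local user database is the authentication source, the endpoint repository (populated only for devices whose DHCP reached ClearPass through the helper address) is the authorization source, a role mapping policy turns attributes from both into roles, and an enforcement policy picks the enforcement profile whose Aruba-User-Role goes back to the controller. All users, MAC addresses, role names and profile names are constructed; the fallback profile models the wizard's "authenticated" role that the poster sees today.

```python
"""Simplified model of ClearPass service evaluation:
authentication source -> authorization source -> role mapping ->
enforcement policy -> enforcement profile. Constructed example only."""
from dataclasses import dataclass

# Local user database (constructed; only galeman / SISTEMAS appears in the thread).
LOCAL_USERS = {
    "galeman": {"Role": "SISTEMAS"},
    "mlopez": {"Role": "directors"},
}

# Endpoint repository keyed by MAC. Category is only present for devices
# whose DHCP traffic was relayed to ClearPass (the ip helper-address step).
ENDPOINTS = {
    "aa:bb:cc:00:00:01": {"Category": "Computer", "OS Family": "Windows"},
    "aa:bb:cc:00:00:02": {"Category": "SmartDevice", "OS Family": "Apple"},
}


@dataclass(frozen=True)
class Request:
    username: str
    mac: str


def collect_attributes(req):
    """Authenticate against the local DB, then enrich the request with the
    endpoint repository as an authorization source. None = auth failure."""
    user = LOCAL_USERS.get(req.username)
    if user is None:
        return None
    attrs = {"LocalUser:Role": user["Role"]}
    endpoint = ENDPOINTS.get(req.mac.lower())
    if endpoint is not None:
        attrs["Endpoint:Category"] = endpoint["Category"]
        attrs["Endpoint:OS Family"] = endpoint["OS Family"]
    return attrs


# Role mapping policy in "evaluate all" mode: every matching rule adds its
# role, so a request can carry a device role and a user-group role at once.
ROLE_MAPPING = [
    (lambda a: a.get("Endpoint:Category") == "Computer", "Computer"),
    (lambda a: a.get("Endpoint:Category") == "SmartDevice", "SmartDevice"),
    (lambda a: a.get("LocalUser:Role") == "SISTEMAS", "Sistemas"),
    (lambda a: a.get("LocalUser:Role") == "directors", "Directors"),
]
DEFAULT_ROLE = "[Other]"


def map_roles(attrs):
    roles = {role for cond, role in ROLE_MAPPING if cond(attrs)}
    return roles if roles else {DEFAULT_ROLE}


# Enforcement policy in "first applicable" mode: the first rule whose
# required roles are all present selects the enforcement profile.
ENFORCEMENT_POLICY = [
    ({"Sistemas", "Computer"}, "Aruba-Role-sistemas-pc"),
    ({"Sistemas", "SmartDevice"}, "Aruba-Role-sistemas-mobile"),
    ({"Directors", "Computer"}, "Aruba-Role-directors-pc"),
    ({"Directors", "SmartDevice"}, "Aruba-Role-directors-mobile"),
]
# Fallback for anything unmatched, e.g. a device that was never fingerprinted.
DEFAULT_PROFILE = "Aruba-Role-authenticated"

# Enforcement profiles: the RADIUS attribute each profile returns (constructed names).
ENFORCEMENT_PROFILES = {
    "Aruba-Role-sistemas-pc": {"Aruba-User-Role": "sistemas-pc"},
    "Aruba-Role-sistemas-mobile": {"Aruba-User-Role": "sistemas-mobile"},
    "Aruba-Role-directors-pc": {"Aruba-User-Role": "directors-pc"},
    "Aruba-Role-directors-mobile": {"Aruba-User-Role": "directors-mobile"},
    "Aruba-Role-authenticated": {"Aruba-User-Role": "authenticated"},
}


def evaluate(req):
    """Return (RADIUS result, returned attributes) for one request."""
    attrs = collect_attributes(req)
    if attrs is None:
        return "Access-Reject", {}
    roles = map_roles(attrs)
    for required, profile in ENFORCEMENT_POLICY:
        if required <= roles:
            return "Access-Accept", dict(ENFORCEMENT_PROFILES[profile])
    return "Access-Accept", dict(ENFORCEMENT_PROFILES[DEFAULT_PROFILE])


if __name__ == "__main__":
    for req in (Request("galeman", "aa:bb:cc:00:00:01"),
                Request("galeman", "aa:bb:cc:00:00:02"),
                Request("galeman", "aa:bb:cc:00:00:99"),  # never fingerprinted
                Request("nobody", "aa:bb:cc:00:00:01")):
        print(req, "->", evaluate(req))
```

The third request is the case to watch for in production: a device whose DHCP never reached ClearPass has no Category, matches no device rule, and silently falls through to the fallback profile. If that happens for every client, the helper address or DHCP relay is the first thing to check, not the policy.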
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Role Derivation with Onboarding.

Here's an example:

 

2014-12-04 07_40_24-Chrome Remote Desktop.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 6
Registered: ‎09-09-2011

Re: Role Derivation with Onboarding.

Hi Vic.

 

 

Thanks for your response. Let me say first that this is my first experience with ClearPass. I configured the service with the Onboard wizard; this wizard generated 3 services.

 

Captura de pantalla 2014-12-05 a las 10.04.17.png

 

I understand the last one, ONBOARDING provisioning, is the service that sends the User-Role back to the controller. I think I must clone this last profile and make the changes there.

 

I've already configured the DHCP relay on the controller VLAN 1 to send DHCP broadcasts to ClearPass.

 

Let me show you in order what I did, with images.

 

First I created a test user: galeman, with role SISTEMAS and the SISTEMAS-DEP attribute.

Captura de pantalla 2014-12-05 a las 10.24.36.png

 

 

Then I created a Role Mapping like this one. (At this point the Endpoint Repository was missing as an authorization source in the service.) Now I have added the Endpoint Repository as an authentication source.

Captura de pantalla 2014-12-05 a las 10.32.10.png

This role mapping was added to the ONBOARDING post-provisioning service.

 

 

Captura de pantalla 2014-12-05 a las 10.37.56.png

 

The enforcement policy used here is the default generated by the wizard.

 

 

Captura de pantalla 2014-12-05 a las 10.45.40.png

 


The enforcement policy generated by the wizard is this one:

 

 

Captura de pantalla 2014-12-05 a las 10.47.10.png

 

The Allow Access profile is just a RADIUS-ACCEPT, and WIIMAS-ONBOARD post provisioning
sends the authenticated role back to the controller.

 

Captura de pantalla 2014-12-05 a las 10.51.41.png

The other enforcement profile:

 

Captura de pantalla 2014-12-05 a las 10.52.47.png

 

I understand that role mapping and posture define the enforcement policy, and this last one is defined by the enforcement profile.

 

 

About the answer you sent, Fabian, regarding the rules: I think I must generate a new enforcement profile with rules like yours. Is that correct? If you see something wrong let me know; any advice will be welcome.

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Role Derivation with Onboarding.

"About the answer you sent, Fabian, regarding the rules: I think I must generate a new enforcement profile with rules like yours. Is that correct? If you see something wrong let me know; any advice will be welcome."

 

Yeah, you create your own enforcement policy to match the flow of your preference.

 

But before you do that, you should create the different enforcement profiles you need (either to send a VLAN or a Role) based on certain criteria.

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
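Added example (not from the thread, and not ClearPass code) of what the two kinds of enforcement profile mentioned above put on the wire in the RADIUS Access-Accept: a Role profile returns the Aruba vendor-specific attribute Aruba-User-Role (vendor ID 14823, vendor type 1), while a VLAN profile returns the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple. ClearPass builds these from the profile you configure in the GUI; the encoder and decoder here are constructed to show the byte layout and to reject a malformed attribute instead of reading past its end. The role name and VLAN ID are made up.

```python
"""Encode/decode the RADIUS attributes behind a Role or VLAN enforcement
profile. Constructed example; values are not from any real deployment."""
import struct

VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1                      # vendor type inside the Aruba VSA
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
TUNNEL_NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type"}


def attribute(attr_type, value):
    """One RADIUS AVP: Type(1) Length(1) Value; Length includes the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def aruba_vsa(vendor_type, value):
    """Vendor-Specific (26) wrapping one Aruba sub-attribute."""
    if len(value) > 247:                 # 253 minus vendor-id(4) and type/len(2)
        raise ValueError("VSA value too long")
    inner = struct.pack("!IBB", ARUBA_VENDOR_ID, vendor_type, len(value) + 2) + value
    return attribute(VENDOR_SPECIFIC, inner)


def role_profile(role_name):
    """Enforcement profile that sets the controller user role."""
    return aruba_vsa(ARUBA_USER_ROLE, role_name.encode("ascii"))


def vlan_profile(vlan_id, tag=0):
    """Enforcement profile that assigns a VLAN. Each Tunnel-* value starts
    with a one-byte tag (0 = untagged, RFC 2868); the enumerated ones
    carry a 3-byte value after it, the group ID carries a string."""
    vlan = str(int(vlan_id)).encode("ascii")
    tag_byte = struct.pack("!B", tag)
    return (attribute(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attribute(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attribute(TUNNEL_PRIVATE_GROUP_ID, tag_byte + vlan))


def decode(blob):
    """Parse a run of AVPs into (name, value) pairs, unwrapping Aruba-User-Role.
    Raises ValueError on a truncated or inconsistent length field."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE and vlen == len(value) - 4:
                out.append(("Aruba-User-Role", value[6:].decode("ascii")))
            else:
                out.append(("Vendor-Specific", value))
        elif attr_type in TUNNEL_NAMES and len(value) == 4:
            out.append((TUNNEL_NAMES[attr_type], int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and len(value) >= 1:
            out.append(("Tunnel-Private-Group-ID", value[1:].decode("ascii")))
        else:
            out.append((attr_type, value))
        i += length
    return out


def is_well_formed(blob):
    """True when every AVP in blob has a consistent length field."""
    try:
        decode(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(role_profile("sistemas-pc").hex(), decode(role_profile("sistemas-pc")))
    print(vlan_profile(20).hex(), decode(vlan_profile(20)))
```

The role name you return has to exist on the controller; a profile that returns a role the controller does not know is accepted by ClearPass and fails only on the controller side, which is worth checking in the controller's logs before blaming the role mapping.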