Frequent Contributor I

Security concerns about sharing QuickConnect file

Hello community,

We're having some concerns regarding the sharing of the ClearPass QuickConnect file between Windows machines. As we have tested, after logging in successfully at the Onboard portal, a user (let's say user1) is prompted to download a QuickConnect file and use that file to install the profile on his machine. He will then have a certificate with CN = user1 and MAC = user1's machine. If user1 shares that QuickConnect file with user2 and user2 runs that file on his machine, he will also have a certificate with CN = user1, but MAC = user2's machine.

How do we prevent this situation from happening? Is there a way to construct a policy on CPPM to stop it?

Thank you,

Frequent Contributor I

Re: Security concerns about sharing QuickConnect file

Hi all,

I believe I have a working solution for this issue. Will do more testing later.

1) At the Onboard Authorization rule, add a Post_Authentication enforcement profile (along with [Allow Application Access Profile]) to add a new attribute: Endpoint:Username = %{Authentication:Username}

2) Add the following rules to role mapping:

    Endpoint:Username  NOT_EXISTS
    OR  Endpoint:Username  NOT_EQUALS  %{Certificate:Subject-CN}
    --> assign role "Invalid Certificate"

3) On the enforcement policy, add the following rule:

    Tips:Role  EQUALS  Invalid Certificate  --> [Deny Access Profile]

Thank you,
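As an added illustration (not ClearPass code, and not part of the original reply), the following Python simulates the evaluation logic the three steps above describe: the post-authentication profile writes Endpoint:Username, the role mapping flags a missing or mismatched value against Certificate:Subject-CN, and enforcement denies that role. The attribute names mirror the post; the in-memory endpoint store, MAC addresses and the Request class are constructed for the example.

```python
"""Simulation of the three-step ClearPass policy described in the reply.

Constructed example: an in-memory endpoint database keyed by MAC plus the
post-auth write, role mapping and enforcement steps. It demonstrates why a
certificate enrolled by user1 but presented from another MAC is denied.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

INVALID_ROLE = "Invalid Certificate"
ALLOW = "[Allow Application Access Profile]"
DENY = "[Deny Access Profile]"

# Constructed endpoint database: MAC address -> {attribute name: value}.
EndpointDB = Dict[str, Dict[str, str]]


@dataclass
class Request:
    """Subset of the request attributes the policy looks at (constructed)."""
    auth_username: str                      # Authentication:Username
    mac: str                                # endpoint MAC address
    cert_subject_cn: Optional[str] = None   # Certificate:Subject-CN (EAP-TLS)


def onboard_post_auth(db: EndpointDB, req: Request) -> None:
    """Step 1: after a successful Onboard login, record Endpoint:Username."""
    db.setdefault(req.mac, {})["Username"] = req.auth_username


def role_mapping(db: EndpointDB, req: Request) -> Set[str]:
    """Step 2: Endpoint:Username NOT_EXISTS OR NOT_EQUALS Certificate:Subject-CN."""
    roles: Set[str] = set()
    endpoint_user = db.get(req.mac, {}).get("Username")
    if endpoint_user is None or endpoint_user != req.cert_subject_cn:
        roles.add(INVALID_ROLE)
    return roles


def enforcement(roles: Set[str]) -> str:
    """Step 3: Tips:Role EQUALS Invalid Certificate -> deny, otherwise allow."""
    return DENY if INVALID_ROLE in roles else ALLOW


def evaluate(db: EndpointDB, req: Request) -> str:
    """Run role mapping and enforcement for one network access request."""
    return enforcement(role_mapping(db, req))


def scenario():
    """Three cases: own machine, shared file on a new MAC, shared file on a
    MAC enrolled by a different user. Returns the three enforcement results."""
    db: EndpointDB = {}

    # user1 onboards on their own machine; the certificate CN is user1.
    onboard_post_auth(db, Request("user1", "aa:bb:cc:00:00:01"))
    own = evaluate(db, Request("user1", "aa:bb:cc:00:00:01", cert_subject_cn="user1"))

    # user2 ran user1's QuickConnect file: CN = user1, but this MAC never
    # went through Onboard, so Endpoint:Username does not exist.
    shared = evaluate(db, Request("user1", "aa:bb:cc:00:00:02", cert_subject_cn="user1"))

    # user2 onboarded as user2 earlier, then installed user1's profile:
    # Endpoint:Username (user2) does not equal Certificate:Subject-CN (user1).
    onboard_post_auth(db, Request("user2", "aa:bb:cc:00:00:03"))
    mismatch = evaluate(db, Request("user1", "aa:bb:cc:00:00:03", cert_subject_cn="user1"))

    return own, shared, mismatch


if __name__ == "__main__":
    for label, result in zip(("own machine", "shared, new MAC", "shared, other user's MAC"), scenario()):
        print(f"{label}: {result}")
```

The NOT_EXISTS branch matters as much as the NOT_EQUALS one: a machine that never went through Onboard has no Endpoint:Username at all, and without that check the mismatch test alone would never fire for it. The follow-up reply in this thread reports that writing the Endpoint attribute during Onboard did not work in practice, so the simulation shows the intended logic rather than a confirmed ClearPass configuration.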

Frequent Contributor I

Re: Security concerns about sharing QuickConnect file

Hi all,

Actually, it didn't work as I expected. I cannot add a new Endpoint attribute during the Onboard process, as described above. Is there any way to do it (update an Endpoint attribute during Onboard)?

Thank you,
