Segregate different companies on same ClearPass

  • 1.  Segregate different companies on same ClearPass

    Posted May 19, 2015 03:34 AM

    As a service provider we have multiple companies running on our controller and ClearPass installation within our office building.

    We're looking for a good way to segregate the different companies in the same MAC auth database. Where we're at currently:

    - 1 controller and 1 ClearPass, all SSIDs are currently up with no auth.

    - Roles for each company defined in clearpass and added to [Guest Roles] so they show up in guest part of Clearpass.

     

    The idea now is to create users manually in Guest and define each user with a role (CompanyA_users CompanyB_users etc).

    Create a service based on the "Guest Authentication with MAC Caching" wizard for each company as well as a web page for the initial web login for each company (or maybe just 1 page?).

     

    But from here on out I'm a bit unsure about the correct approach. By default now, without doing anything, CompanyA_users will be able to log on to the web page, get their MAC address cached and then access their SSID with MAC auth; however, they will also be able to log on to any other SSID on the controller that also uses MAC auth.

    Meaning CompanyA_users can just double-click the SSID of CompanyB and gain access.

     

    My initial thought was to tick the "Customize attributes stored with the endpoint" option in the WebLogin and maybe use the e-mail address in the ClearPass service, but that limits things a bit as there MIGHT be cases where they want to add users outside their organization and we would need to edit the service each time.

    Maybe I can use the role I assign the users during account creation (CompanyA_users "mapped" to CompanyA SSID)? If so, how? :)



  • 2.  RE: Segregate different companies on same ClearPass

    EMPLOYEE
    Posted May 19, 2015 07:33 AM
    You can use a combination of customer role IDs and custom endpoint attributes to accomplish this.


    Thanks,
    Tim


  • 3.  RE: Segregate different companies on same ClearPass

    Posted May 19, 2015 08:17 AM

    Yeah, anything more specific? :) I guess I'm on the right track, just not 100% sure about the details.

    For example, should I pick up something with "Customize attributes stored with the endpoint" under web logins, if so what?

    Hunting for a bit of detailed explanation, or if someone has a link to a step-by-step guide/explanation that would be great as well.



  • 4.  RE: Segregate different companies on same ClearPass
    Best Answer

    EMPLOYEE
    Posted May 19, 2015 08:25 AM
    In your guest roles role mapping, add in a new guest role for each company.

    Modify your registration pages to use that guest ID.

    Update your enforcement policies to use the new role IDs.

    Are you working with an Aruba Partner?





    Thanks,
    Tim


  • 5.  RE: Segregate different companies on same ClearPass

    Posted May 19, 2015 12:30 PM

    We are a (small) Aruba Partner, but ClearPass is a new field of "interest", so I'm on a quite steep learning curve here - love it - :)

     

    I'll set up a couple of different test SSIDs using role/role ID to see how it goes, thanks for the pointer.

     

    -Helge



  • 6.  RE: Segregate different companies on same ClearPass

    Posted May 20, 2015 05:29 AM

    This worked fine. Didn't have to add any attributes in the web login.

    Just differentiating on the roles and enforcement for each service.

    Not sure I need all of this, but it seems to give me what I wanted: a segregation of different companies on the same controller/ClearPass in the same MAC/user database.

     

    Jumping between SSIDs sends me to the Captive Portal for login; jumping back to the previous SSID without logging in on the CP page logs me in directly (MAC auth shows in Access Tracker).

    Jumping back to the previous SSID after CP login redirects me to the CP page, and access denied for MAC auth shows in Access Tracker.

     

    MAC auth service

    Roles: Role ID 4 gives role CustomerA_users

    Enforcement:

    Conditions ---- Enforcement Profiles
    1. (Tips:Role MATCHES_ALL [MAC Caching][User Authenticated] CustomerA_users) ---- [Allow Access Profile], CustomerA Employee Profile
    2. (GuestUser:Role ID EQUALS 4) ---- [Allow Access Profile], CustomerA Captive Portal Profile

     

    Captive portal initial login:

    Roles: Role ID 4 gives role CustomerA_users

    Enforcement:

    Conditions ---- Enforcement Profiles
    1. (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 4) ---- [Deny Access Profile]
    2. (GuestUser:Role ID EQUALS 4)
       AND (Date:Day-of-Week BELONGS_TO Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday) ---- CustomerA MAC Caching Session Timeout, CustomerA MAC Caching Bandwidth Limit, CustomerA MAC Caching Session Limit, CustomerA Employee MAC Caching, [Update Endpoint Known], CustomerA MAC Caching Do Expire, CustomerA MAC Caching Expire Post Login, CustomerA Employee Profile
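The following is an added model (not ClearPass code and not posted by anyone in the thread) of the two services above, written to show why a CompanyA user lands on deny when MAC auth runs on CompanyB's SSID: each SSID's service only maps its own Guest role ID to a company role, so the shared MAC/user database does no harm. Role ID 4 and the CustomerA names come from the post; role ID 5, the CustomerB names and the SSID names are constructed.

```python
from dataclasses import dataclass

# One ClearPass service per SSID; each only accepts its own company's Guest
# role ID. Role ID 4 / CustomerA are from the thread; 5 / CustomerB are constructed.
SERVICES = {
    "CustomerA-WLAN": {"name": "CustomerA", "role_id": 4, "role": "CustomerA_users"},
    "CustomerB-WLAN": {"name": "CustomerB", "role_id": 5, "role": "CustomerB_users"},
}
MAX_DEVICES = 4  # Unique-Device-Count GREATER_THAN 4 -> deny (from the post)

@dataclass
class Request:
    ssid: str
    guest_role_id: int     # GuestUser:Role ID of the account that owns the MAC
    mac_cached: bool       # endpoint already carries [MAC Caching] + [User Authenticated]
    device_count: int = 1  # Authorization:[Endpoints Repository]:Unique-Device-Count

def tips_roles(req: Request, svc: dict) -> set:
    """Role mapping: the company role is only assigned when the Guest role ID
    matches the role ID this particular service was built for."""
    roles = set()
    if req.guest_role_id == svc["role_id"]:
        roles.add(svc["role"])
    if req.mac_cached:
        roles.update({"[MAC Caching]", "[User Authenticated]"})
    return roles

def mac_auth(req: Request) -> list:
    """MAC auth service enforcement: rules evaluated top down, first match wins."""
    svc = SERVICES[req.ssid]
    roles = tips_roles(req, svc)
    # Rule 1: Tips:Role MATCHES_ALL [MAC Caching] [User Authenticated] <company role>
    if {"[MAC Caching]", "[User Authenticated]", svc["role"]} <= roles:
        return ["[Allow Access Profile]", f"{svc['name']} Employee Profile"]
    # Rule 2: GuestUser:Role ID EQUALS this company's role ID -> captive portal
    if req.guest_role_id == svc["role_id"]:
        return ["[Allow Access Profile]", f"{svc['name']} Captive Portal Profile"]
    return ["[Deny Access Profile]"]  # default profile: another company's user

def captive_portal_login(req: Request) -> list:
    """Captive portal service: device cap first, then the company check.
    The Day-of-Week condition lists every day, so it is always true here."""
    svc = SERVICES[req.ssid]
    if req.device_count > MAX_DEVICES:
        return ["[Deny Access Profile]"]
    if req.guest_role_id == svc["role_id"]:
        return ["[Update Endpoint Known]", f"{svc['name']} Employee MAC Caching",
                f"{svc['name']} Employee Profile"]
    return ["[Deny Access Profile]"]  # default profile
```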