Occasional Contributor II
Posts: 10
Registered: ‎12-05-2011

Segregate different companies on same ClearPass


As a service provider we have multiple companies running on our controller and ClearPass installation within our office building.

We're looking for a good way to segregate the different companies in the same MAC auth database. Where we're at currently:

- 1 controller and 1 ClearPass, all SSIDs are up, currently no-auth.

- Roles for each company defined in ClearPass and added to [Guest Roles] so they show up in the Guest part of ClearPass.

 

The idea now is to create users manually in Guest and define each user with a role (CompanyA_users, CompanyB_users, etc.).

Create a service based on the "Guest Authentication with MAC Caching" wizard for each company, as well as a web page for the initial web login for each company (or maybe just 1 page?).

 

But from here on out I'm a bit unsure about the correct approach. By default now, without doing anything, CompanyA_users will be able to log on to the web page, get their MAC address cached and then access their SSID with MAC auth; however, they will also be able to log on to any other SSID on the controller that also uses MAC auth.

Meaning CompanyA_users can just double-click the SSID of CompanyB and gain access.

 

My initial thought was to tick "Customize attributes stored with the endpoint" in the WebLogin and maybe use the e-mail address in the ClearPass service, but that limits things a bit as there MIGHT be cases where they want to add users outside their organization and we would need to edit the service each time.

Maybe I can use the role I assign the users during account creation (CompanyA_users "mapped" to CompanyA SSID)? If so, how? :)

Guru Elite
Posts: 8,185
Registered: ‎09-08-2010

Re: Segregate different companies on same ClearPass

You can use a combination of customer role IDs and custom endpoint attributes to accomplish this.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 10
Registered: ‎12-05-2011

Re: Segregate different companies on same ClearPass

Yeah, anything more specific? :) I guess I'm on the right track, just not 100% sure about the details.

For example, should I pick up something with "Customize attributes stored with the endpoint" under web logins, and if so, what?

Hunting for a bit of detailed explanation, or if someone has a link to a step-by-step guide/explanation that would be great as well.

Guru Elite
Posts: 8,185
Registered: ‎09-08-2010

Re: Segregate different companies on same ClearPass

In your guest roles role mapping, add a new guest role for each company.

Modify your registration pages to use that guest ID.

Update your enforcement policies to use the new role IDs.

Are you working with an Aruba Partner?





Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 10
Registered: ‎12-05-2011

Re: Segregate different companies on same ClearPass

We are a (small) Aruba Partner, but ClearPass is a new field of "interest", so I'm on a quite steep learning curve here - love it - :)

 

I'll set up a couple of different test SSIDs using role/role ID to see how it goes, thanks for the pointer.

 

-Helge

Occasional Contributor II
Posts: 10
Registered: ‎12-05-2011

Re: Segregate different companies on same ClearPass

This worked fine. Didn't have to add any attributes in the web login.

Just differentiating on the roles and enforcement for each service.

Not sure I need all of this, but it seems to give me what I wanted: a segregation of different companies on the same controller/ClearPass in the same MAC/user database.

 

Jumping between SSIDs sends me to the Captive Portal for login; jumping back to the previous SSID without logging in on the CP page logs me in directly (MAC auth shows in Access Tracker).

Jumping back to the previous SSID after CP login redirects me to the CP page, and access denied for MAC auth shows in Access Tracker.

 

MAC auth service

Roles: Role ID 4 gives role CustomerA_users

Enforcement:

Conditions ---- Enforcement Profiles
1. (Tips:Role MATCHES_ALL [MAC Caching] [User Authenticated] CustomerA_users) ---- [Allow Access Profile], CustomerA Employee Profile
2. (GuestUser:Role ID EQUALS 4) ---- [Allow Access Profile], CustomerA Captive Portal Profile

 

Captive portal initial login:

Roles: Role ID 4 gives role CustomerA_users

Enforcement:

Conditions ---- Enforcement Profiles
1. (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 4) ---- [Deny Access Profile]
2. (GuestUser:Role ID EQUALS 4) AND (Date:Day-of-Week BELONGS_TO Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday) ---- CustomerA MAC Caching Session Timeout, CustomerA MAC Caching Bandwidth Limit, CustomerA MAC Caching Session Limit, CustomerA Employee MAC Caching, [Update Endpoint Known], CustomerA MAC Caching Do Expire, CustomerA MAC Caching Expire Post Login, CustomerA Employee Profile
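The policy Helge posted above can be hard to follow from the two rule tables alone, so here is an added, simplified model of it in Python. This is example code written for this thread, not ClearPass code or any Aruba API; it assumes a second company (CustomerB, Guest Role ID 5) and constructed usernames and MAC addresses so that the segregation can be exercised. The point it shows is that each company's services map only their own Guest Role ID to a Tips:Role, so a CustomerA account presented on CustomerB's SSID matches no enforcement rule and falls through to the default [Deny Access Profile], while an expired MAC cache on the right SSID still matches rule 2 and sends the device back to the captive portal.

```python
"""Simplified model of the per-company MAC-caching policy from the thread.

Added example, not ClearPass code. Assumptions (not from the thread):
CustomerB with Guest Role ID 5, the sample usernames and MACs below, and
a plain default [Deny Access Profile] when no rule matches.
"""
from dataclasses import dataclass

# Constructed Guest account database: username -> Guest Role ID
GUEST_USERS = {
    "alice@companya.example": 4,   # Role ID 4 -> CustomerA_users (from the thread)
    "bob@companyb.example": 5,     # Role ID 5 -> CustomerB_users (assumed)
}

MAX_DEVICES = 4   # Unique-Device-Count GREATER_THAN 4 -> deny (from the thread)


@dataclass
class Endpoint:
    username: str          # stored by [Update Endpoint Known] at portal login
    mac_cache_valid: bool  # False once the "MAC Caching Do Expire" profile has run


@dataclass
class Service:
    """One 'Guest Authentication with MAC Caching' service pair per company."""
    ssid: str
    role_id: int           # the only Guest Role ID this service's role mapping knows
    company_role: str      # Tips:Role produced by that mapping
    employee_profile: str
    portal_profile: str


SERVICE_A = Service("CompanyA", 4, "CustomerA_users",
                    "CustomerA Employee Profile", "CustomerA Captive Portal Profile")
SERVICE_B = Service("CompanyB", 5, "CustomerB_users",
                    "CustomerB Employee Profile", "CustomerB Captive Portal Profile")


class EndpointRepository:
    """Stand-in for [Endpoints Repository]: MAC -> cached endpoint attributes."""

    def __init__(self):
        self.by_mac = {}

    def device_count(self, username):
        return sum(1 for e in self.by_mac.values() if e.username == username)

    def expire(self, mac):
        self.by_mac[mac].mac_cache_valid = False


def portal_login(repo, service, username, mac):
    """Captive-portal service: rule 1 caps devices per account, rule 2 caches the MAC."""
    role_id = GUEST_USERS.get(username)
    if role_id is None:
        return ["[Deny Access Profile]"]          # unknown account
    # Rule 1: Unique-Device-Count GREATER_THAN 4 -> a fifth distinct device is denied
    if mac not in repo.by_mac and repo.device_count(username) >= MAX_DEVICES:
        return ["[Deny Access Profile]"]
    # Rule 2: GuestUser:Role ID EQUALS this company's ID. The Day-of-Week clause
    # lists every day, so it is always true and is left out here.
    if role_id == service.role_id:
        repo.by_mac[mac] = Endpoint(username, mac_cache_valid=True)   # [Update Endpoint Known]
        return ["[Update Endpoint Known]", service.employee_profile]
    return ["[Deny Access Profile]"]              # other company's account on this portal


def mac_auth(repo, service, mac):
    """MAC-auth service for service.ssid: returns the enforcement profiles applied."""
    ep = repo.by_mac.get(mac)
    if ep is None:
        return ["[Deny Access Profile]"]          # unknown endpoint: no rule matches
    role_id = GUEST_USERS.get(ep.username)
    tips_roles = {"[User Authenticated]"}
    if ep.mac_cache_valid:
        tips_roles.add("[MAC Caching]")
    if role_id == service.role_id:                # this service's role mapping
        tips_roles.add(service.company_role)
    # Rule 1: Tips:Role MATCHES_ALL [MAC Caching] [User Authenticated] <company role>
    if {"[MAC Caching]", "[User Authenticated]", service.company_role} <= tips_roles:
        return ["[Allow Access Profile]", service.employee_profile]
    # Rule 2: GuestUser:Role ID EQUALS this company's ID -> back to the portal
    if role_id == service.role_id:
        return ["[Allow Access Profile]", service.portal_profile]
    return ["[Deny Access Profile]"]              # default: the other company's users


if __name__ == "__main__":
    repo = EndpointRepository()
    alice_mac = "aa:bb:cc:00:00:01"               # constructed
    portal_login(repo, SERVICE_A, "alice@companya.example", alice_mac)
    print("CompanyA SSID:", mac_auth(repo, SERVICE_A, alice_mac))
    print("CompanyB SSID:", mac_auth(repo, SERVICE_B, alice_mac))
    repo.expire(alice_mac)
    print("CompanyA SSID after expiry:", mac_auth(repo, SERVICE_A, alice_mac))
```

Walking a constructed CustomerA device through this shows the behaviour Helge reports: after the portal login it passes MAC auth on CompanyA's SSID, is denied on CompanyB's SSID because that service's role mapping never yields CustomerA_users, and after the cache expires it is sent back to CompanyA's captive portal rather than denied.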
