Occasional Contributor II
Posts: 11
Registered: ‎06-23-2015

Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

Hi everyone,

(Please be warned, I'm extremely new to using Aruba CPPM, so if my question seems painfully basic, you'll know why.)

We have a cluster of 2 CPPM appliances in our environment that have done very basic authentication (EAP-PEAP, MSCHAPv2) across many different domains for wireless access. The way that it is deployed today is as follows:

  1. User attempts to join our wireless network.
  2. CPPM identifies the user based on their domain, and then looks to see if they belong to a certain AD user group (this is done within various Role Mappings).
  3. If they belong to this group (varies slightly per-domain), then CPPM grants them the default "Allow Access" profile for RADIUS.

Yes, it's very, very simple. This environment was set up for us many years ago by a consultant, and has seen zero improvement/tweaking since then. As I've inherited it, I'd like to improve upon the level of security we have today, as anyone can bring ANY device into our environment and join it to our corporate wireless network, as long as the user account they use to log in (where required; for example, on an Android device/iPhone) is a member of the proper AD user group.


What I'm interested in doing is requiring a user authentication request to only be permitted if (1) the user him or herself is a member of a specific AD user group, and (2) the computer they are using (corporate-provided) is a member of a specific AD computer group. Does that make sense (I hope)?

Please note that we are NOT using Aruba's wireless hardware, or solution of any kind. We're using Cisco Meraki APs that are pointing to Aruba CPPM for RADIUS authentication. So, it's a very limited deployment, Aruba-specific-wise.

Presently, I'm struggling with how to identify computers, and their AD group membership. It seems that (given our present configuration) I can only identify user-based attributes, since that is what I'm primarily searching in AD for. But, surely there has to be a way to identify computer AD group membership. I just need a way to identify computer attributes (and the computer the user is using to authenticate) as well.

Please let me know if there is more info I should be providing you that might help you to answer my question here.

Many, many thanks for your help in advance.

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

This is a fairly advanced scenario. You essentially have to update the endpoint database with a custom attribute that says the computer is in the specific group, since we can't obtain that information during a user authentication.

Are you working with an Aruba partner?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 517
Registered: ‎05-11-2011

Re: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

Hello!

As Tim said, that's a fairly advanced scenario, though not necessarily complex to implement.

One reason why you're only seeing User attributes might be that the clients themselves are configured to only do User authentication. Change a client to do "Machine or User authentication" and you should start getting some more data in Access Tracker you can use. There are several guides on this forum for how to work with machine authentication.


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

This should help you get started:

[screenshot: crescent_rolemap.PNG]

[screenshot: crescent_enforcement.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 11
Registered: ‎06-23-2015

Re: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

These are both very solid starting points -- thank you both for your help and answers.

I need to spend some time playing with the info that a client machine will send CPPM, because as it stands, I'm not getting anywhere near the info I should be getting (as I'm using only "User authentication" under my wireless network's Advanced Settings; I should be using "User and machine authentication" instead).

Will let you know how I make out. Thanks again, and hope you both have a great weekend.

Occasional Contributor II
Posts: 16
Registered: ‎09-16-2014

Re: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

I have a very similar scenario where I want user authentication and the computer that they are using checked if it has an AD account.

Did you get yours working?

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

The screenshots above should help you...

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 11
Registered: ‎06-23-2015

Re: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

Hey @Goofoff,

I only just now began testing this, but so far, I haven't had much luck. One of the issues I'm having right now is how to tell CPPM to check AD, to see if the machine doing the authentication is in the desired AD group. The problem with doing this is, what exactly do I tell CPPM to check based on? In other words, how would CPPM know anything about the machine, other than its MAC address? (It wouldn't.)

So, I'm trying to figure out a way to take the endpoint itself (the machine), and then somehow query AD to find out if the machine is in the desired AD group.

If anyone has any suggestions... please let me know. I'm pretty stuck at the moment.
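The pattern Tim describes earlier in the thread (tag the endpoint record during the machine authentication, then require both the user's AD group and that cached endpoint tag during the user authentication) is exactly what the question in this post is circling: during a user authentication the only handle CPPM has on the device is its MAC, so the computer-group result has to be written to the endpoint database beforehand. Below is a small Python model of that two-phase check. It is an added example, not ClearPass code and not taken from any post in the thread; the AD group names, user and computer accounts, MAC addresses and the custom endpoint attribute name are all constructed, and the 24-hour freshness window is an assumption added to show why a cached machine result should not be trusted indefinitely.

```python
"""Model of a two-phase wireless authorization decision.

Phase 1 (machine authentication): if the computer account is in the
corporate computer group, write a custom attribute onto the endpoint
record keyed by MAC. Phase 2 (user authentication): allow only if the
user is in the wireless user group AND the endpoint record carries a
fresh tag from phase 1. Not ClearPass's own API; all names are made up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed stand-in for what an AD authorization source would return.
# Keys are sAMAccountNames; computer accounts end in "$".
AD_MEMBER_OF = {
    "alice": {"Wireless-Users", "Domain Users"},
    "bob": {"Domain Users"},                       # not permitted on wireless
    "LAPTOP-01$": {"Corporate-Laptops", "Domain Computers"},
    "LAPTOP-02$": {"Domain Computers"},           # domain-joined, wrong group
}

USER_GROUP = "Wireless-Users"          # constructed AD user group
COMPUTER_GROUP = "Corporate-Laptops"   # constructed AD computer group
ENDPOINT_ATTR = "Corporate-Machine"    # hypothetical custom endpoint attribute
MAX_AGE = timedelta(hours=24)          # assumption: how long a machine result is trusted


@dataclass
class Endpoint:
    mac: str
    attributes: Dict[str, str] = field(default_factory=dict)
    last_machine_auth: Optional[datetime] = None


class EndpointDB:
    """Minimal stand-in for the endpoint database, keyed by MAC."""
    def __init__(self) -> None:
        self._by_mac: Dict[str, Endpoint] = {}

    def get(self, mac: str) -> Endpoint:
        return self._by_mac.setdefault(mac, Endpoint(mac))


def machine_auth(db: EndpointDB, mac: str, computer_account: str, now: datetime) -> str:
    """Phase 1: tag the endpoint if the computer is in COMPUTER_GROUP,
    otherwise make sure no stale tag survives on that MAC."""
    ep = db.get(mac)
    if COMPUTER_GROUP in AD_MEMBER_OF.get(computer_account, set()):
        ep.attributes[ENDPOINT_ATTR] = "true"
        ep.last_machine_auth = now
        return "allow"
    ep.attributes.pop(ENDPOINT_ATTR, None)
    ep.last_machine_auth = None
    return "deny"


def user_auth(db: EndpointDB, mac: str, username: str, now: datetime) -> str:
    """Phase 2: user group AND a fresh endpoint tag are both required."""
    if USER_GROUP not in AD_MEMBER_OF.get(username, set()):
        return "deny: user not in %s" % USER_GROUP
    ep = db.get(mac)
    if ep.attributes.get(ENDPOINT_ATTR) != "true":
        return "deny: endpoint never passed machine auth"
    if ep.last_machine_auth is None or now - ep.last_machine_auth > MAX_AGE:
        return "deny: machine auth result is stale"
    return "allow"


def demo() -> Dict[str, str]:
    """Walk through the cases raised in the thread and return the outcomes."""
    db = EndpointDB()
    t0 = datetime(2015, 7, 1, 8, 0)
    corp, noncorp, phone = "00:11:22:33:44:01", "00:11:22:33:44:02", "aa:bb:cc:dd:ee:01"
    results = {}
    # Corporate laptop does machine auth at boot, then alice logs in.
    machine_auth(db, corp, "LAPTOP-01$", t0)
    results["alice_on_corp_laptop"] = user_auth(db, corp, "alice", t0 + timedelta(minutes=1))
    # Valid user on a personal phone: no machine record exists for that MAC.
    results["alice_on_phone"] = user_auth(db, phone, "alice", t0)
    # Machine passed, but the user is not in the wireless group.
    results["bob_on_corp_laptop"] = user_auth(db, corp, "bob", t0)
    # Domain-joined laptop that is not in the corporate computer group.
    machine_auth(db, noncorp, "LAPTOP-02$", t0)
    results["alice_on_noncorp_laptop"] = user_auth(db, noncorp, "alice", t0)
    # Two days later with no new machine auth: the cached tag has aged out.
    results["alice_stale"] = user_auth(db, corp, "alice", t0 + timedelta(days=2))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26s} {outcome}")
```

Running it shows the one case that passes (corporate laptop, then a permitted user) beside the four that fail: a permitted user on a personal phone, a non-permitted user on a corporate laptop, a domain-joined laptop outside the computer group, and a laptop whose last machine authentication is older than the freshness window. The freshness check is the piece most easily forgotten when the decision relies on a cached attribute rather than a live lookup.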

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

So you're looking to use Machine authentication data during the User authentication?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 11
Registered: ‎06-23-2015

Re: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

I should also mention that I'm working through this guide right now, for testing purposes, to see how close it gets me to what I'm after (based on the initial description/overview, it looks really close):

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass/td-p/208471

Hope this helps you, @Goofoff.
