06-26-2015 05:35 AM
(Please be warned, I'm extremely new to using Aruba CPPM, so if my question seems painfully basic, you'll know why.)
We have a cluster of 2 CPPM appliances in our environment that have done very basic authentication (EAP-PEAP, MSCHAPv2) across many different domains for wireless access. The way that it is deployed today is as follows:
- User attempts to join our wireless network.
- CPPM identifies the user based on their domain, and then looks to see if they belong to a certain AD user group (this is done within various Role Mappings).
- If they belong to this group (varies slightly per-domain), then CPPM grants them the default "Allow Access" profile for RADIUS.
Yes, it's very, very simple. This environment was set up for us many years ago by a consultant, and has seen zero improvement/tweaking since then. As I've inherited it, I'd like to improve upon the level of security we have today, as anyone can bring ANY device into our environment and join it to our corporate wireless network, as long as the user account they use to log in (where required; for example, on an Android device/iPhone) is a member of the proper AD user group.
What I'm interested in doing is requiring a user authentication request to only be permitted if (1) the user him or herself is a member of a specific AD user group, and (2) the computer they are using (corporate-provided) is a member of a specific AD computer group. Does that make sense (I hope)?
Please note that we are NOT using Aruba's wireless hardware, or solution of any kind. We're using Cisco Meraki APs that are pointing to Aruba CPPM for RADIUS authentication. So, it's a very limited deployment, Aruba-specific-wise.
Presently, I'm struggling with how to identify computers, and their AD group membership. It seems that (given our present configuration) I can only identify user-based attributes, since that is what I'm primarily searching in AD for. But, surely there has to be a way to identify computer AD group membership. I just need a way to identify computer attributes (and the computer the user is using to authenticate) as well.
Please let me know if there is more info I should be providing you that might help you to answer my question here.
Many, many thanks for your help in advance.
06-26-2015 05:53 AM
Are you working with an Aruba partner?
06-26-2015 06:27 AM
As Tim said, that's a fairly advanced scenario, though not necessarily complex to implement.
One reason why you're only seeing User attributes might be that the clients themselves are configured to only do User authentication. Change a client to do "Machine or User authentication" and you should start getting some more data in Access Tracker you can use. There are several guides on this forum for how to work with machine authentication.
-ACMX #316 :: ACCP-
Intelecom - Norway
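The two-phase check the thread is circling around (machine authentication first, then user authentication that only passes on a machine-authenticated endpoint), as an added Python model that is not ClearPass's own code or configuration. The AD contents, MAC addresses, group names and the 24-hour cache window are constructed assumptions; the `host/<name>.<domain>` identity form is what a Windows supplicant presents during PEAP machine authentication, and the computer account is looked up by its `NAME$` sAMAccountName.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the AD authentication source: account -> memberOf groups.
# Computer accounts are stored with a trailing '$' (e.g. LAPTOP01$).
AD = {
    "jsmith": {"Wireless-Users"},
    "LAPTOP01$": {"Corp-Laptops"},
    "BYOD-PC$": set(),            # domain-joined, but not in the corporate group
}
MACHINE_AUTH_TTL = timedelta(hours=24)   # assumed cache window, constructed
endpoints = {}                           # MAC -> time of last successful machine auth

def ad_groups(account):
    return AD.get(account, set())

def authenticate(identity, mac, now):
    """Decide one EAP-PEAP/MSCHAPv2 request.

    Machine auth presents 'host/<name>.<domain>' and is checked against the
    computer's AD group; success tags the endpoint (MAC) as machine-authenticated.
    User auth presents 'DOMAIN\\user' or 'user@domain' and must satisfy both the
    user's AD group and a fresh machine-auth tag on the same endpoint.
    """
    if identity.startswith("host/"):
        host = identity[len("host/"):].split(".")[0].upper() + "$"
        if "Corp-Laptops" in ad_groups(host):
            endpoints[mac] = now
            return "ALLOW (machine)"
        return "REJECT (machine not in Corp-Laptops)"
    user = identity.split("\\")[-1].split("@")[0]
    if "Wireless-Users" not in ad_groups(user):
        return "REJECT (user not in Wireless-Users)"
    last = endpoints.get(mac)
    if last is None or now - last > MACHINE_AUTH_TTL:
        return "REJECT (endpoint not machine-authenticated)"
    return "ALLOW (user + corporate machine)"
```

A supplicant set to user-only authentication never sends the `host/` identity, so the endpoint tag is never created and the user phase is rejected even for a member of the right group.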
06-26-2015 06:57 AM
06-26-2015 10:51 AM
These are both very solid starting points -- thank you both for your help and answers.
I need to spend some time playing with the info that a client machine will send CPPM, because as it stands, I'm not getting anywhere near the info I should be getting (as I'm using only "User authentication" under my wireless network's Advanced Settings; I should be using "User and machine authentication" instead).
Will let you know how I make out. Thanks again, and hope you both have a great weekend.
07-20-2015 05:28 PM
I have a very similar scenario where I want user authentication and the computer that they are using checked if it has an AD account.
Did you get yours working?
07-20-2015 05:30 PM
11-19-2015 08:04 AM
I only just now began testing this, but so far, I haven't had much luck. One of the issues I'm having right now is how to tell CPPM to check AD, to see if the machine doing the authentication is in the desired AD group. The problem with doing this is, what exactly do I tell CPPM to check based on? In other words, how would CPPM know anything about the machine, other than its MAC address? (It wouldn't.)
So, I'm trying to figure out a way to take the endpoint itself (the machine), and then somehow query AD to find out if the machine is in the desired AD group.
If anyone has any suggestions... please let me know. I'm pretty stuck at the moment.
11-19-2015 08:08 AM
11-19-2015 08:23 AM
I should also mention that I'm working through this guide right now, for testing purposes, to see how close it gets me to what I'm after (based on the initial description/overview, it looks really close):
Hope this helps you, @Goofoff.