MVP

Using ClearPass guest device registration for additional authorization of 802.1X devices

I'm looking to enhance our existing 802.1X service. We place all devices into a shared pool. I've built device registration using ClearPass guest. What I'm looking to do is leverage the device registration so that when an 802.1X authentication completes successfully, ClearPass looks to see if it is a registered device and if so, implement policy based on that registration.

 

I've added the "[Guest Device Repository]" as an additional authorization source, and also tried adding a reference to the Guest Device Repository in my role mapping. However, it seems the only attributes pulled out of the guest device repository are "Account Status" and "Sponsor Name". Is it expected that I add additional SQL filters to the [Guest Device Repository] in order to leverage the other items used in the guest registration page(s)? In <6.3.x, I could see all the attributes associated with a registered device from CPPM's perspective. Now that the "Guest Users" and "Guest Devices" have been removed, the CPPM perspective of attributes is invisible to me.

How is it suggested I make this work?

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite

Re: Using ClearPass guest device registration for additional authorization of 802.1X devices

Add the Guest User Repository.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: Using ClearPass guest device registration for additional authorization of 802.1X devices

That has no effect.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University

Re: Using ClearPass guest device registration for additional authorization of 802.1X devices

You could apply a custom attribute (Post Authentication Enforcement Profile) "Register=Yes" to the Endpoint database on the Service you are using for the Guest registration page, and once the device gets registered, use that attribute to make any decisions.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: Using ClearPass guest device registration for additional authorization of 802.1X devices

Ryan - When you add the Guest User Repository, you should be able to use all of these attributes:

guest-user.png


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: Using ClearPass guest device registration for additional authorization of 802.1X devices

Ah, I was using the "Authorization:[Guest User Repository]" instead of just "GuestUser". Thanks for pointing that out. I'll play around with this now and should be able to get it to work.

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
MVP

Re: Using ClearPass guest device registration for additional authorization of 802.1X devices

Old post, but.. Did you ever get this to work - and if so - how? I'm looking at the exact same scenario..

I'm not getting any GuestUser values to use for authorization.


Regards
John Solberg

-ACMX #316 :: ACCP :: ACSA
Aruba Partner Ambassador
Intelecom Group - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP

Re: Using ClearPass guest device registration for additional authorization of 802.1X devices

 

Been trying this back and forth with no success. Contacted Aruba TAC and still unable to get this to work.

So - I'm down to using Static Host List instead, which works - even though it's not ideal.

If this is doable - please share the details ;)


Regards
John Solberg

-ACMX #316 :: ACCP :: ACSA
Aruba Partner Ambassador
Intelecom Group - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP

Re: Using ClearPass guest device registration for additional authorization of 802.1X devices

Sorry you're having issues. I just looked in my lab and with "GuestUser", I have all the custom attributes I created (e.g., "osu_affiliation"). See the screen shot.

Screen Shot 2015-10-29 at 12.30.18 PM.png

I also went into the guest side for that field and took screen shots in hopes that it helps you. Perhaps it has to be a certain type of field (e.g., string)?

Screen Shot 2015-10-29 at 12.31.18 PM.png

Screen Shot 2015-10-29 at 12.31.29 PM.png

 

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
MVP

Re: Using ClearPass guest device registration for additional authorization of 802.1X devices

Thanks for the reply, Ryan.

Problem isn't to create the rule, but actually getting those attributes during the auth process for the rule to match against.

In my service I've added both [Guest device repository] and [Guest User Repository] as Authorization sources. AD is authentication/authorization source.

I created the device in Guest as Guest Device (with a custom field).

Connecting the device to the 802.1x SSID triggers the service and all wanted attributes from AD and [Guest Device Repository]. No attributes are available/visible in Access Tracker from [Guest User Repository], and thus the rule cannot get a match for them.

So I'm wondering what else you had to do to actually get those attributes.

 


Regards
John Solberg

-ACMX #316 :: ACCP :: ACSA
Aruba Partner Ambassador
Intelecom Group - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!