New Contributor
Posts: 4
Registered: ‎07-08-2014

Using OnGuard for multiple authorizations

Hello,


  I'm wondering if something is possible and I'm just missing how to do it.


  Ideally, we want to do the following:


User logs in via 802.1X and, based on user directory attributes, is given a role (Staff, Affiliate, etc.).

Then, based on their role and other attributes, we decide which role to send to the aruba controllers.

The other attributes should ideally include: existence of their device in our enterprise inventory system (this is an SQL lookup, and I already have this piece working); OnGuard health status (AV enabled/updated, firewall enabled/updated); AND whether or not a specific internal application is installed.


So User A is staff, their device is in inventory, it's healthy and has the application installed, so they get the controller role Staff-Managed-WithApp. If the app is not installed they get Staff-Managed-Base. If the device is unhealthy, regardless of whether the app is installed or not, they get Staff-Quarantined. These roles then control access to various resources internally.


My question is: is this possible? It doesn't look like it is from what I can see in the OnGuard configuration, but maybe I'm missing something.

Guru Elite
Posts: 8,036
Registered: ‎09-08-2010

Re: Using OnGuard for multiple authorizations

Yes, but you'll need an interim role to allow for limited access for when OnGuard is scanning the computer.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor

Re: Using OnGuard for multiple authorizations

I think I already have that covered with the role mapping/enforcement profiles.


What I don't understand is how to handle the posture tokens so I can say:

Healthy Device, WithApp = Posture Token Healthy (0)

Healthy Device, NoApp = Posture Token Whatever (5)

Unhealthy Device, WithApp = Posture Token Quarantine (20)

Unhealthy Device, NoApp = Posture Token Quarantine (20)


It seems the options are only based on whether you pass or fail all, or one or more, checks. Failing this check is worth 5 points, failing this one is worth 20.

Guru Elite

Re: Using OnGuard for multiple authorizations

You can write individual enforcement rules based on individual OnGuard checks.


For example:

[screenshot: posture-applications.PNG]

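To make the decision logic discussed in this thread concrete, here is an added example (not ClearPass configuration and not code posted by either participant) that models the poster's target role table as an ordered, first-match rule list, which is how a ClearPass enforcement policy evaluates its rules. It includes the interim role from the first answer for the window before OnGuard has reported, and it derives per-check outcomes rather than a single pass/fail, in the spirit of the second answer. The attribute names, the Staff-Interim and Staff-Unmanaged role names, and the sample requests are assumptions for illustration; the numeric posture token values are the ones ClearPass assigns to HEALTHY, QUARANTINE and UNKNOWN, but verify them against your Policy Manager version.

```python
"""
Added example: enforcement decision as an ordered, first-match rule list.
Not ClearPass configuration; role names and attribute names are assumed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Posture token values as ClearPass assigns them (verify for your version).
HEALTHY, QUARANTINE, UNKNOWN = 0, 20, 100


@dataclass
class Request:
    role: str                              # role from directory attributes (Staff, Affiliate, ...)
    in_inventory: bool                     # result of the SQL inventory lookup
    checks: Optional[dict] = None          # per-check OnGuard results, None until the agent reports
    app_installed: Optional[bool] = None   # OnGuard "installed application" check result


def check_token(passed: bool) -> int:
    """Token contributed by one individual health check."""
    return HEALTHY if passed else QUARANTINE


def posture_token(req: Request) -> int:
    """Worst (highest) token across the individual checks; UNKNOWN before OnGuard has reported."""
    if req.checks is None:
        return UNKNOWN
    return max((check_token(ok) for ok in req.checks.values()), default=HEALTHY)


# (rule name, condition, controller role). Order matters: first match wins,
# so the quarantine rule sits above the app rules and overrides them.
Rule = tuple[str, Callable[[Request], bool], str]
STAFF_RULES: list[Rule] = [
    ("no posture yet",       lambda r: posture_token(r) == UNKNOWN,     "Staff-Interim"),        # assumed name
    ("unhealthy",            lambda r: posture_token(r) >= QUARANTINE,  "Staff-Quarantined"),
    ("not in inventory",     lambda r: not r.in_inventory,              "Staff-Unmanaged"),      # assumed name
    ("healthy with app",     lambda r: bool(r.app_installed),           "Staff-Managed-WithApp"),
    ("healthy without app",  lambda r: True,                            "Staff-Managed-Base"),
]


def enforce(req: Request, default_role: str = "Deny") -> tuple[str, str]:
    """Return (controller role, name of the rule that fired). Only the Staff rule set is modelled."""
    if req.role != "Staff":
        return default_role, "role is not Staff"
    for name, cond, role in STAFF_RULES:
        if cond(req):
            return role, name
    return default_role, "no rule matched"


# Constructed sample requests covering each row of the poster's table plus the interim case.
SAMPLES = {
    "healthy, with app":      Request("Staff", True, {"av": True, "firewall": True}, True),
    "healthy, no app":        Request("Staff", True, {"av": True, "firewall": True}, False),
    "av failing, with app":   Request("Staff", True, {"av": False, "firewall": True}, True),
    "firewall failing, no app": Request("Staff", True, {"av": True, "firewall": False}, False),
    "scan in progress":       Request("Staff", True, None, None),
    "healthy, not in inventory": Request("Staff", False, {"av": True, "firewall": True}, True),
    "affiliate":              Request("Affiliate", True, {"av": True, "firewall": True}, True),
}


def decision_table() -> dict:
    """Map each sample label to the role it would be sent to the controller with."""
    return {label: enforce(req)[0] for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        role, why = enforce(req)
        print(f"{label:28} token={posture_token(req):>3}  -> {role:24} ({why})")
```

The point of the ordering is the one the poster was after: a failing AV or firewall check produces a quarantine token that wins regardless of the application check, while the application check only differentiates between the two managed roles once the device is known to be healthy. Requests arriving before OnGuard has reported get the interim role rather than falling through to the healthy branch.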
New Contributor

Re: Using OnGuard for multiple authorizations

Thanks! That was the step I didn't know was available. Off to play.
