New Contributor

Using OnGuard for multiple authorizations

Hello,

 

I'm wondering if something is possible and I'm just missing how to do it.

Ideally, we want to do the following:

User logs in to 802.1X and, based on user directory attributes, is given a role (Staff, Affiliate, etc.).

Then, based on their role and other attributes, we decide which role to send to the aruba controllers.

The other attributes should ideally include: existence of their device in our enterprise inventory system (this is an SQL lookup, already have this piece working); OnGuard health status (AV enabled/updated, firewall enabled/updated); AND whether or not a specific internal application is installed.

 

So User A is staff, their device is in inventory, it's healthy and has the application installed, they get the controller role Staff-Managed-WithApp.  If the app is not installed they get Staff-Managed-Base.  If the device is unhealthy, regardless of App or not, they get Staff-Quarantined.  These roles then control access to various resources internally.

 

My question is: is this possible?  It doesn't look like it is from what I can see in the OnGuard configuration, but maybe I'm missing something.

Guru Elite

Re: Using OnGuard for multiple authorizations

Yes, but you'll need an interim role to allow for limited access for when
OnGuard is scanning the computer.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Using OnGuard for multiple authorizations

I think I already have that covered with the role mapping/enforcement profiles.

 

What I don't understand is how to handle the posture tokens so I can say:

Healthy Device, WithApp = Posture Token Healthy (0)

Healthy Device, NoApp = Posture Token Whatever (5)

Unhealthy Device, WithApp = Posture Token Quarantine (20)

Unhealthy Device, NoApp = Posture Token Quarantine (20)

 

It seems the options are only based on whether you pass or fail ALL or One or more.  Failing this check is worth 5 points, failing this one is worth 20.

Guru Elite

Re: Using OnGuard for multiple authorizations

You can write individual enforcement rules based on individual OnGuard checks.

 

For example:

[Image: posture-applications.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Using OnGuard for multiple authorizations

Thanks!  That was the step I didn't know was available.  Off to play.
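
The role logic discussed in this thread, modelled outside ClearPass as an added example (not from the original posts and not ClearPass configuration): ordered, first-match rules that combine directory role, inventory lookup, overall posture and the individual application check, plus a misordered copy showing why the quarantine rule has to come first. The field names, the `Interim` and `Unmanaged` role suffixes, the first-match evaluation and the choice to quarantine before checking inventory are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    role: str                # role from directory attributes, e.g. "Staff"
    in_inventory: bool       # result of the inventory SQL lookup
    posture: Optional[str]   # "Healthy", "Quarantine", or None while OnGuard is scanning
    app_installed: bool      # result of the individual application check


Rule = Tuple[Callable[[Session], bool], str]

# Ordered rules, first match wins (assumed evaluation model).
RULES: List[Rule] = [
    # No posture yet: limited interim access (hypothetical role suffix).
    (lambda s: s.posture is None, "Interim"),
    # Unhealthy wins over everything else, with or without the app.
    (lambda s: s.posture != "Healthy", "Quarantined"),
    # Healthy, managed device with the internal application present.
    (lambda s: s.in_inventory and s.app_installed, "Managed-WithApp"),
    # Healthy, managed device without the application.
    (lambda s: s.in_inventory, "Managed-Base"),
]
DEFAULT_SUFFIX = "Unmanaged"  # hypothetical fallback; the thread does not name one


def controller_role(s: Session, rules: List[Rule] = RULES) -> str:
    """Return the controller role for a session using first-match rules."""
    for condition, suffix in rules:
        if condition(s):
            return f"{s.role}-{suffix}"
    return f"{s.role}-{DEFAULT_SUFFIX}"


def misordered_rules() -> List[Rule]:
    """Same rules with the application checks placed before the posture checks."""
    return [RULES[2], RULES[3], RULES[0], RULES[1]]


if __name__ == "__main__":
    unhealthy_with_app = Session("Staff", True, "Quarantine", True)
    print(controller_role(unhealthy_with_app))                      # correct order
    print(controller_role(unhealthy_with_app, misordered_rules()))  # ordering mistake
```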
