Occasional Contributor II
Posts: 13
Registered: ‎03-09-2014

Wired On-board question

Currently we are onboarding all of our wired and wireless devices. The issue we have is with users who have never authenticated to a machine before.

We have a URL redirect for onboarding. They MAC-authenticate onto the network; the following is the ACL currently in place:

deny tcp any host <clearpass server>
deny ip any host <domain controller>
permit tcp any any eq www
permit tcp any any eq 443

I see hits on the ACL for the domain controller, but Windows still replies that the domain controller is not available. Any ideas?

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Wired On-board question

If you need users to be able to log into the computer, you need to ALLOW traffic to the domain controllers, not block it.

 

Just curious, why are you onboarding devices that are domain-joined (in your control)?

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 13
Registered: ‎03-09-2014

Re: Wired On-board question

It was requested from above for uniformity.  They want all devices onboarded.  We are using PEAP instead for multi-user machines.  

 

QuickConnect doesn't seem to provision PEAP very well though. We want it to do both user and machine auth, and want it to use the Windows credentials. I am having to configure those settings after the fact.

 

 

Maybe I am not understanding how url-redirect acls work. 

 

I thought anything permitted by the ACL is the traffic that gets redirected rather than passed. Thus on mine only HTTP and HTTPS traffic would be redirected and other traffic would pass as normal.

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Wired On-board question

QuickConnect is designed for BYOD devices. You will need to configure a separate provisioning setup for domain computers then figure out how to assign that profile to the machines. This could get very complex trying to combine user/machine auth with Onboard.

What kind of switch?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 13
Registered: ‎03-09-2014

Re: Wired On-board question

Cisco 3560 PoE 8 port running 12.2(55.3)SE8ES

MVP
Posts: 371
Registered: ‎01-14-2010

Re: Wired On-board question

Hi Sburnside1,

 

Are you able to get the Onboard Captive Portal to redirect when you plug into a switch port?

 

Thanks!

 

-Mike

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Wired On-board question

Your ACL looks correct (for a Cisco switch).

 

How many domain controllers do you have? Do you have either an object group with all of your DCs or an ACE entry for each DC? 

 

Also, are your DNS and DHCP servers on the DCs? If not, you'll need to allow those as well.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 13
Registered: ‎03-09-2014

Re: Wired On-board question

After testing with a user who was already logged in, I realized the issue: with port 443 redirecting as well, it prevented the login from happening. The ACL only needed to be the following:

deny tcp any host <clearpass ip>
permit tcp any any eq www

Permitting 443 was causing that traffic not to hit its destination. I thinned the ACL back to the basics and it now works.
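The redirect-ACL semantics argued over in this thread (first post's ACL versus the trimmed one above), as an added example that is not part of the original posts and not Aruba or Cisco code: a small Python evaluator for a Cisco IOS-style URL-redirect ACL. It models what the switch does with such an ACL: ACEs are checked top-down, first match wins, a matching permit means the flow is redirected to the captive portal, and a matching deny (or the implicit deny at the end) means the flow is forwarded normally. The ClearPass, domain-controller and client addresses, the sample flows and the port-keyword table are assumptions constructed for the demo; the first post's `ew 443` typo is what the parser's port-operator check rejects.

```python
"""Evaluate a Cisco IOS-style URL-redirect ACL offline (added example).

Semantics modelled: ACEs are checked top-down, first match wins; a
matching 'permit' means the flow is REDIRECTED to the captive portal,
a matching 'deny' means the flow is exempt and forwarded normally, and
no match (the implicit deny) also means forwarded normally.
Supported syntax: permit|deny ip|tcp|udp <src> <dst> [eq <port>], where
an address is 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of IOS port keywords accepted after 'eq' (assumption: enough for this thread).
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "smtp": 25, "ftp": 21}


@dataclass
class Ace:
    action: str                 # "permit" (redirect) or "deny" (exempt from redirect)
    proto: str                  # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from 'eq', None = any port


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A wildcard' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are host masks; ipaddress accepts 'addr/hostmask' directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t):
        if t[i] != "eq" or i + 1 >= len(t):
            raise ValueError(f"unsupported port operator in {line!r}")  # e.g. the 'ew 443' typo
        if t[1] == "ip":
            raise ValueError(f"'eq' needs tcp or udp, not ip: {line!r}")
        p = t[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return Ace(t[0], t[1], src, dst, dport)


def parse_acl(lines):
    """Parse an ACL body, skipping blank lines and IOS '!' comments."""
    return [parse_ace(line) for line in lines if line.strip() and not line.strip().startswith("!")]


def classify(acl, proto, src, dst, dport):
    """Return ('redirect'|'forward', matching ACE number, or None for the implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ("redirect" if ace.action == "permit" else "forward", n)
    return ("forward", None)   # implicit deny: not redirected, forwarded as normal


# Constructed addresses for the demo (not from the thread).
CLEARPASS, DC, CLIENT = "10.10.1.10", "10.10.1.20", "10.10.20.50"

ORIGINAL_ACL = parse_acl([           # first post's ACL, 'ew' corrected to 'eq'
    f"deny tcp any host {CLEARPASS}",
    f"deny ip any host {DC}",
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
])

TRIMMED_ACL = parse_acl([            # the ACL the poster ended up with
    f"deny tcp any host {CLEARPASS}",
    "permit tcp any any eq www",
])

# Constructed flows from the client: (label, proto, destination, dst port)
FLOWS = [
    ("Kerberos to DC",        "tcp", DC,            88),
    ("LDAP to DC",            "tcp", DC,            389),
    ("DNS to DC",             "udp", DC,            53),
    ("HTTPS to ClearPass",    "tcp", CLEARPASS,     443),
    ("HTTP to the internet",  "tcp", "203.0.113.7", 80),
    ("HTTPS to the internet", "tcp", "203.0.113.7", 443),
    ("RDP to a file server",  "tcp", "10.10.1.30",  3389),
]


def report(acl, name):
    print(f"--- {name}")
    for label, proto, dst, dport in FLOWS:
        verdict, n = classify(acl, proto, CLIENT, dst, dport)
        print(f"{label:24s} {verdict:8s} (ACE {n if n else 'implicit deny'})")


if __name__ == "__main__":
    report(ORIGINAL_ACL, "original ACL (permit 443 included)")
    report(TRIMMED_ACL, "trimmed ACL (http only)")
```

Running it shows the first-match rule in action: the exemptions for ClearPass and the domain controller must sit above the permit lines, otherwise a broad `permit tcp any any eq 443` would capture traffic to those hosts and send it to the portal instead. The model covers only the redirect ACL; it does not simulate the separate port ACL or dACL that decides what the port forwards at all.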

Contributor I
Posts: 25
Registered: ‎11-25-2013

Re: Wired On-board question


Hi sburnside1,

 

I have a similar wired redirect setup as you have described. Have you had any issues with a delay in the redirect? For instance if you open a web browser, it takes a few seconds before the redirect page comes up? 

 

Thanks,

Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: Wired On-board question

Can someone please advise me on how to do the redirect for both wired and wireless? Thanks.
