Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearPass - Assign authenticated user (in AD) with user roles and VLANs

  • 1.  clearPass - Assign authenticated user (in AD) with user roles and VLANs

    Posted Oct 22, 2013 09:48 PM

    Hi all, I'm hoping you can help with the issue I'm having.

    I set up ClearPass 6.2 and an 802.1X service with one SSID for both students and staff, and authenticate them through Active Directory.

    I want users to connect to the SSID, put in their AD credentials and, based on their user group within AD, be assigned the Staff or Student role and their own VLAN (staff VLAN and student VLAN).

    I got the user successfully connected to the SSID and authenticated, but the role mapping I have only assigns them one default role. How do I make the role mapping recognise the correct user group in AD and map the correct role, and then the correct VLAN/IP?

     

    Thank you

    Tuan

    dot1x aruba wireless service.jpg

     

    Role Mappings.jpg



  • 2.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    EMPLOYEE
    Posted Oct 22, 2013 10:00 PM

    You'll want to use the "MemberOf" attribute to map each group to the appropriate TIPS role (which you can create). Then in the enforcement profile, you tell it what actions to take based on the TIPS role. Think of the TIPS roles as "tagged" attributes in ClearPass that you can reference later to make policy decisions.

     

    Here's the "flow"

     

    ROLE MAPPING

    [AD Group] >>>> [TIPS Role]

     

    ENFORCEMENT PROFILE

    [TIPS Role] >>>> [Enforcement Policy]

     

    ENFORCEMENT POLICY

    [Enforcement Policy]  ===== Actions you want to take  (assign VLAN, return user role, etc)



  • 3.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    EMPLOYEE
    Posted Oct 22, 2013 10:00 PM

    So, a couple of different things.

     

    1. If you are going to do roles, you will need to make a condition that states

     

     

    role.png

     

     

    2. Your enforcement can be a simple Tips:Role CONTAINS student gets role A or VLAN A.

     

    role2.png

     

    Or, if you are not using a different authz source than AD or LDAP, you can skip the role mapping and use a simple

     

    role3.png



  • 4.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    Posted Oct 23, 2013 12:44 AM

    Thank you, I got it to map the correct role, but the VLAN mapping is not working. I created one enforcement policy like the one you showed, mapping VLAN 58 for staff and VLAN 64 for students (see pics). But when users connect and get their role, only VLAN 58 IP addresses get assigned, regardless of staff or student. What did I miss?

     

    Enforcement Policy

    Enforcement Policy.jpg

     

    Enforcement Profile

    Enforcement profile - VLAN58.jpg

     

    Thank you

    Tuan



  • 5.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    EMPLOYEE
    Posted Oct 23, 2013 12:52 AM
    In Access Tracker, can you post a screenshot of the student? The first tab should show what role the user is getting assigned.


  • 6.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    EMPLOYEE
    Posted Oct 23, 2013 12:54 AM
    And also your role mapping in the service. How are you assigning the role of student or employee?


  • 7.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    Posted Oct 23, 2013 01:02 AM

    Hi, I attached the Access Tracker and the role assignment in the 802.1X service. I noticed that Access Tracker shows the enforcement profile as blank, even though I did set an enforcement profile in the service?

     

    ROLE MAPPING IN 802.1X SERVICE

    ParadeWifi Role.jpg

     

     

    ACCESS TRACKER

    Access Tracker.jpg



  • 8.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    EMPLOYEE
    Posted Oct 23, 2013 01:05 AM
    What does the Output tab show?


  • 9.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    Posted Oct 23, 2013 01:07 AM

    Output tab shows:

     

    Enforcement Profile: -

    System Posture Status: UNKNOWN (100)

    Audit Posture Status: UNKNOWN (100)

     

    Thank you

     



  • 10.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    EMPLOYEE
    Posted Oct 23, 2013 01:11 AM
    Try a quick test and change the enforcement condition to "contains" instead of "equals". It's odd that it is not showing an enforcement. Is the bar labeled RADIUS Response there? If it is, what is the response it is sending?


  • 11.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    Posted Oct 23, 2013 01:25 AM

    The Enforcement Policy does not have an option for "contains"?

     

    Enforcement policy rules.jpg



  • 12.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    EMPLOYEE
    Posted Oct 23, 2013 01:30 AM

    That's right, only role mappings have "contains".

     

    Is this wired or wireless and what vendor/firmware?

     

    By your screenshot you are getting the student role, but for some reason the enforcement is not being sent, or there might be an issue with the NAS device. Can you double-check the VLAN, and is the port in access mode?



  • 13.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    Posted Oct 23, 2013 01:45 AM

    Hi Troy

    I got it figured out. In the Device Groups that I created within the enforcement profiles, I used the Subnet format and put the desired subnet details in; that didn't work.

    So when I changed the format to List and selected my Aruba controller IPs from the list, everything worked. It turned out my Aruba controller has all the VLAN information that ClearPass needed. I thought I could put the VLAN subnet within ClearPass under Device Groups, but no.

    Thank you so much for your time and support. Have an awesome remaining day!!!

     

    Regards

    Tuan



  • 14.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    EMPLOYEE
    Posted Oct 23, 2013 01:49 AM


    One quick note. With Aruba you can just send a role instead of VLANs. It will allow you to set the VLAN and firewall rules for each client. They are case sensitive, so make sure you match the rule's role with the role on the controller.

     

     

     

    role4.png

     

    role5.png
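The decision chain described in replies 2 and 3 (AD group, TIPS role, enforcement policy, enforcement profile) and the two kinds of return attribute discussed in this reply (a VLAN via the IETF tunnel attributes, or an Aruba user role via the Aruba-User-Role VSA) can be modelled end to end. The following is an added example written for this thread, not ClearPass code or anything posted by the participants. The group DNs, role names, profile names and the reject-by-default behaviour are assumptions chosen for illustration; VLANs 58 and 64 are the ones from the thread, and the attribute numbers are from RFC 2868/3580 and Aruba's IANA enterprise number.

```python
"""Added example: models AD group -> TIPS role -> enforcement policy ->
enforcement profile -> RADIUS Access-Accept attributes, then encodes and
decodes those attributes as RADIUS TLVs. All DNs/role/profile names are
constructed for illustration; nothing here is ClearPass's own code."""
import struct

VENDOR_SPECIFIC = 26
VENDOR_ARUBA = 14823                 # IANA enterprise number for Aruba
ARUBA_USER_ROLE = 1                  # Aruba VSA "Aruba-User-Role" (string)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def _cond(op, values, needle):
    """Evaluate one condition against a multi-valued attribute (e.g. memberOf)."""
    if op == "EQUALS":
        return any(v == needle for v in values)
    if op == "CONTAINS":
        return any(needle in v for v in values)
    if op == "NOT_CONTAINS":
        return not any(needle in v for v in values)
    raise ValueError(f"unknown operator {op}")


# ROLE MAPPING: ordered rules, first match wins; no match -> the default role.
# Group DNs and the default role name are assumed for this example.
ROLE_MAPPING = [
    ("memberOf", "CONTAINS", "CN=Staff,OU=Groups,DC=parade,DC=int", "Staff"),
    ("memberOf", "CONTAINS", "CN=Students,OU=Groups,DC=parade,DC=int", "Student"),
]
DEFAULT_ROLE = "[Other]"


def map_role(ad_attrs):
    for attr, op, value, tips_role in ROLE_MAPPING:
        if _cond(op, ad_attrs.get(attr, []), value):
            return tips_role
    return DEFAULT_ROLE


# ENFORCEMENT PROFILES: the RADIUS attributes each profile returns.
def vlan_profile(vlan_id):
    """Dynamic VLAN via IETF tunnel attributes: tag byte 0 + 3-byte integer."""
    return [
        (TUNNEL_TYPE, struct.pack(">I", TUNNEL_TYPE_VLAN)),
        (TUNNEL_MEDIUM_TYPE, struct.pack(">I", TUNNEL_MEDIUM_IEEE802)),
        (TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()),
    ]


def aruba_role_profile(role_name):
    """Aruba-User-Role VSA; the string must match the controller role exactly (case sensitive)."""
    data = role_name.encode()
    vsa = struct.pack(">IBB", VENDOR_ARUBA, ARUBA_USER_ROLE, 2 + len(data)) + data
    return [(VENDOR_SPECIFIC, vsa)]


PROFILES = {
    "Staff-VLAN58": vlan_profile(58),
    "Student-VLAN64": vlan_profile(64),
    "Staff-UserRole": aruba_role_profile("staff"),
    "Student-UserRole": aruba_role_profile("student"),
}

# ENFORCEMENT POLICY: Tips:Role EQUALS <role> -> profile names (exact match only;
# "contains" is not available at this stage). Unmatched roles are rejected (assumed).
ENFORCEMENT_POLICY = {
    "vlan": [("Staff", ["Staff-VLAN58"]), ("Student", ["Student-VLAN64"])],
    "user-role": [("Staff", ["Staff-UserRole"]), ("Student", ["Student-UserRole"])],
}


def enforce(tips_role, mode="vlan"):
    for role, names in ENFORCEMENT_POLICY[mode]:
        if role == tips_role:
            return "Access-Accept", [a for n in names for a in PROFILES[n]]
    return "Access-Reject", []


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value too long")
        out += bytes([attr_type, 2 + len(value)]) + value
    return bytes(out)


def decode_attrs(blob):
    """Parse TLVs back into a dict; VSAs are keyed as (26, vendor_id, vendor_type)."""
    out, i = {}, 0
    while i < len(blob):
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("malformed attribute")
        value = blob[i + 2:i + ln]
        if t == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack(">IBB", value[:6])
            out[(t, vendor, vtype)] = value[6:4 + vlen]
        else:
            out[t] = value
        i += ln
    return out


def authorize(ad_attrs, mode="vlan"):
    """Whole chain for one authenticated user: (TIPS role, RADIUS code, decoded attrs)."""
    role = map_role(ad_attrs)
    code, attrs = enforce(role, mode)
    return role, code, decode_attrs(encode_attrs(attrs))


if __name__ == "__main__":
    # Constructed AD lookups for two users.
    student = {"memberOf": ["CN=Students,OU=Groups,DC=parade,DC=int"]}
    staff = {"memberOf": ["CN=Staff,OU=Groups,DC=parade,DC=int"]}
    for user in (student, staff):
        print(authorize(user), authorize(user, "user-role"))
```

Two design choices worth noting: rule order matters (a user in both groups gets the first matching TIPS role), and the policy sends Access-Reject rather than a fall-through VLAN when the role is unmatched, so a mapping mistake fails closed instead of landing every user in the first VLAN.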

     

     



  • 15.  RE: clearPass - Assign authenticated user (in AD) with user roles and VLANs

    Posted Oct 22, 2013 10:02 PM
    I believe you should be using the memberOf property if you are going to drive off AD groups. If all your students are located under one OU, then do userDN contains OU=students,DC=parade,DC=int, and for staff use not_contains instead of contains.


    Hope this helps you.