Occasional Contributor II
Posts: 11
Registered: ‎07-09-2012

clearPass - Assign authenticated user (in AD) with user roles and VLANs

Hi All, I'm hoping you can help with the issue I'm having

I set up ClearPass 6.2 with an 802.1X service and one SSID for both students and staff, and authenticate them through Active Directory.

I want users to connect to the SSID, put in their AD credentials and, based on their user group within AD, be assigned the Staff or Student role and have their own VLANs (staff & student VLAN).

I got the user successfully connected to the SSID and authenticated, but the role mapping I have only assigns them one default role. How do I make the role mapping recognise the correct user group in AD and map the correct role, and then the correct VLAN/IP?

 

Thank you

Tuan

dot1x aruba wireless service.jpg

 

Role Mappings.jpg

Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: clearPass - Assign authenticated user (in AD) with user roles and VLANs


You'll want to use the "MemberOf" attribute to map each group to the appropriate TIPS role (which you can create). Then in the enforcement profile, you tell it what actions to take based on the TIPS role. Think of the TIPS roles as "tagged" attributes in ClearPass that you can reference later to make policy decisions.

 

Here's the "flow":

 

ROLE MAPPING

[AD Group] >>>> [TIPS Role]

 

ENFORCEMENT PROFILE

[TIPS Role] >>>> [Enforcement Policy]

 

ENFORCEMENT POLICY

[Enforcement Policy] ===== Actions you want to take (assign VLAN, return user role, etc.)


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba
Posts: 1,520
Registered: ‎06-12-2012

Re: clearPass - Assign authenticated user (in AD) with user roles and VLANs

So, a couple of different things.

 

1. If you are going to do roles, you will need to make a condition that states:

 

 

role.png

 

 

2. Your enforcement can be a simple "Tips:Role contains student" gets role A or VLAN A:

 

role2.png

 

OR, if you are not using a different authz source than AD or LDAP, you can skip the role mapping and use a simple:

 

role3.png

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: clearPass - Assign authenticated user (in AD) with user roles and VLANs

I believe you should be using the memberOf property if you are going to drive off of AD groups. If all your students are located under one OU, then do userDN contains OU=students,DC=parade,DC=int, and for staff use not_contains instead of contains.


Hope this helps you.
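To make the flow Tim laid out above concrete (AD attribute, then TIPS role, then enforcement profile), and the "contains" / "not_contains" conditions on memberOf and userDN suggested in the two replies that follow it, here is a small model of that evaluation as Python. It is an added example, not the thread's configuration or ClearPass code; the rule tables, group and OU names, the "evaluate all" role mapping and "first applicable" enforcement ordering are all assumptions, and the VLAN attributes are the RFC 3580 tunnel attributes a controller expects in the RADIUS Access-Accept.

```python
# Added example, not ClearPass code: models the AD attribute -> TIPS role ->
# enforcement profile -> RADIUS attribute flow. Names/values are assumptions.
# Role mapping: (AD attribute, operator, value, TIPS role); assumed "evaluate
# all", so one user can end up holding several TIPS roles.
ROLE_MAPPING = [
    ("memberOf", "contains", "CN=Staff,", "Staff"),
    ("userDN", "contains", "OU=students,DC=parade,DC=int", "Student"),
]
# Enforcement policy: (attribute, operator, value, profile); assumed "first
# applicable", so rule order decides when a user holds more than one role.
ENFORCEMENT_POLICY = [
    ("Tips:Role", "contains", "Staff", "VLAN58"),
    ("Tips:Role", "contains", "Student", "VLAN64"),
]
DEFAULT_PROFILE = "Deny Access"
# Enforcement profiles: RFC 3580 tunnel attributes returned in Access-Accept.
def vlan_profile(vlan_id):
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan_id)}
PROFILES = {"VLAN58": vlan_profile(58), "VLAN64": vlan_profile(64),
            "Deny Access": None}

def matches(actual, op, expected):
    # 'contains' is a substring test over every value of a multi-valued
    # attribute such as memberOf, so "CN=Staff," is safer than "Staff".
    values = actual if isinstance(actual, list) else [actual]
    hit = any(expected in v for v in values)
    if op == "contains":
        return hit
    if op == "not_contains":
        return not hit
    raise ValueError("unsupported operator: " + op)

def map_roles(ad_attrs):
    # Role mapping stage: every matching rule adds a TIPS role.
    return [role for attr, op, value, role in ROLE_MAPPING
            if attr in ad_attrs and matches(ad_attrs[attr], op, value)]

def enforce(roles):
    # Enforcement stage: the first applicable rule returns its profile.
    for attr, op, value, profile in ENFORCEMENT_POLICY:
        if attr == "Tips:Role" and matches(roles, op, value):
            return profile, PROFILES[profile]
    return DEFAULT_PROFILE, PROFILES[DEFAULT_PROFILE]

# Constructed sample users (not real directory data).
STAFF = {"memberOf": ["CN=Staff,OU=Groups,DC=parade,DC=int"],
         "userDN": "CN=Jane,OU=staff,DC=parade,DC=int"}
STUDENT = {"memberOf": ["CN=Students,OU=Groups,DC=parade,DC=int"],
           "userDN": "CN=Tuan,OU=students,DC=parade,DC=int"}
```

A user who ends up with both roles takes whichever enforcement rule is listed first, which is why the ordering of the policy rules and a non-matching default profile are worth checking in Access Tracker.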
Occasional Contributor II
Posts: 11
Registered: ‎07-09-2012

Re: clearPass - Assign authenticated user (in AD) with user roles and VLANs


Thank you, I got it to map the correct role, but the VLAN mapping is not working. I created one enforcement policy like what you showed that maps VLAN 58 for staff and VLAN 64 for students (see pics). But when users connect and get their role, only VLAN 58 IP addresses get assigned, regardless of staff or students. What did I miss?

 

Enforcement Policy

Enforcement Policy.jpg

 

Enforcement Profile

Enforcement profile - VLAN58.jpg

 

Thank you

Tuan

Aruba
Posts: 1,520
Registered: ‎06-12-2012

Re: clearPass - Assign authenticated user (in AD) with user roles and VLANs

In Access Tracker, can you post a screenshot of the student? The first tab should show what role the user is getting assigned.
Thank You,
Troy

Aruba
Posts: 1,520
Registered: ‎06-12-2012

Re: clearPass - Assign authenticated user (in AD) with user roles and VLANs

And also your role mapping in the service. How are you assigning the role of student or employee?
Thank You,
Troy

Occasional Contributor II
Posts: 11
Registered: ‎07-09-2012

Re: clearPass - Assign authenticated user (in AD) with user roles and VLANs

Hi, I attached the Access Tracker and the role assignment in the 802.1X service. I noticed the Access Tracker shows the enforcement profile as blank, even though I did set an enforcement profile in the service?

 

ROLE MAPPING IN 802.1X SERVICE

ParadeWifi Role.jpg

 

 

ACCESS TRACKER

Access Tracker.jpg

Aruba
Posts: 1,520
Registered: ‎06-12-2012

Re: clearPass - Assign authenticated user (in AD) with user roles and VLANs

What does the output show?
Thank You,
Troy

Occasional Contributor II
Posts: 11
Registered: ‎07-09-2012

Re: clearPass - Assign authenticated user (in AD) with user roles and VLANs

Output tab shows:

 

Enforcement Profile: -

System Posture Status: UNKNOWN (100)

Audit Posture Status: UNKNOWN (100)

 

Thank you
