Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

  • 1.  ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 09, 2013 05:46 AM

    Hi Guys,

    I deployed a small POC of ClearPass.

    I configured the onboard process in front of an Aruba controller and a RADIUS server.

    I keep getting auth failed, because it seems like ClearPass/the device is sending the username plus extra unneeded stuff:

    Why does it do that? Here in the example the username is pelegw...

    ClearPass is changing it to: pelegw:10:mdps_generic


    adiusServer.Radius - reqst_update_state: Access-Challenge 13:76:206432156034:0x00410055009000902b00000012d624c17e47ce52b81d080a6711508d
    2013-07-09 12:38:52,822[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "onbaord-shabA2013 Onboard Provisioning - Aruba" - 14:234:206432156034
    2013-07-09 12:38:52,822[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_sql: searching for user sheba\pelegw:10:mdps_generic in Local:localhost
    2013-07-09 12:38:52,823[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_sql: searching for user sheba\pelegw:10:mdps_generic in Local:localhost
    2013-07-09 12:38:52,823[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_ldap: searching for user sheba\pelegw:10:mdps_generic in AD:172.21.3.1


  • 2.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    EMPLOYEE
    Posted Jul 09, 2013 08:38 AM

    You could try stripping the extra text in the service policy under authentication.


    strip un.PNG



  • 3.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 09, 2013 08:46 AM
    Thanks for the info.
    So I should write there:

    user::

    Right? Because I don't need what comes after the :


  • 4.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    EMPLOYEE
    Posted Jul 09, 2013 08:49 AM

    That should work. The resulting request would be sheba\pelegw.


    I would also open a TAC case just to find out why it is making the AD request with that extra information. This does not seem to be normal behavior.



  • 5.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 09, 2013 08:52 AM
    user:
    didn't work - CPPM didn't allow me to save it.
    user::
    didn't work - CPPM didn't allow me to save it.
    user:m
    worked.
    Now let's test with the client that it's really working and stripping the username in the right way.


  • 6.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 09, 2013 08:55 AM

    It will not work...

    because there is no m after the username,

    it's a number - a changing number...

    Why the hell does the CPPM add it to the username?

    Capture.PNG

    Please advise. (You can see in the above screenshot that without all this add-on it's working great.)

    Thanks, me.



  • 7.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 09, 2013 09:01 AM

    Do you think this should do it?
    Strip Username Rules: user:1,user:2,user:3,user:4,user:5,user:6,user:7,user:8,user:9



  • 8.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 09, 2013 09:44 AM

    Still doesn't work.

    Even though I added the following strip rules to the name:

    user:1,user:2,user:3,user:4,user:5,user:6,user:7,user:8,user:9

    Capture.PNG

    I still don't understand why ClearPass Onboard is changing the username to:

    pelegw:7:mdps_generic

    and how to fix it...

    Please advise...

    After onboarding and checking the profile on the Android device, it seems that Onboard is adding a strange string to the username, which causes it to fail when trying to connect to the enterprise network...



  • 9.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 09, 2013 09:59 AM
    It's like it is sending the unique device name + user prefix as the username to the Wi-Fi network profile that was created after the onboarding process on the Android itself.... Please advise.


  • 10.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 09, 2013 12:59 PM

    This is expected behavior for devices that have been onboarded with EAP-PEAP credentials (Windows and Android by default).  You need to add the Onboarded Devices repository as an authentication source to the 802.1X service you are using.  




  • 11.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 09, 2013 01:26 PM
    • I know that - I did it..... but my client would like to use his own RADIUS (like the situation today) for the 802.1X SSID.
    • ClearPass is being used just for onboarding smart devices + installing the cert + creating the 802.1X profile on the devices.

    A. I added the CPPM as a 3rd RADIUS + failover in the Aruba AAA profile of the 802.1X SSID.

    B. Still, when a user has finished onboarding and tries to connect with the 802.1X profile made by the onboard process - and it is also being checked against the CPPM Onboard repository... it fails... user not found (it just doesn't find a username with this "mdps add-on...").

    C. Each user that tries to connect to the 802.1X will fail over through 2 other RADIUS servers before arriving at the CPPM for auth... it's kind of a slow process - no?

    Please advise.

    Thanks,

    me.



  • 12.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 09, 2013 01:42 PM

    When a device is onboarded and configured for EAP-PEAP it is issued a unique username and password (e.g. username:12:mdps_generic).  After onboarding, the device will no longer use the AD username/password for authentication; it will use the unique credentials issued during the onboarding process.  You will not be able to authenticate directly to AD with the credentials issued by Onboard.  You need to authenticate against the Onboarded Devices Repository in ClearPass.



  • 13.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 10, 2013 04:20 AM

    OK thanks, I just configured it like you wrote - testing it soon.

    Capture.PNG
    But let's say I have in the same 802.1X profile / server group 2 other RADIUS servers of the enterprise, which are for users connecting to the 802.1X without onboarding... won't it slow down the process because of the fail-over function?



  • 14.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 10, 2013 10:44 AM

    Yes, that will slow the authentication process for Onboarded devices as they will have to fail through the two IAS servers before reaching ClearPass.  


    Are you using EAP termination on the Aruba controller?  RADIUS failthrough is not recommended for 802.1X if EAP sessions are being terminated on the RADIUS servers.  Check out this thread: http://community.arubanetworks.com/t5/Security-WIDS-WIPS-and-Aruba-ECS/Radius-Fail-through-and-802-1x-Machine-Authentication/td-p/12183




  • 15.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 10, 2013 12:37 PM

    You could consider setting a "match-rule" for the CPPM server entry within the group.  For example, put CPPM at the top, but have a match-rule defined; something like:   authstring contains mdps_generic.  


    Other things to consider:

    1) use CPPM for all auths

    2) use CPPM to proxy auths to IAS

    3) use IAS connection rules to proxy to CPPM for (based on username containing mdps_generic)


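Added example (not from the thread or from HPE Aruba): the Onboard credential format described in reply 12 and the "authstring contains mdps_generic" match-rule from reply 15, turned into a small routing and log check. The sample log lines are constructed after the excerpt in the first post; the 172.21.3.1 AD source is the one quoted there, the second session ID is made up.

```python
import re

# Onboard-issued EAP-PEAP credential as seen in the thread: "user:<device-id>:mdps_generic",
# optionally prefixed with a NetBIOS domain ("sheba\pelegw:10:mdps_generic").
# The device id is a changing number (10 and 7 appear in the thread), so it is
# matched with \d+; a fixed list such as user:1 ... user:9 cannot cover it.
ONBOARD_RE = re.compile(r"^(?:(?P<realm>[^\\]+)\\)?(?P<user>[^:]+):(?P<device_id>\d+):mdps_generic$")

# Shape of the CPPM "RadiusServer.Radius - rlm_*: searching for user ... in <source>" lines.
LOOKUP_RE = re.compile(r"rlm_(?P<module>sql|ldap): searching for user (?P<name>\S+) in (?P<source>\S+)")


def classify_user_name(name):
    """Decide where a RADIUS User-Name belongs, mirroring a match-rule of
    'authstring contains mdps_generic': Onboard credentials go to the
    Onboarded Devices Repository, everything else to Active Directory."""
    m = ONBOARD_RE.match(name)
    if m:
        return {
            "route": "onboard-repository",
            "realm": m.group("realm"),
            "user": m.group("user"),
            "device_id": int(m.group("device_id")),
        }
    realm, _, user = name.rpartition("\\")
    return {"route": "active-directory", "realm": realm or None, "user": user, "device_id": None}


def find_misrouted_lookups(log_lines):
    """Flag lookups of Onboard-issued credentials against an AD source; these can
    never succeed because AD does not hold the per-device username/password."""
    findings = []
    for line in log_lines:
        m = LOOKUP_RE.search(line)
        if not m:
            continue
        info = classify_user_name(m.group("name"))
        if info["route"] == "onboard-repository" and m.group("source").startswith("AD:"):
            findings.append((info["user"], info["device_id"], m.group("source")))
    return findings


# Constructed sample lines modelled on the first post's log excerpt (not real captures).
SAMPLE_LOG = [
    "2013-07-09 12:38:52,822[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_sql: searching for user sheba\\pelegw:10:mdps_generic in Local:localhost",
    "2013-07-09 12:38:52,823[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_ldap: searching for user sheba\\pelegw:10:mdps_generic in AD:172.21.3.1",
    "2013-07-09 12:40:01,100[Th 2 Req 45 SessId R00000023-01-51dbda2d] INFO RadiusServer.Radius - rlm_ldap: searching for user sheba\\pelegw in AD:172.21.3.1",
]

if __name__ == "__main__":
    for user, device_id, source in find_misrouted_lookups(SAMPLE_LOG):
        print(f"Onboard credential for {user} (device {device_id}) was sent to {source}; "
              "route it to the Onboarded Devices Repository instead")
```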

  • 16.  RE: ClearPass onboarding failed because the CPPM is sending the wrong user name to the AD/RADIUS

    Posted Jul 09, 2013 08:49 AM
    I want to change this CPPM output:
    pelegw:10:mdps_generic
    to this:
    pelegw