Super Contributor I
Posts: 294
Registered: 02-07-2013

issue with using authentication source in enforcement policy

Hi,

Think I've found an annoying issue with using Authentication sources in Enforcement policy conditions.


When I create a Service/Auth Source/Policy/Profile, I add a timestamp in its name of the form ddyymm; that way, when I'm synchronising configs between my dev and production servers it's easy to see where things have changed. Some things might change frequently, some occasionally.


If I have to change something, I update the name timestamp. In general, this works fine and everywhere the item is used is updated to reflect the new name... except in the case of an enforcement policy condition. In this case, the condition keeps the originally defined name... which then doesn't work because it doesn't exist.


e.g.


I've got an authorization source called "get_mac_info - ddyymm". This queries a mysql db to see if a given mac address has been quarantined. As we haven't fully migrated our estate over to using clearpass, this gives us a common way of disabling a mac address on campus irrespective of whether authentication is performed using freeradius or clearpass. The source returns an integer >0 if the mac address is quarantined.

e.g.


Condition:-

(Authorization:get_mac_info - 210915:isthisquarantined exists) AND (Authorization:get_mac_info - 210915:isthisquarantined GREATER_THAN 0)


Action:

UoY Wired Quarantine Profile - 230615


If I change the Authorization:get_mac_info name, the enforcement condition statement doesn't change and the default enforcement profile is selected. (Rule evaluation = First applicable)


Anyone else seen this?


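An added example (not from the original post or from ClearPass itself) that models the symptom described above: it parses condition strings written in the form the post shows, flags references to authorization sources that no longer exist under that name, and evaluates the single rule the way first-applicable evaluation would. The renamed source name, the attribute values and the default profile name are constructed for the demonstration.

```python
import re

# One clause in the syntax shown in the post:
#   (Authorization:<source name>:<attribute> <operator> [value])
# Source names may contain spaces and hyphens, so the name is matched lazily
# up to the last ":<attribute>" before the operator.
CLAUSE_RE = re.compile(
    r"\(Authorization:(?P<source>.+?):(?P<attr>\w+)\s+(?P<op>\w+)(?:\s+(?P<val>\S+))?\)"
)

def parse_clauses(condition):
    """Return (source, attribute, operator, value) for each clause."""
    return [(m["source"], m["attr"], m["op"], m["val"]) for m in CLAUSE_RE.finditer(condition)]

def dangling_sources(condition, existing_sources):
    """Sources the condition refers to that no longer exist under that name.
    This is the consistency check a config sync between servers would want."""
    return sorted({src for src, _, _, _ in parse_clauses(condition) if src not in existing_sources})

def evaluate(condition, attributes):
    """Evaluate an AND-joined condition against {(source, attribute): value}.
    A clause that points at a missing source sees no value and is false,
    which is why the default profile ends up being selected."""
    for src, attr, op, val in parse_clauses(condition):
        value = attributes.get((src, attr))
        if op == "exists":
            ok = value is not None
        elif op == "GREATER_THAN":
            ok = value is not None and int(value) > int(val)
        else:
            raise ValueError(f"unsupported operator: {op}")
        if not ok:
            return False
    return True

def select_profile(condition, attributes, match_profile, default_profile):
    """First-applicable evaluation with one rule and a default profile."""
    return match_profile if evaluate(condition, attributes) else default_profile

# Condition and profile name from the post; the renamed source and default
# profile name are constructed.
OLD_SOURCE = "get_mac_info - 210915"
NEW_SOURCE = "get_mac_info - 011015"          # constructed post-rename name
CONDITION = (f"(Authorization:{OLD_SOURCE}:isthisquarantined exists) AND "
             f"(Authorization:{OLD_SOURCE}:isthisquarantined GREATER_THAN 0)")
QUARANTINE_PROFILE = "UoY Wired Quarantine Profile - 230615"
DEFAULT_PROFILE = "[Default Profile - constructed]"

if __name__ == "__main__":
    print("dangling after rename:", dangling_sources(CONDITION, {NEW_SOURCE}))
    quarantined = {(NEW_SOURCE, "isthisquarantined"): 1}   # source answers under its new name
    print("profile selected:", select_profile(CONDITION, quarantined, QUARANTINE_PROFILE, DEFAULT_PROFILE))
```

Running it shows the quarantined client falling through to the default profile once the source has been renamed, even though the source itself still returns 1.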

Guru Elite
Posts: 8,464
Registered: 09-08-2010

Re: issue with using authentication source in enforcement policy

What version of ClearPass? I've seen this in earlier versions but not 6.4 or 6.5.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480