Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

two types of authentication on same SSID

Hello gurus,

I have the following setup which I want to implement.

I have an Aruba 3600 controller with the ClearPass solution, which I am evaluating at the moment.

Scenario A: active directory user authentication without certificate

Scenario B: active directory user authentication + machine authentication.

Currently I have my CA server running, with certificates installed on the client side and the ClearPass side, and it's working fine. BUT...

I would like to add a role which says that if the user authenticates without a certificate he will only be able to browse the internet, and if he has a certificate he can access local resources. This is all done on a single SSID.

I tried to add my RADIUS server under the 802.1X Authentication Server Group with two different roles (server derivation rules):

Priority  Attribute                Operation  Operand             Type    Action    Value          Enabled
1         Tunnel-Private-Group-Id  equals     WithCertificate     String  set role  authenticated  Yes
2         Tunnel-Private-Group-Id  equals     WithoutCertificate  String  set role  Internet_Only  Yes

Also, in the ClearPass RADIUS I added the same options under the service rule, but it doesn't work.

So now, because I have two different rules to authenticate users, the policy will always go to the first match, which will usually fail since, as mentioned, I have two different profiles. So when a user without a certificate tries to authenticate he will be dropped, since there is no connection policy for him.

So what do we do from here?

Thanks.

Guru Elite
Posts: 21,543
Registered: ‎03-29-2007

Re: two types of authentication on same SSID

So you want to differentiate between Domain Machines and other devices?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: two types of authentication on same SSID

No.

I want to be able to use one SSID with different types of users.

I.e. users who have a mobile device without a certificate, which will use AD credentials and get only internet access without local resources, and regular laptop users who are members of the domain and have a certificate; they will be able to access everything.

 

Guru Elite
Posts: 21,543
Registered: ‎03-29-2007

Re: two types of authentication on same SSID


idcnetworking wrote:

No.

I want to be able to use one SSID with different types of users.

I.e. users who have a mobile device without a certificate, which will use AD credentials and get only internet access without local resources, and regular laptop users who are members of the domain and have a certificate; they will be able to access everything.

 


Okay.

 

Are both groups of users being authenticated successfully right now (if not, we need to fix that before doing anything)?

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: two types of authentication on same SSID

At the moment,

I use one username from a laptop with a certificate and it works. I use the same username from my Android device without a certificate, only AD authentication, and it works.

But when I combine both rules in ClearPass it doesn't work, as there is no way (that I have found) to distinguish the connection request; therefore it will always match the first one, which is with certificates. And then the no-certificate one doesn't work.

So each time I need to stop one of the services in ClearPass.

 

Guru Elite
Posts: 21,543
Registered: ‎03-29-2007

Re: two types of authentication on same SSID

Okay. Edit the service, and under the Authentication tab do you have MSCHAPv2, EAP-PEAP and EAP-TLS as authentication methods?

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: two types of authentication on same SSID

Yes, I do.

But isn't it smarter to separate them, and send a Tunnel-Private-Group-Id which can be UserCertificate and the other one NoCertificate, or something like that?

 

Guru Elite
Posts: 21,543
Registered: ‎03-29-2007

Re: two types of authentication on same SSID

No. Keep them in the same service. We will send a different Enforcement Profile that will send a different role, depending on whether it does EAP-TLS or not:

 

On the controller:

 

Make sure you have two roles set aside for your two different types of users. You will not need any server derivation rules in the server group, because we will send an Aruba VSA (Aruba-User-Role) with the name of the role from CPPM, and that will automatically put the user in that role.

 

On CPPM:

 

1- Go to Configuration > Enforcement > Profiles.

2- Click on Add Enforcement Profile.

3- Select Aruba Enforcement Profile and name the profile after your first Aruba role (for TLS/certificate users). Click on Next and in the Attributes tab, fill in the Value box with the name of the Aruba role that you want to send back for certificate (TLS) users. Click on Save.

4- Select Aruba Enforcement Profile and name the profile after your second Aruba role (for PEAP/username and password users). Click on Next and in the Attributes tab, fill in the Value box with the name of the second Aruba role that you want to send back for PEAP users. Click on Save.

5- Go to Configuration > Enforcement > Policies. Click on Add Enforcement Policy. Name the policy Encrypted-Users. Click Next and under the Rules tab click to add a rule that says: "Authentication Outer Method Equals EAP-TLS". Under the Enforcement Profile portion, select the Enforcement Profile you created in Step #3. Click on Save.

6- Add another rule. Click Next and under the Rules tab click to add a rule that says: "Authentication Outer Method Equals EAP-PEAP". Under the Enforcement Profile portion, select the Enforcement Profile you created in Step #4. Click on Save.

7- Go into Configuration > Services and edit your service. Under the Enforcement tab, select the Enforcement Policy you created in Step #5.

 

Try that and let us know if it works.

 



Colin Joseph
Aruba Customer Engineering

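The enforcement logic described in the post above, modelled as an added example (this is not code from the thread, from ClearPass or from Aruba). It does two things a practitioner would want to check before trusting the setup: it evaluates an ordered, first-match rule list keyed on the authentication outer method, exactly the way the Encrypted-Users policy is meant to behave, and it builds the RADIUS Vendor-Specific attribute that actually carries the role name to the controller. The real facts used are the Aruba vendor ID 14823 and Aruba-User-Role being vendor type 1 inside a RFC 2865 Vendor-Specific attribute (type 26), and the role names "authenticated" and "Internet_Only" from the thread. The policy name, the request dictionary shape and the explicit reject-by-default rule are assumptions for illustration; the important caveat is that any request that matches neither rule (for example a client that negotiates a different EAP method) should end in a reject, not silently in the more privileged role.

```python
"""
Added example, not from the original thread or from ClearPass/Aruba.

Models a ClearPass enforcement policy with two first-match rules on
Authentication:OuterMethod and encodes the resulting Aruba-User-Role VSA
that the controller uses to place the client in a role.
"""
import struct

RADIUS_VSA_TYPE = 26          # RFC 2865 Vendor-Specific attribute
ARUBA_VENDOR_ID = 14823       # IANA private enterprise number for Aruba
ARUBA_USER_ROLE = 1           # vendor type of Aruba-User-Role

# Ordered rule list, first match wins (mirrors the ClearPass policy).
# Role names come from the thread; the policy name is illustrative.
ENFORCEMENT_POLICY = {
    "name": "Encrypted-Users",
    "rules": [
        ({"Authentication:OuterMethod": "EAP-TLS"}, "authenticated"),
        ({"Authentication:OuterMethod": "EAP-PEAP"}, "Internet_Only"),
    ],
    # Assumed default: no rule matched -> no role -> Access-Reject.
    "default": None,
}


def evaluate_policy(request: dict, policy: dict = ENFORCEMENT_POLICY):
    """Return the Aruba role name for the request, or None to reject."""
    for conditions, role in policy["rules"]:
        if all(request.get(k) == v for k, v in conditions.items()):
            return role
    return policy["default"]


def encode_aruba_user_role(role: str) -> bytes:
    """Build one Aruba-User-Role VSA as it appears in an Access-Accept.

    Layout: Type(26) | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | value
    """
    value = role.encode("ascii")
    vendor_len = 2 + len(value)              # vendor type + vendor length + value
    return struct.pack("!BBIBB", RADIUS_VSA_TYPE, 6 + vendor_len,
                       ARUBA_VENDOR_ID, ARUBA_USER_ROLE, vendor_len) + value


def decode_aruba_user_role(attr: bytes):
    """Parse a VSA; return the role string, None if it is not Aruba-User-Role."""
    if len(attr) < 8:
        raise ValueError("attribute too short for a VSA")
    atype, alen, vendor, vtype, vlen = struct.unpack("!BBIBB", attr[:8])
    if atype != RADIUS_VSA_TYPE or vendor != ARUBA_VENDOR_ID or vtype != ARUBA_USER_ROLE:
        return None
    if alen != len(attr) or vlen != alen - 6:
        raise ValueError("malformed Aruba-User-Role VSA")
    return attr[8:alen].decode("ascii")


def build_response(request: dict):
    """Decide the RADIUS response code and the attribute to send back."""
    role = evaluate_policy(request)
    if role is None:
        return ("Access-Reject", b"")
    return ("Access-Accept", encode_aruba_user_role(role))


if __name__ == "__main__":
    # Constructed sample requests: a domain laptop, an Android phone, an outlier.
    for req in ({"Authentication:OuterMethod": "EAP-TLS"},
                {"Authentication:OuterMethod": "EAP-PEAP",
                 "Authentication:InnerMethod": "EAP-MSCHAPv2"},
                {"Authentication:OuterMethod": "EAP-TTLS"}):
        code, attr = build_response(req)
        print(code, decode_aruba_user_role(attr) if attr else "-", attr.hex())
```

The role string in the VSA must match a role that already exists on the controller, character for character, since the controller only looks the name up; and because the policy is first-match, keep the EAP-TLS rule above the EAP-PEAP rule only as a matter of readability, as the two conditions are mutually exclusive anyway.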

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: two types of authentication on same SSID

I will give it a try tomorrow, as now it's a bit too late.

I will keep you posted.

Thanks again!!!!

 

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: two types of authentication on same SSID


I have added everything.

I have one service which at the moment works with user and computer certificates and also with only username/password from Active Directory.

How can I now separate them on the controller?

Once the user with a certificate authenticates he will get the full policy.

Once the user doesn't present a certificate he will get a lighter policy.

Thanks.

 
