Wireless Access

Occasional Contributor II
Posts: 10
Registered: ‎05-28-2013

ClearPass enforcement profile problem

On our staff computers we set up an enforcement policy that looks for them to machine authenticate and for the computer to belong to an AD group we created before assigning the staff role we created. The problem is we have some computers that get the Machine Only enforcement profile and are assigned the wrong role. When I look in Access Tracker at the ones that work, ClearPass is looking at the group the machine belongs to; on the ones that do not work it's looking at user groups. There are no differences in AD between the computers that are working and the ones that are not.

Guru Elite
Posts: 8,632
Registered: ‎09-08-2010

Re: ClearPass enforcement profile problem

On the ones that don't work, are you seeing both [User Authenticated] and [Machine Authenticated]?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 10
Registered: ‎05-28-2013

Re: ClearPass enforcement profile problem

Yes

Guru Elite
Posts: 8,632
Registered: ‎09-08-2010

Re: ClearPass enforcement profile problem

You need to write a rule that checks User + Machine + Group and put it higher than your User only policies.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 10
Registered: ‎05-28-2013

Re: ClearPass enforcement profile problem

Thanks. That definitely has me on the right track.

Guru Elite
Posts: 21,258
Registered: ‎03-29-2007

Re: ClearPass enforcement profile problem

Greg,

Unfortunately, when a USER is authenticating, the only role that is available with regards to the machine is the [MACHINE AUTHENTICATED] role. You cannot leverage AD attributes like groups about the machine objects when the user is currently authenticating. The AD groups that the machine is part of are only accessible WHEN the machine is authenticating, NOT when the user on that machine is authenticating.

I hope that helps.

Colin Joseph
Aruba Customer Engineering


MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: ClearPass enforcement profile problem

As Colin mentioned, it is not possible to carry over a role mapping from machine authentication once you do the user auth.

What I suggest you do is the following:

- Create two services

[Screenshot: ClearPass Policy Manager, services list]

- In the machine authentication service define the following role mapping

[Screenshot: ClearPass Policy Manager, role mapping]

- Then create two custom attributes that you will use to differentiate between the IT PC and Sales PC

[Screenshot: ClearPass Policy Manager, custom attributes]

- Then create a Post Auth profile using those custom attributes

[Screenshot: ClearPass Policy Manager, post-auth enforcement profile]

- The post auth profiles can then be used to tag devices that are part of the SalesComputer or ITComputer AD group in the machine auth enforcement policy

[Screenshot: ClearPass Policy Manager, machine auth enforcement policy]

- Once these tags have been applied you can use them in the user wireless 802.1X service (for this to work, make sure you add the endpoint database as an authorization source)

[Screenshot: ClearPass Policy Manager, user 802.1X service]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
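A toy model, added here and not part of this thread or of ClearPass itself, of the two-phase flow Victor lays out and of Tim's earlier advice to put the User + Machine + Group rule above user-only rules: the machine-auth service sees the computer's AD groups and tags the endpoint, and the user service can only see that tag (via the endpoint database) plus the request's own roles. The attribute name PCType and the group names ITComputer/SalesComputer are assumptions.

```python
# Added illustration (not ClearPass code): a toy model of the two services
# described above. "PCType", "ITComputer" and "SalesComputer" are assumed names.

ENDPOINT_DB = {}  # stands in for the ClearPass endpoint repository, keyed by MAC


def machine_auth(mac, machine_ad_groups):
    """Machine-auth service. The computer's own AD groups are visible only
    here, so the post-auth profile tags the endpoint for later use."""
    tags = ENDPOINT_DB.setdefault(mac, {})
    if "ITComputer" in machine_ad_groups:
        tags["PCType"] = "IT"
    elif "SalesComputer" in machine_ad_groups:
        tags["PCType"] = "Sales"
    return "Machine Only"


# User 802.1X service: enforcement rules evaluated top-down, first match wins.
# A rule sees the roles of *this* request, the user's AD groups and, because
# the endpoint DB is an authorization source, the tag left by machine auth.
def staff_rule(roles, user_groups, endpoint):
    return ({"User Authenticated", "Machine Authenticated"} <= roles
            and endpoint.get("PCType") == "IT")

def user_only_rule(roles, user_groups, endpoint):
    return "User Authenticated" in roles

def machine_only_rule(roles, user_groups, endpoint):
    return "Machine Authenticated" in roles

# Tim's ordering: the User + Machine + Group rule sits above user-only rules.
RULES = [(staff_rule, "Staff"), (user_only_rule, "User Only"),
         (machine_only_rule, "Machine Only")]
# The thread's symptom: a machine-only rule matching first on a user auth.
MISORDERED_RULES = [(machine_only_rule, "Machine Only")] + RULES[:2]


def user_auth(mac, user_ad_groups, machine_authenticated, rules=RULES):
    roles = {"User Authenticated"}
    if machine_authenticated:  # the only machine fact a user auth carries
        roles.add("Machine Authenticated")
    endpoint = ENDPOINT_DB.get(mac, {})  # empty if machine auth never ran
    for rule, profile in rules:
        if rule(roles, set(user_ad_groups), endpoint):
            return profile
    return "Deny"
```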
Guru Elite
Posts: 8,632
Registered: ‎09-08-2010

Re: ClearPass enforcement profile problem

If you turn on cached roles, you can combine user, machine and user groups through a role map. I have this configured in multiple environments.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 10
Registered: ‎05-28-2013

Re: ClearPass enforcement profile problem

Thanks for the replies, I feel like I have some options that will work now.
