Requirement: Send an email from the ClearPass server to a specific admin's address, containing the OnGuard posture results (per health class), whenever a client PC is quarantined (its OnGuard posture status becomes unhealthy). It is an alert email that notifies admins of the health status of an unhealthy PC.
Solution: Config parameters required:
- First, a custom SQL DB authentication source is created in Configuration > Authentication > Sources, pointing at tipsLogDB, with a custom attribute (e.g. "Posture_Results") to fetch the posture results. The posture results are fetched with a custom SQL query from tipsLogDB, which holds all Access Tracker details.
- Here is the SQL query: select STRING_AGG(CONCAT(s.attr_name, ' - ' ,s.attr_value)::text, ' || ') as posture from tips_webauth_session_log w left outer join tips_session_log_details s on w.id = s.session_id where w.id = (select id from tips_webauth_session_log where host_mac = '%{Connection:Client-Mac-Address-NoDelim}' order by timestamp desc limit 1) and s.type = 'POSTURE_OUT' ;
- The query can be modified as required.
- This custom authentication source is added as an authorization source in the 802.1X service.
- A context server action is created under Administration > Dictionaries > Context Server Actions to trigger an email containing the values fetched by the custom attribute.
- SMTP server settings are configured at Administration > External Servers > Messaging Setup.
- An HTTP-based enforcement profile is created on the 802.1X service to call the context server action whenever the posture status becomes Quarantine.
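To see what the Posture attribute will contain before wiring it into an enforcement policy, the following added example (not from the original post or from ClearPass) replays the query above against constructed sample rows in SQLite, with group_concat standing in for PostgreSQL's STRING_AGG. The two table schemas are assumptions (only the column names used by the query are known); the example also shows the edge case where the client's latest webauth session logged no POSTURE_OUT rows, in which case the attribute comes back empty because the s.type filter in the WHERE clause turns the left outer join into an inner join.

```python
import sqlite3

# Constructed sample rows modelled on the two tipsLogDB tables the query reads.
# Column names follow the query; the table schemas themselves are assumed for this demo.
WEBAUTH_SESSIONS = [
    # (id, host_mac, timestamp) - MAC stored without delimiters, as the query expects
    (101, "001122aabbcc", "2024-01-10 09:00:00"),
    (102, "001122aabbcc", "2024-01-10 09:05:00"),  # latest session for this MAC
    (103, "ddeeff000111", "2024-01-10 09:06:00"),  # latest session, but no posture rows
]
SESSION_DETAILS = [
    # (session_id, type, attr_name, attr_value)
    (101, "POSTURE_OUT", "Antivirus", "Unhealthy"),
    (101, "POSTURE_OUT", "Firewall", "Healthy"),
    (102, "POSTURE_OUT", "Antivirus", "Healthy"),
    (102, "POSTURE_OUT", "Firewall", "Unhealthy"),
    (102, "RADIUS_OUT", "Session-Timeout", "3600"),  # dropped by the s.type filter
]

# Same logic as the PostgreSQL query on the page; SQLite's group_concat replaces STRING_AGG.
POSTURE_QUERY = """
select group_concat(s.attr_name || ' - ' || s.attr_value, ' || ') as posture
from tips_webauth_session_log w
left outer join tips_session_log_details s on w.id = s.session_id
where w.id = (select id from tips_webauth_session_log
              where host_mac = ? order by timestamp desc limit 1)
  and s.type = 'POSTURE_OUT'
"""


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tips_webauth_session_log (id integer, host_mac text, timestamp text)")
    conn.execute("create table tips_session_log_details "
                 "(session_id integer, type text, attr_name text, attr_value text)")
    conn.executemany("insert into tips_webauth_session_log values (?,?,?)", WEBAUTH_SESSIONS)
    conn.executemany("insert into tips_session_log_details values (?,?,?,?)", SESSION_DETAILS)
    return conn


def posture_for_mac(conn, mac_nodelim):
    """Return the aggregated posture string for the MAC's most recent webauth session,
    or None when that session has no POSTURE_OUT rows (the attribute would be empty)."""
    row = conn.execute(POSTURE_QUERY, (mac_nodelim,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(posture_for_mac(db, "001122aabbcc"))  # Antivirus - Healthy || Firewall - Unhealthy
    print(posture_for_mac(db, "ddeeff000111"))  # None: latest session logged no posture
```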
Workflow:
When a client PC's antivirus or firewall goes out of date, or any other parameter becomes unhealthy, the OnGuard agent by design triggers an immediate web auth to the ClearPass server.
Soon after the webauth, the posture results are stored in tipsLogDB (e.g. Antivirus:Unhealthy, Firewall:Healthy) and OnGuard triggers a NIC bounce or a CoA.
Because of the NIC bounce, the client performs 802.1X again, and the posture results stored by the webauth that just occurred are fetched as an authorization attribute (the custom attribute); you can verify this in Access Tracker > Authorization Attributes as well.
After successful 802.1X authentication, the HTTP enforcement profile is triggered, which in turn sends an email with the posture results taken from the authorization attribute to the address specified in the context server action template.
Configuration:
1. Create a custom SQL DB authentication source
Configuration > Authentication > Sources > ADD > Type > Custom SQL DB
General:
Name - Posture_DB
Cache Timeout: 5 seconds
"Primary" tab details :
Connection Details
Port (Optional): |
|
|
|
Goto > Attributes, on the same page > Add More Filters
Filter Name: |
|
Filter Query: |
|
|
Name |
Alias Name |
Data type |
Enabled As |
|
|
1. |
posture |
Posture |
String |
- |
|
|
2. Create a context server action
Administration > Dictionaries > Context Server Actions > ADD
Action:
Server Name : localhost
Action Name : Send Email
HTTP Method: POST
Authentication Method: NONE
URL: /api/email/send
Header:
Header-Name: Content-Type, Header-Value: application/json
Header-Name: Accept, Header-Value: application/json
Content (message, subject and "to" address can be modified according to requirements):
{
"to": ["example@example.com"],
"subject": "Quarantine ALERT!",
"message": "The following client was quarantined- %{Connection:Client-Mac-Address-Colon}\nClient-IP-ADDRESS-%{Endpoint:ClientIP}\nHOSTNAME-%{Authorization:[Endpoints Repository]:Hostname}\nPosture Evaluation Result\n%{Authorization:Posture_DB:Posture}"
}
%{Authorization:Posture_DB:Posture} is the attribute that pulls the posture details from tipsLogDB (the Access Tracker DB).
3. Create an enforcement profile
Configuration > Enforcement > Profiles > ADD
Profile:
Template: HTTP Based Enforcement
Name: Send Email Enforcement (any name)
Attributes:
Target Server: localhost
Action: Send Email
4. On the 802.1X service, map this enforcement profile against the rule created for the quarantine posture status (note: the enforcement profile must be added only to the 802.1X service, not to the web-auth service).
Example enforcement policy rule:
Tips:Posture EQUALS Quarantine
Apply Enforcement Profile: Send Email Enforcement
Match ALL of the following conditions:
1. Tips | Posture | NOT_EQUALS | HEALTHY (0) -> Enforcement Profiles: Send Email Enforcement
The XML files for the above config parameters are attached:
Authentication source - Configuration > Authentication > Sources > Import
Context server config - Administration > External Servers > Endpoint Context Servers > Import
Context server action config - Administration > Dictionaries > Context Server Actions > Import
Enforcement profile config - Configuration > Enforcement > Profiles > Import
Password for all the files is 'aruba'
Verification after applying the configuration:
- Disable a posture parameter on a client, such as the firewall or antivirus.
- Disconnect the device and reconnect to the network, or click the Retry button on the OnGuard agent, to make OnGuard perform web authentication.
- Wait for the OnGuard agent to bounce the client.
- The client performs 802.1X authentication.
- In Access Tracker, check the OUTPUT section of the 802.1X auth to see whether the HTTP-based enforcement was applied.
- You should receive an email with the posture details and all health classes with their health statuses.
- From this, you can tell which parameter on the client is unhealthy.
Attachments: ContextServer.zip, AuthSource-Posture_DB.zip, ContextServerAction.zip, EnforcementProfile.zip