Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
MPSK - Return visitor_name as RADIUS UserName

  • 1.  MPSK - Return visitor_name as RADIUS UserName

    Posted Feb 12, 2020 12:37 AM

    Hi all,

     

    I'm tinkering with MPSK and trying to change the default enforcement profiles to return the registered device name instead of the sponsor name as the RADIUS username.

    For example, if I register a device in CPG as Camera1 and then authenticate using MPSK, Access Tracker shows the sponsor name (i.e. admin).

    I can't figure out how to modify the SQL query to grab the visitor_name attribute out of ClearPass Guest to return as the username instead.

    Anybody done this?

     

    Scott

  • 2.  RE: MPSK - Return visitor_name as RADIUS UserName

    Posted Feb 12, 2020 08:50 AM

    To your question, no, I haven't personally tried this ;-)

    But perhaps a few pointers that might help to make it work for you.

    The MPSK devices are stored as part of the tips_guest_users DB with guest_type = 'DEVICE'.

    Attributes associated with a device are stored as nested JSON in the attributes column, and that includes the "Visitor Name" that you are looking for.

     

    {
        "airgroup_enable": "1",
        "no_password": "1",
        "Create Time": "2018-12-14T13:36:33+00:00",
        "expire_postlogin": "0",
        "airgroup_shared_role": "",
        "remote_addr": "192.168.1.10",
        "Role ID": "2",
        "no_portal": "1",
        "do_expire": "1",
        "airgroup_shared_user": "",
        "source": "mac_create",
        "mac": "AA-BB-CC-DD-EE-FF",
        "Visitor Name": "Chromecast",
        "mac_auth": "1",
        "airgroup_shared": "1",
        "airgroup_shared_time": "",
        "sponsor_profile_name": "Device Registration",
        "simultaneous_use": "1",
        "airgroup_shared_group": "shared-services",
        "airgroup_shared_location": ""
    }

     

    If you want to work with those values, you need to become familiar with extracting nested JSON from SQL. Personally, it took me a while; this link helped me a lot: http://www.wagonhq.com/sql-tutorial/values-from-nested-json

    Also, the [Guest Device Repository] authentication source already includes filters that extract values from nested JSON.

    Now you will need to modify your authentication source and add a filter query that fetches your desired attribute. Something like this will actually fetch the visitor name "Chromecast" for the above MAC address:

    select attributes ->> 'Visitor Name' from tips_guest_users as tgu where tgu.guest_type = 'DEVICE' AND tgu.user_id = 'AA-BB-CC-DD-EE-FF'

     

    Disclaimer: there might be a more efficient way of doing this, but that's what I could come up with ;-)
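As an added illustration (not code from the thread or from ClearPass itself), here is how the one-line query above can be turned into a filter that returns the name with a fallback, so the username is never empty when a device was registered without one. The WITH clause is a constructed stand-in for tips_guest_users so the statement runs on any PostgreSQL; drop it to run against the real table. The sponsor_name column and the %{Connection:Client-Mac-Address-Hyphen} placeholder are assumptions about the ClearPass schema and substitution syntax.

```sql
-- Constructed sample rows shadowing tips_guest_users (a CTE takes precedence
-- over a table of the same name in PostgreSQL). Remove to query the real table.
WITH tips_guest_users AS (
    SELECT 'AA-BB-CC-DD-EE-FF' AS user_id,
           'DEVICE'            AS guest_type,
           'admin'             AS sponsor_name,   -- assumed column name
           '{"Visitor Name": "Chromecast", "Role ID": "2",
             "mac": "AA-BB-CC-DD-EE-FF"}'::jsonb AS attributes
    UNION ALL
    -- device registered with an empty name: must fall back to the sponsor
    SELECT '11-22-33-44-55-66', 'DEVICE', 'admin',
           '{"Visitor Name": "", "Role ID": "2", "mac": "11-22-33-44-55-66"}'::jsonb
    UNION ALL
    -- a GUEST row with the same MAC must never match a DEVICE lookup
    SELECT 'AA-BB-CC-DD-EE-FF', 'GUEST', 'operator',
           '{"Visitor Name": "Not a device"}'::jsonb
)
SELECT
    tgu.user_id AS device_mac,
    -- ->> returns the JSON value as text; NULLIF turns '' into NULL so that
    -- COALESCE can substitute the sponsor name instead of an empty username
    COALESCE(NULLIF(tgu.attributes ->> 'Visitor Name', ''), tgu.sponsor_name)
        AS visitor_name,
    tgu.attributes ->> 'Role ID' AS role_id
FROM tips_guest_users AS tgu
WHERE tgu.guest_type = 'DEVICE'
  -- case-insensitive match so a controller sending lower-case MACs still hits
  AND upper(tgu.user_id) = upper('%{Connection:Client-Mac-Address-Hyphen}');
-- Replace the placeholder with 'AA-BB-CC-DD-EE-FF' to get visitor_name = 'Chromecast'
-- and with '11-22-33-44-55-66' to get visitor_name = 'admin'.
```

In the authentication source, map the visitor_name column as an attribute and then reference it in the enforcement profile as the IETF:User-Name value; the GUEST row in the sample shows why the guest_type filter matters.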



  • 3.  RE: MPSK - Return visitor_name as RADIUS UserName

    Posted Feb 14, 2020 12:12 AM

    Thanks so much for the extensive reply. Whilst I don't immediately follow, you've given me a great start, so I'll review and see how I go.

    Many thanks!



  • 4.  RE: MPSK - Return visitor_name as RADIUS UserName

    Posted Feb 13, 2020 12:46 AM

    Hi Scott,

     

    From my point of view, if you register the device, you need to enter a "Device Name". This device name is the visitor name, and you can use this one quite easily. Just return the "GuestUser:Visitor Name" as IETF:RADIUS Username.

    I have written a short post about this. It is not related to MPSK but uses the device database in ClearPass as well. So it should apply to your request as well:

    https://www.flomain.de/2017/03/mac-authentication-with-username-using-clearpass/ 

     

    Hope this helps.

     

    BR

    Florian



  • 5.  RE: MPSK - Return visitor_name as RADIUS UserName

    Posted Feb 14, 2020 12:16 AM

    Hi Florian,

     

    Thanks for your reply. Whilst I initially thought the same as you, it seems the way the database is constructed is slightly different for devices.

    The MPSK workflow doesn't use the Guest Repository but rather the Device Repository. This new authentication source seems to have separate auth SQL search queries, and visitor_name doesn't appear to be in the schema.

    When I initially mapped the variable as you suggested, it simply returned a null value. Trying to modify the search query resulted in a table not found error.

    I also tried connecting via pgAdmin to browse the table and found that visitor_name isn't part of that query. This is where my very basic knowledge of SQL / JSON falls apart!!

    I've found this is similar to when you try to query endpoint records, which are also stored in a different manner.

     

    Scott

     



  • 6.  RE: MPSK - Return visitor_name as RADIUS UserName

    Posted Dec 21, 2020 12:45 AM

    Hi

    Did you manage to get this working? My customer's IT staff make the MPSK device accounts for IoT devices, and returning the device name is essential so it can be identified over the default of who created it.

    Mike



    ------------------------------
    Michael Lidgett
    ------------------------------



  • 7.  RE: MPSK - Return visitor_name as RADIUS UserName

    Posted Dec 21, 2020 04:24 AM

    If you have the device name in the Guest Device Database or in the Endpoint Repository, check Access Tracker for a field that carries the name you want to return, and return that in the enforcement as the IETF:User-Name attribute.

    Example enforcement profile for the Endpoint database Hostname field:



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 8.  RE: MPSK - Return visitor_name as RADIUS UserName

    Posted Dec 21, 2020 08:44 PM

    Hi Herman,

    We do that currently for the standard guest workflow, but as these are MPSK IoT devices and are created via operator access, not a web form, it doesn't have the ability to write anything to the endpoint repository.

    As part of creating a device we give it a name; if you then check "show details" for the device I created, you can see it's stored the name as visitor_name.

    Show Details on created device account

    And even when it authenticates now it has it in the computed attributes, so it's stored in a database, but I just need the right source, query and attribute to pluck it out, as I have no idea how to do that.

    Computed Attribute:

    I tried what the 2nd poster had mentioned but couldn't get it to work.

    The info is there, so there must be a way to pull it out and send it back as the username like the original poster has asked.



    ------------------------------
    Michael Lidgett
    ------------------------------



  • 9.  RE: MPSK - Return visitor_name as RADIUS UserName

    Posted Dec 22, 2020 04:35 AM

    Two options here. One is to return this attribute as the IETF:User-Name. You can do that with this enforcement profile:

    Put the label of what you see in Access Tracker (GuestUser:Visitor Name) in the %{ } construction to get the value replaced during enforcement.

    In your policy do something like this to prevent empty values from being returned:

    I successfully tested this in my lab:

    And Access Tracker:

    Another option is to add the Endpoint Database as an Authorization source and pull additional attributes from there. By doing that you can combine information from the Guest Devices database and Endpoint database in one policy; but if all information is in the Guest Devices database, then there is no need to do this.



    ------------------------------
    Herman Robers
    ------------------------------



  • 10.  RE: MPSK - Return visitor_name as RADIUS UserName

    Posted Dec 22, 2020 07:00 AM

    Thanks Herman! You're a legend! GuestUser:Visitor Name in the %{} worked perfectly.

    Thank you again.



    ------------------------------
    Michael Lidgett
    ------------------------------