Security

last person joined: 6 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Use number of failed authentications for a devices in Enforcement policy

Jump to Best Answer
This thread has been viewed 19 times
  • 1.  Use number of failed authentications for a devices in Enforcement policy

    Posted May 31, 2021 10:48 AM
    Hi

    Is it possible to use the counter in the Insigth database for number of failed authentications in an Enforcement policy?
    The case I'm thinking about is if a device fail to authenticate numerous times a message should be sent to take care of the device, or an specific Enforcement policy be applied to this device limiting the amount of new requests it can send for some time.


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDA, ACNSA, ACEA
    Aranya AB
    ------------------------------


  • 2.  RE: Use number of failed authentications for a devices in Enforcement policy

    Posted Jun 01, 2021 05:03 AM
    Jonas,

    I wrote some code that generates this report and a raft of other reports. 
    Have a look at the attached Summary and Detailed reports.
    I've also included the code that generates this in the zip file. If you want to try it have a read on the included readme file.

    Regards Derin

    ------------------------------
    Derin Mellor
    ------------------------------



  • 3.  RE: Use number of failed authentications for a devices in Enforcement policy

    Posted Jun 01, 2021 07:12 AM
    Thanks Derin

    Very comprehensive report, impressive!
    But not the exact thing I was looking for. I would like to utilize the Insight DB (at least I think the failed authentication counter is found in this database) as authorization source and if a device have more than, let's say, 100 failed authentications it should be handled in another way in the enforcement policy.

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDA, ACNSA, ACEA
    Aranya AB
    ------------------------------



  • 4.  RE: Use number of failed authentications for a devices in Enforcement policy
    Best Answer

    Posted Jun 01, 2021 10:12 AM
    Jonas,

    If the connection is failing due to an authentication failure (ie incorrect password) the I don't believe ClearPass can do much to address this - ClearPass immediately sends a RADIUS Reject without any further processing.
    If the failure occurs in the Authorization then you could use some SQL like:
    SELECT COUNT(*) AS failed_auths
    FROM auth
    WHERE username = '%{Authentication:Username}'
    AND auth_status='Failed' AND timestamp >= NOW() - INTERVAL '1 hour';
    Conceptually you could use this to add this device to the ClearPass Blacklist - but it's not clear to me how you can add a device to this? This is very much geared to devices that exceed bandwidth or session limits. Likewise, I'm not sure how long it would remain in this blacklist (I think it is held there for 24 hours?). But even so the authentication requests would still be coming into ClearPass. In that sense it makes more sense to use RESTful API to inject a 'blacklist' into the NAS - ie a controller. I've never tried this but I notice that it is discussed in https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=653f11ac-ec55-4300-bcb4-5a4dce45629d

    ------------------------------
    Derin Mellor
    ------------------------------



  • 5.  RE: Use number of failed authentications for a devices in Enforcement policy

    Posted Jun 01, 2021 10:21 AM
    Thank you,

    I will give the SQL query a try.
    As mentioned the idea is to trigger a message notifying the on site team that a device is continuously failing authentication.

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDA, ACNSA, ACEA
    Aranya AB
    ------------------------------



  • 6.  RE: Use number of failed authentications for a devices in Enforcement policy

    Posted Jun 04, 2021 08:00 AM
    Hi 

    I have now had a chance to test the SQL query for the Insight database. It works as I intended with my question.
    Thank you for your assistance @derinmellor

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDA, ACNSA, ACEA
    Aranya AB
    ------------------------------