Security

Hi

Is it possible to use the counter in the Insigth database for number of failed authentications in an Enforcement policy?
The case I'm thinking about is if a device fail to authenticate numerous times a message should be sent to take care of the device, or an specific Enforcement policy be applied to this device limiting the amount of new requests it can send for some time.


------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB
------------------------------

Jonas,

I wrote some code that generates this report and a raft of other reports. 
Have a look at the attached Summary and Detailed reports.
I've also included the code that generates this in the zip file. If you want to try it have a read on the included readme file.

Regards Derin

------------------------------
Derin Mellor
------------------------------

Original Message:
Sent: May 31, 2021 10:48 AM
From: Jonas Hammarback
Subject: Use number of failed authentications for a devices in Enforcement policy

Hi

Is it possible to use the counter in the Insigth database for number of failed authentications in an Enforcement policy?
The case I'm thinking about is if a device fail to authenticate numerous times a message should be sent to take care of the device, or an specific Enforcement policy be applied to this device limiting the amount of new requests it can send for some time.


------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB
------------------------------

Thanks Derin

Very comprehensive report, impressive!
But not the exact thing I was looking for. I would like to utilize the Insight DB (at least I think the failed authentication counter is found in this database) as authorization source and if a device have more than, let's say, 100 failed authentications it should be handled in another way in the enforcement policy.

------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB
------------------------------

Original Message:
Sent: Jun 01, 2021 05:03 AM
From: Derin Mellor
Subject: Use number of failed authentications for a devices in Enforcement policy

Jonas,

I wrote some code that generates this report and a raft of other reports. 
Have a look at the attached Summary and Detailed reports.
I've also included the code that generates this in the zip file. If you want to try it have a read on the included readme file.

Regards Derin

------------------------------
Derin Mellor

Original Message:
Sent: May 31, 2021 10:48 AM
From: Jonas Hammarback
Subject: Use number of failed authentications for a devices in Enforcement policy

Hi

Is it possible to use the counter in the Insigth database for number of failed authentications in an Enforcement policy?
The case I'm thinking about is if a device fail to authenticate numerous times a message should be sent to take care of the device, or an specific Enforcement policy be applied to this device limiting the amount of new requests it can send for some time.


------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB
------------------------------

Jonas,

If the connection is failing due to an authentication failure (ie incorrect password) the I don't believe ClearPass can do much to address this - ClearPass immediately sends a RADIUS Reject without any further processing.
If the failure occurs in the Authorization then you could use some SQL like:
SELECT COUNT(*) AS failed_auths
FROM auth
WHERE username = '%{Authentication:Username}'
AND auth_status='Failed' AND timestamp >= NOW() - INTERVAL '1 hour';
Conceptually you could use this to add this device to the ClearPass Blacklist - but it's not clear to me how you can add a device to this? This is very much geared to devices that exceed bandwidth or session limits. Likewise, I'm not sure how long it would remain in this blacklist (I think it is held there for 24 hours?). But even so the authentication requests would still be coming into ClearPass. In that sense it makes more sense to use RESTful API to inject a 'blacklist' into the NAS - ie a controller. I've never tried this but I notice that it is discussed in https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=653f11ac-ec55-4300-bcb4-5a4dce45629d

------------------------------
Derin Mellor
------------------------------

Original Message:
Sent: Jun 01, 2021 07:12 AM
From: Jonas Hammarback
Subject: Use number of failed authentications for a devices in Enforcement policy

Thanks Derin

Very comprehensive report, impressive!
But not the exact thing I was looking for. I would like to utilize the Insight DB (at least I think the failed authentication counter is found in this database) as authorization source and if a device have more than, let's say, 100 failed authentications it should be handled in another way in the enforcement policy.

------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB

Original Message:
Sent: Jun 01, 2021 05:03 AM
From: Derin Mellor
Subject: Use number of failed authentications for a devices in Enforcement policy

Jonas,

I wrote some code that generates this report and a raft of other reports. 
Have a look at the attached Summary and Detailed reports.
I've also included the code that generates this in the zip file. If you want to try it have a read on the included readme file.

Regards Derin

------------------------------
Derin Mellor

Original Message:
Sent: May 31, 2021 10:48 AM
From: Jonas Hammarback
Subject: Use number of failed authentications for a devices in Enforcement policy

Hi

Is it possible to use the counter in the Insigth database for number of failed authentications in an Enforcement policy?
The case I'm thinking about is if a device fail to authenticate numerous times a message should be sent to take care of the device, or an specific Enforcement policy be applied to this device limiting the amount of new requests it can send for some time.


------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB
------------------------------

Thank you,

I will give the SQL query a try.
As mentioned the idea is to trigger a message notifying the on site team that a device is continuously failing authentication.

------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB
------------------------------

Original Message:
Sent: Jun 01, 2021 10:11 AM
From: Derin Mellor
Subject: Use number of failed authentications for a devices in Enforcement policy

Jonas,

If the connection is failing due to an authentication failure (ie incorrect password) the I don't believe ClearPass can do much to address this - ClearPass immediately sends a RADIUS Reject without any further processing.
If the failure occurs in the Authorization then you could use some SQL like:
SELECT COUNT(*) AS failed_auths
FROM auth
WHERE username = '%{Authentication:Username}'
AND auth_status='Failed' AND timestamp >= NOW() - INTERVAL '1 hour';
Conceptually you could use this to add this device to the ClearPass Blacklist - but it's not clear to me how you can add a device to this? This is very much geared to devices that exceed bandwidth or session limits. Likewise, I'm not sure how long it would remain in this blacklist (I think it is held there for 24 hours?). But even so the authentication requests would still be coming into ClearPass. In that sense it makes more sense to use RESTful API to inject a 'blacklist' into the NAS - ie a controller. I've never tried this but I notice that it is discussed in https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=653f11ac-ec55-4300-bcb4-5a4dce45629d

------------------------------
Derin Mellor

Original Message:
Sent: Jun 01, 2021 07:12 AM
From: Jonas Hammarback
Subject: Use number of failed authentications for a devices in Enforcement policy

Thanks Derin

Very comprehensive report, impressive!
But not the exact thing I was looking for. I would like to utilize the Insight DB (at least I think the failed authentication counter is found in this database) as authorization source and if a device have more than, let's say, 100 failed authentications it should be handled in another way in the enforcement policy.

------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB

Original Message:
Sent: Jun 01, 2021 05:03 AM
From: Derin Mellor
Subject: Use number of failed authentications for a devices in Enforcement policy

Jonas,

I wrote some code that generates this report and a raft of other reports. 
Have a look at the attached Summary and Detailed reports.
I've also included the code that generates this in the zip file. If you want to try it have a read on the included readme file.

Regards Derin

------------------------------
Derin Mellor

Original Message:
Sent: May 31, 2021 10:48 AM
From: Jonas Hammarback
Subject: Use number of failed authentications for a devices in Enforcement policy

Hi

Is it possible to use the counter in the Insigth database for number of failed authentications in an Enforcement policy?
The case I'm thinking about is if a device fail to authenticate numerous times a message should be sent to take care of the device, or an specific Enforcement policy be applied to this device limiting the amount of new requests it can send for some time.


------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB
------------------------------

Hi 

I have now had a chance to test the SQL query for the Insight database. It works as I intended with my question.
Thank you for your assistance @derinmellor​

------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB
------------------------------

Original Message:
Sent: Jun 01, 2021 10:11 AM
From: Derin Mellor
Subject: Use number of failed authentications for a devices in Enforcement policy

Jonas,

If the connection is failing due to an authentication failure (ie incorrect password) the I don't believe ClearPass can do much to address this - ClearPass immediately sends a RADIUS Reject without any further processing.
If the failure occurs in the Authorization then you could use some SQL like:
SELECT COUNT(*) AS failed_auths
FROM auth
WHERE username = '%{Authentication:Username}'
AND auth_status='Failed' AND timestamp >= NOW() - INTERVAL '1 hour';
Conceptually you could use this to add this device to the ClearPass Blacklist - but it's not clear to me how you can add a device to this? This is very much geared to devices that exceed bandwidth or session limits. Likewise, I'm not sure how long it would remain in this blacklist (I think it is held there for 24 hours?). But even so the authentication requests would still be coming into ClearPass. In that sense it makes more sense to use RESTful API to inject a 'blacklist' into the NAS - ie a controller. I've never tried this but I notice that it is discussed in https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=653f11ac-ec55-4300-bcb4-5a4dce45629d

------------------------------
Derin Mellor

Original Message:
Sent: Jun 01, 2021 07:12 AM
From: Jonas Hammarback
Subject: Use number of failed authentications for a devices in Enforcement policy

Thanks Derin

Very comprehensive report, impressive!
But not the exact thing I was looking for. I would like to utilize the Insight DB (at least I think the failed authentication counter is found in this database) as authorization source and if a device have more than, let's say, 100 failed authentications it should be handled in another way in the enforcement policy.

------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB

Original Message:
Sent: Jun 01, 2021 05:03 AM
From: Derin Mellor
Subject: Use number of failed authentications for a devices in Enforcement policy

Jonas,

I wrote some code that generates this report and a raft of other reports. 
Have a look at the attached Summary and Detailed reports.
I've also included the code that generates this in the zip file. If you want to try it have a read on the included readme file.

Regards Derin

------------------------------
Derin Mellor

Original Message:
Sent: May 31, 2021 10:48 AM
From: Jonas Hammarback
Subject: Use number of failed authentications for a devices in Enforcement policy

Hi

Is it possible to use the counter in the Insigth database for number of failed authentications in an Enforcement policy?
The case I'm thinking about is if a device fail to authenticate numerous times a message should be sent to take care of the device, or an specific Enforcement policy be applied to this device limiting the amount of new requests it can send for some time.


------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDA, ACNSA, ACEA
Aranya AB
------------------------------