Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Filtering in Services

Jump to Best Answer
This thread has been viewed 41 times
  • 1.  Filtering in Services

    Posted Oct 05, 2021 02:38 AM
    Is it possible with in services -> service to filter that if a username starts with a number it drops the authentication?

    ------------------------------
    Henk-Jan Dennenberg
    ------------------------------


  • 2.  RE: Filtering in Services

    Posted Oct 05, 2021 07:25 AM
    Have you tried filtering with the service rules, or under enforcement using regular expressions? See Link here : https://www.arubanetworks.com/techdocs/ClearPass/CPGuest_UG_HTML_6.5/Content/Reference/RegularExpressions.htm


    ------------------------------
    Dustin Burns
    Lead Mobility Engineer @WEI

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 3.  RE: Filtering in Services

    Posted Oct 14, 2021 03:01 AM
    Sorry for my late reply.

    So when i would at the last rule on the screenshot it will not authenticate users where the username starts with a number?



    ------------------------------
    Henk-Jan
    ------------------------------



  • 4.  RE: Filtering in Services
    Best Answer

    Posted Oct 14, 2021 03:57 AM
    Henk-Jan,

    No, you need the REGEX, not the 'BEGINS_WITH'. I just tested the following in my lab:

    Radius:IETF User-Name NOT_MATCHES_REGEX ^[0-9].*

    Where the ^ = start of line (first character); [0-9] = any character 0-9 (immediately after the start of line); and then .* = . means any character, and * means zero or more times. If you search the internet on 'regex tester', there are online testers to put in the regex ( ^[0-9].* ) and a test string, like 0342342@domain.edu which should not match, and a43242@domain.edu which should match.

    Alternatively, you could also create a service before your existing service that uses MATCHES_REGEX ^[0-9].* and use another authentication source like the internal database to send a reject, which then is also logged as a separate service (name it like 'WLAN drop users starting with digit' or something that makes sense) and you can use that to filter in Access Tracker. If you don't do that, the authentications may show up without service selected as they 'fall-through' and that may be confusing in the long term if someone else needs to troubleshoot your deployment.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Filtering in Services

    Posted Oct 14, 2021 04:18 AM
    Herman,

    Thank you for your reply.
    These things are all new for me. 

    What would you suggest how this service have to be configured.

    In the service I make a rule to which SSID it applies
    And I add the rule you mentioned.

    Do I have to make a new role with a role mapping? So yes, what do I have to configure in the role mapping? Nothing or is there something specific that I have to configure? 
    When I configure the services I leave the proxy target empty or must I configure a fake radius proxy?
    In the enforcement tab I can choose the enforcement policy [Sample Deny Access Policy], is that the one to select here?

    Sorry for the many questions, I hope you can help me.

    Kind regards Henk-Jan

    ------------------------------
    Henk-Jan Dennenberg
    ------------------------------



  • 6.  RE: Filtering in Services

    Posted Oct 14, 2021 05:22 AM
    If it is for that 'WLAN drop users starting with digit service'; replicate the service matching parameters, but add the MATCHES_REGEX, and put that service above your normal service that matches all the non-digit-starting accounts. Then add the internal user database in as authentication source, and select EAP-TLS or so as Auth method (or PAP.. but EAP-TLS will definitely not ask on the client for a password if it is for wireless); then use the Sample Deny enforcement policy. No need for role mapping (as authentication will fail anyway), no need for proxy targets, keep the services as simple as possible; and put clear comments in your service, in case someone has a look at it.

    Would be good to work with your Aruba Partner or Aruba Support to verify if this is a production deployment. You can break things seriously if you make a mistake.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Filtering in Services

    Posted Oct 14, 2021 05:33 AM
    Thank you verymuch Herman, for you fast response and answer.

    I will contact my Aruba Partner to check the service i created before I will use it.

    I hope to follow a Aruba ClearPass course in februari.

    ------------------------------
    Henk-Jan Dennenberg
    ------------------------------



  • 8.  RE: Filtering in Services

    Posted Nov 01, 2021 09:07 AM
    thank you so much for your explanations .

    ------------------------------
    Eli James
    ------------------------------