Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Authorization Attributes from Radius Input

Jump to Best Answer
This thread has been viewed 0 times
  • 1.  Authorization Attributes from Radius Input

    Posted Jun 25, 2013 04:17 PM

    Hi,

     

    I am trying to block domain laptops to the Guest network via a lookup in AD. 

     

    However, for some reason I only get 1 authorization Attribute through in the radius input log.

     

    Authorization:[Endpoints Repository]:Unique-Device-Count1

     

    I have made sure that the Insight database is selected and also restarted all the services again.

     

    It make no difference,  Any ideas ?

     

     



  • 2.  RE: Authorization Attributes from Radius Input

    Posted Jun 25, 2013 08:26 PM

    What are you looking up in AD?  You could try chekcing for the [MACHINE AUTHENTICATED] role because that would be tied to the mac address of that device, but that might be it....



  • 3.  RE: Authorization Attributes from Radius Input

    Posted Jun 26, 2013 11:52 AM

    The Customer doesn't want any corporate Laptops to be able to access the guest network.

     

    Therefore, we would like it to query AD to see if it has a valid machine name and if so reject it?

     

    Is this possible?



  • 4.  RE: Authorization Attributes from Radius Input

    Posted Jun 26, 2013 11:55 AM

    Not possible, because as a guest, the only two things we can use for authentication are the mac address of the device upon association and the username of the guest.

     

    Using mac authentication, if the device has already authenticated as a domain computer, it might be able to derive the built-in CPPM [Machine Authenticated role], which you could use to put the device in a VLAN or in a role that bring up a page, rejecting the device.

     

    Alternatively, you can use group policy to push an SSID with the guest SSID name with a wep key, so that those devices simply cannot connect to the guest SSID.

     



  • 5.  RE: Authorization Attributes from Radius Input

    Posted Jun 26, 2013 11:59 AM

    I'm pretty new to this, is ther a guide to how you would do this?



  • 6.  RE: Authorization Attributes from Radius Input
    Best Answer

    Posted Jul 08, 2013 02:33 PM

    image011.jpg

     

    Simply use Group Policy to make the Guest network invisible to Domain Machines.

     

    If you set it to "Deny" the user's cannot even "see" it in the list of available WLANs on a Domain Member machine.

     

    (You can also prioritize ordering of ESSIDs for supported networks as well) 

     

    Helps to avoid the support calls because user is on local hotspot network instead of your corporate network.