Security

last person joined: 15 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

two types of authentication on same SSID

Jump to Best Answer
This thread has been viewed 2 times
  • 1.  two types of authentication on same SSID

    Posted Nov 01, 2012 04:00 PM

    Hello gurus,

    I have the following setup which I want to implement.

    I got Aruba controller 3600 with clearpass solution which i evaluate at the moment.

    Scenario A: active directory user authentication without certificate

    Scenario B: active directory user authentication + machine authentication.

    Currently i got my CA server running, with certificates installed on the client side and clearpass side and its working fine. BUT...

    i would like to add a role which says in case the user authenticates without certificate he will be able to just browse the internet. in case he has certificate he can access local resources. This is all done on a single SSID.

    i tried to add under 802.1X Authentication Server Group my radius server with two diffrent roles.

    1

    Tunnel-Private-Group-Id

    equals

    WithCertificate

    String

    set role

    authenticated

    Yes

    2

    Tunnel-Private-Group-Id

    equals

    WithoutCertificate

    String

    set role

    Internet_Only

    Yes

    Also in the clearpass radius i added the same options under service rule, but it doesn’t work.

    So now because i got two different rules to authenticate users the policy will always go to the 1st match which will usually fail since as mentioned i got two different profiles, so now a user without certificate tries to authenticate he will be dropped since there is no connection policy for him.

    So what do we do from here?

    Thanks.


    #3600


  • 2.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:11 PM

    So you want to differentiate between Domain Machines and other devices?

     



  • 3.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:14 PM

    no.

     

    I want to be able to use one SSID with different types of users.

    I.e.. Users what have a mobile device without certificate, which will use ad credentials and get only internet access without local resources  and regular laptop users which are members of the domain and have certificate, they will be able to access everything.

     



  • 4.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:18 PM

    @idcnetworking wrote:

    no.

     

    I want to be able to use one SSID with different types of users.

    I.e.. Users what have a mobile device without certificate, which will use ad credentials and get only internet access without local resources  and regular laptop users which are members of the domain and have certificate, they will be able to access everything.

     


    Okay.

     

    Are both groups of users being authenticated successfully right now (if not, we need to fix that before doing anything)?

     



  • 5.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:26 PM

    At the moment,

    I use one username from laptop with certificate and it works. i use the same username from my android device without certificate, only A.D authentication and it works.

    But when I combine both rules in the clearpass it dosent work, as there is no way (that I have found) to distinguish the connection request therefore it will always match the 1st one which is with certificates. And then the no-certificate dosent work.

    So each time I need to stop one of the services in the clearpass.

     



  • 6.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:29 PM

    Okay.  Edit the service,  and under the Authentication Tab do  you have MsChapV2, EAP-PEAP and EAP-TLS as Authentication methods?

     



  • 7.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:30 PM

    yes i do.

     

    but isnt it smarter to seperate them, and send tunnel-group-id which can be Usercertificate and the other one NoCertificate or something like that?

     



  • 8.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:45 PM

    No.  Keep them in the same service.  We will send a different Enforcement Profile that will send a different role, depending on whether it does EAP-TLS or not:

     

    On the controller:

     

    Make sure you have two roles set aside for your two different types of users.  You will not need any Server derivation rules in the server group, because we will send an Aruba VSA (Aruba-User-Role) with the name of the Role from CPPM and that will automatically put the user in that role.

     

    On CPPM:

     

    1- Go to Configuration> Enforcement> Profiles.

    2- Click on Add Enforcement Profile

    3- Select Aruba Enforcement Profile and Name the Profile after your first Aruba Role (for TLS/Certificate) users).  Click on Next and in the Attributes Tab, fill in the Value box with the name of the Aruba Role that you want to send back for Certificate (TLS) users.  Click on Save.

    4- Select Aruba Enforcement Profile and Name the Profile after your Second Aruba Role (for PEAP/Username and password users).  Click on Next and in the Attributes Tab, fill in the Value box with the name of the second Aruba Role that you want to send back for PEAP users.  Click on Save.

    5- Go to Configuration> Enforcement> Policies.  Click on Add Enforcement Policy.  Name the policy Encrypted-Users.  Click next and Under the Rules Tab click to add a rule that says :  "Authentication Outer Method Equals EAP-TLS".  Under the Enforcement Profile portion, select the Enforcement Profile you created in Step#3.  Click on Save.

    6- Add Another Rule.  Click next and Under the Rules Tab click to add a rule that says :  "Authentication Outer Method Equals EAP-PEAP".  Under the Enforcement Profile portion, select the Enforcement Profile you created in Step#4.  Click on Save.

    7-Go into Configuration> Services and Edit your Service.  Under the Enforcement Tab, Select the Enforcement Policy you created in Step#5.

     

    try that and let us know if it works.

     



  • 9.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:58 PM

    i will give it a try tommorow as now its a bit too late.

    i will keep us posted.

    thanks again !!!!

     



  • 10.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 08:45 AM

    I have added everything.

    I got one service which at the moment works with user and computer certificate and also only username \ pass from active directory.

    How can I now separate them on the controller?

    once the user with certificate will authenticate he will get full policy

    once the user dosent preset certificate he will get a lighter policy.

    Thanks.

     



  • 11.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 08:57 AM

    What is not working?  The controller, unless you have termination enabled, merely packages what the client sends it an tunnels the request to the radius server.  The settings on the client and the radius server must match.

     

    The big question is:  what piece is NOT working, so that we can work on that.  We at minimum need to get the basics working, which is authentication and work on authorization, second...

     

     



  • 12.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 10:56 AM

    as sayd.

    not working at the moment is giving diffrent access rules based on authentication.

    i.e.

     

    user A with cert can access everything

    user A no cert can only get internet access

    user B with cert can access everything

     



  • 13.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 02:13 PM

    How can i send aruba-vsa without the server derivation?

    On the controller:

     

    Make sure you have two roles set aside for your two different types of users. You will not need any Server derivation rules in the server group, because we will send an Aruba VSA (Aruba-User-Role) with the name of the Role from CPPM and that will automatically put the user in that role.



  • 14.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 02:17 PM

    The enforcement profile in CPPM responds with the Aruba-User-Role which is the VSA that sets the role.  Anytime that is present, the user will end up in that role.  Setting that parameter on the CPPM side allows you to set the user's role without role derivation rules.



  • 15.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 02:21 PM

    i see, but still the classification is not in place at the moment.

    how can i debug it?

    thanks for ure time



  • 16.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 02:57 PM

    Go to Monitoring> Live Monitoring> Access Tracker and Find the Success Authentication.  Double Click on it.  Click on the Alert Tab to see what was returned to the client.

     



  • 17.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 02:59 PM

    there is no alert tab as the authentication is ok just the role mapping is not.

     



  • 18.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 04:13 PM

    When you click into the message, the last tab on the right should tell you what attributes were sent back (under Radius).



  • 19.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 04:21 PM

    there are 3 tabs summary input output

    but thats all i got, either we are mising something or i dont understand

    Radius:Aruba:Aruba-AP-Group

    IJ_Local_clearpass

    Radius:Aruba:Aruba-Essid-Name

    IJ_Certificate

    Radius:Aruba:Aruba-Location-Id

    ap-nl-idc-02

    Radius:IETF:Called-Station-Id

    000B866DEBA4

    Radius:IETF:Calling-Station-Id

    001F3C20F141

    Radius:IETF:Framed-MTU

    1100

    Radius:IETF:NAS-Identifier

    idc1-wlc01

    Radius:IETF:NAS-IP-Address

    192.168.1.16

    Radius:IETF:NAS-Port

    0

    Radius:IETF:NAS-Port-Type

    19

    Radius:IETF:Service-Type

    1

    Radius:IETF:User-Name

    host/spare003-wifi

    Radius:Microsoft:MS-MPPE-Recv-Key

    0xb63c63e13c28ba84c2e473227c0a11cc0b8b34955256529d46c609c26ee8299a

    Radius:Microsoft:MS-MPPE-Send-Key

    0x059bc07ab43589cd3716b1a806a3216a77bffc7e3f7cdfb1be95c507a4240e05

    +Authorization Attributes

     

    +Posture Request

     

    +SNMP Request

     

    -Computed Attributes

    Authentication:ErrorCode

    0

    Authentication:Full-Username

    host/spare003-wifi

    Authentication:MacAuth

    NotApplicable

    Authentication:OuterMethod

    EAP-TLS

    Authentication:Phase1PAC

    None

    Authentication:Phase2PAC

    None

    Authentication:Posture

    Unknown

    Authentication:Status

    Machine

    Authentication:Username

    spare003-wifi-test$

    Authorization:Sources

    Active_directory

    Certificate:Issuer-CN

    XXXXXX

    Certificate:Issuer-DC

    XXXXXX

    Certificate:Issuer-DN

    XXXXXX

    Certificate:Serial-Number

    27:40:05:00:00:00:00:00:03:cd

    Certificate:Subject-AltName-DNS

    spare003-wifi-test.

    Certificate:Subject-CN

    spare003-wifi-test

    Certificate:Subject-DN

    CN=spare003-wifi

    Certificate:Version

    3

    Connection:Client-Mac-Address

    001F3C20F141

    Connection:Client-Mac-Address-Colon

    00:1f:3c:20:f1:41

    Connection:Client-Mac-Address-Dot

    001f.3c20.f141

    Connection:Client-Mac-Address-Hyphen

    00-1f-3c-20-f1-41

    Connection:Client-Mac-Address-NoDelim

    001f3c20f141

    Connection:Client-Mac-Vendor

    Intel Corporate

    Connection:Dest-IP-Address

    10.3.3.205

    Connection:Dest-Port

    1812

    Connection:NAD-IP-Address

    192.168.1.16

    Connection:Protocol

    RADIUS

    Connection:Src-IP-Address

    192.168.1.16

    Connection:Src-Port

    32800

    Host:FQDN

    spare003-wifi-

    Host:Name

    spare003-wifi

     



  • 20.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 04:27 PM

    Output is the tab.  Expand radius under that.



  • 21.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 04:28 PM
    Enforcement Profiles:
    TLS_Certificate_users
    System Posture Status:
    UNKNOWN (100)
    Audit Posture Status:
    UNKNOWN (100)


  • 22.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 04:31 PM
    Okay. The enforcement profile being sent back is TLS certificate users. That needs to be a type of Aruba radius enforcement and have the attribute Aruba-User-Role returning the role. It is also case sensitive.


  • 23.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 04:42 PM

    i added it but still the same,

    i dont understand something dont i need to setup something in the controller,

    a user role?

    how can the controller understand that the user is supposed to get diffrent policy if not stated

    the other one is

    PEAP_Active_Directory_Auth


  • 24.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 04:51 PM

    Could you elaborate on the procedure to make it happen?

    Thanks.

     



  • 25.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 07:19 PM

    I elaborated on the procedure a few posts ago when I descibed what to do.

     

    Aruba VSAs are radius attributes that when they are in use, set and override role derivation.  If a radius server responds with the Aruba VSA of aruba-user-role during authentication, the user will be placed into that role.  That is what we were trying to do.

     

    From what I see the correct enforcement profile is being set, but somehow you do not have the Aruba-User-Role VSA set.  It should not be blank in the access tracker.  Please check your Enforcement Profile to ensure that the correct role name is configured and being sent.  That would eliminate you from having to write a server derivation rule, and server derivation rules on the Aruba controller are not specific enough to differentiate between EAP-TLS and EAP-PEAP.  That is why we want to detect these things on CPPM and then send back the role to the Aruba Controller during authentication.

     

    If you haven't already, you can obtain the Documentation for Clear Pass Policy manager under http://support.arubentworks.com  and Click on Documentation.  That way I can point you to the pages in the manual for the references that I am making.

     



  • 26.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 07:27 AM

    to which pages to do mean?

    thanks.

     



  • 27.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 08:42 AM


  • 28.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 09:23 AM

    I got the user manual

    which reference did u mean?

    Thanks.

     



  • 29.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 09:31 AM

    Chapter 15 is a chapter on Enforcement that shows you how to create and construct an Enforcement Profile.  What you want to do (and what we configured before) is an Aruba Enforcement profile which can be used to force the role of a device that is authenticated via Radius to the Aruba controller.  That way we can check for a few parameters via CPPM and force the role of a device based on that result.  That is done by pushing an Aruba VSA or Radius attribute which will match what role we want the device to end up in.  My instructions before showed how to do this, but the Enforcement Profile must be of the type "Aruba Radius Enforcement" and the "aruba-user-role" attribute must equal exactly what role you want the device to get.

     



  • 30.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 09:38 AM

    yes, my TLS users are setup with aruba-user-role %{Authorization:AD_Authentication:HostName}

    and my PEAP users are with %{Authorization:AD_Authentication:cn}



  • 31.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 09:41 AM

    @shpapy wrote:

    yes, my TLS users are setup with aruba-user-role %{Authorization:AD_Authentication:HostName}

    and my PEAP users are with %{Authorization:AD_Authentication:cn}


    Your Enforcement profile should look like this:

     

    TLS users :  aruba-user-role - equals - <role on the controller that you want tls users to be in>

    PEAP users:  aruba-user-role - equals - <role on the controller that you want PEAP users to be in>

     

     

    You want to send back the name of a role, NOT a forumula.



  • 32.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 09:56 AM

    well my problem was the formula

    now i have adjusted accordigly.

    TypeName Value
    1.Radius:ArubaAruba-User-Role=authenticated
     TypeName Value
    1.Radius:ArubaAruba-User-Role=

    Internet_Only



  • 33.  RE: two types of authentication on same SSID
    Best Answer

    Posted Nov 05, 2012 09:57 AM

    and this is the controller

     

    now i need to figure why the policy isnot ok but thats a diffrent story :-)

    thanks alot for the help!!!

    also i can see the radius response now

    RADIUS Response

    Radius:Aruba:Aruba-User-Roleauthenticated

     

    1Aruba-User-RoleequalsTLS_Certificate_usersStringset roleauthenticatedYes 
    2Aruba-User-RoleequalsPEAP_Active_Directory_AuthStringset roleInternet_Only

    Yes



  • 34.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 10:03 AM

    The role that you send back is case-sensitive, so it needs to match the case of the role that you have on the controller, exactly.

     

    I am glad to hear that you got it to send something back!  When you are done, we will want others to learn from what you have configured.



  • 35.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 10:11 AM

    let me know what i can share and i will.