Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

AD membership applying to SmartDevice connections on 802.1x

  • 1.  AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 08:56 AM

    This question is in regards to a combination of AD, clearpass, and our firewall. I'll give a bit of a setup outline first, followed by the question.

     

    Users are able to connect on their laptops via TLS+PEAP; they don't need to enter their credentials, their current AD login is automatically used, along with a certificate for auth.

     

    On their SmartDevices they are able to connect by entering their AD username and password, also with cert auth.

     

    In AD we have a role for internet access that users need to be in to be allowed external internet. When connecting to the IAP/clearpass from a laptop, this role is working, as it is a domain laptop. When connecting on a smart device (entering AD credentials) the internet access role isn't applying (if it exists on the account), and as such they are being blocked by the TMG firewall (which checks for user membership of the internet access group). Smart devices are managed through an MDM (listed as endpoint context server).

     

    Is there a way to have clearpass have the smart devices adopt the same AD roles of the account used to authenticate the connection? If not, what alternate approach should I be looking towards?

     

    Thank you

     



  • 2.  RE: AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 09:05 AM
    Are you using EAP-PEAP or EAP-TLS? You can't be using both.


  • 3.  RE: AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 09:21 AM

    TLS will be the one of choice. I just have PEAP on still as I haven't pushed certs out to all my devices yet, as I'm still testing. Both ways use AD as an auth source, so I'd expect the solution would be similar for both?



  • 4.  RE: AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 09:24 AM

    Please share screenshots of your role map and enforcement policy.



  • 5.  RE: AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 09:28 AM

    Nothing special for enforcement. If they have wireless access on their account, allow them. If a mobile device has a fingerprint created, allow it. (Yes, I edited the sample policy; I'll be making a separate one eventually.)

    [screenshot: 2016-10-28_09h24_57.png]

     

    No role mapping created yet. As laptop users are able to gain external access from their AD roles, I'm hoping to get mobile phones working similarly when entering in their AD credentials to authenticate.



  • 6.  RE: AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 09:30 AM

    Are you seeing the group listed for the user in access tracker under authorization?



  • 7.  RE: AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 09:39 AM

    Do you mean under roles? Authorization just shows Active Directory and Endpoints repository.

     

    I see both roles needed: 'gs ESAI Wireless Access', needed to connect to the IAP (they successfully connect), and 'InternetAccess', needed to get past the firewall.

     

    Edit* Or if you mean authorization under input (I was looking under summary), then yes, they both appear there as well.



  • 8.  RE: AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 11:03 AM

    Could this be a cert issue?

     

    Which cert am I supposed to import into the SmartDevices (or clients in general)? I imported the RADIUS cert from clearpass (signed by our internal CA). I'm starting to think this is the wrong cert to put into the clients' trust.



  • 9.  RE: AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 11:25 AM

    Earlier Tim asked for a screenshot of the Role Mapping and Enforcement policy being applied; but you only have the Enforcement policy shown; can you do the same for the Roles tab?

     

    Also, how is the TMG firewall determining its rules? Is it talking directly to AD to determine group memberships?



  • 10.  RE: AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 11:33 AM

    I mentioned in the post with the screenshot for enforcement that there were no role mappings created, but here's proof:

    [screenshot: 2016-10-28_11h26_19.png]

     

    TMG can apply rules to requests that come from user sets (AD groups). It will talk with AD to view the group; if the user sending the request is in the group, it applies the rule.



  • 11.  RE: AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 11:37 AM
    Can you export the Access Tracker request for the SmartDevice and upload here?


  • 12.  RE: AD membership applying to SmartDevice connections on 802.1x

    Posted Oct 28, 2016 12:50 PM

    I did find one error before exporting the logs. The mobile devices were connecting using PEAP, so I've removed that from our service and have the phones set to connect using TLS. Now we are receiving "EAP-TLS: fatal alert by server - unsupported_certificate" on iPhones, and "EAP: Client doesn't support configured EAP methods" on Androids.

     

    I've attached the Access Tracker export for an Android connection.

    Attachment(s): DashboardDetails.zip (7K)