Security

 View Only
last person joined: 2 days ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Adding an extra local SQL database to store MAC-adresses

This thread has been viewed 31 times
  • 1.  Adding an extra local SQL database to store MAC-adresses

    Posted May 31, 2023 04:44 AM

    Hello,

    I have a question about authenticating some devices. We have some devices on the network which fall under the category 'security'. It is hard to profile them and then send back the correct role to get these devices in the correct VLAN. So what we want to do is create a new local SQL database in Clearpass where we can store the MAC addresses from these devices. Is this possible? And is it possible to use this database as an authentication source in the service to check, if a device that is trying to connect to the network, if the MAC-address is listed in this database?


    Kind regards,

    Jeffrey



  • 2.  RE: Adding an extra local SQL database to store MAC-adresses

    Posted May 31, 2023 05:00 AM

    Hi Jeffrey

    No, you can't create a new custom database in ClearPass, in that case you must host the database on an external database server and configure this server as a source for ClearPass to look in to validate the MAC address. But this is maybe a bit of over working the solution.

    Instead you can utilize the already present device database, Guest Device Repository.
    With this database you can assign a device a specific role and only grant the devices in the database access according to the assigned roles.
    Even though the database is named Guest Device Repository and the administration is done under the /guest part of ClearPass it's not limited to only guest devices.

    Also, if you configure Guest Operator Profiles you can delegate permissions to handle different types of devices based on AD groupd or other authorization information.
    One group can be assigned permissions to add and delete security cameras another group to handle card readers for the doors etc.
    If you have a need to deligate administration to local or regional staff this solution is good, as they can only handle the devices within their responsibility.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Adding an extra local SQL database to store MAC-adresses

    Posted May 31, 2023 05:20 AM

    Thanks for your response Jonas,

    I am looking in the guest section of Clearpass right now and am I seeing this page.
    We actually have two groups of devices that need to be checked; 'security' and 'utility'. Is it possible to add those two role-names to the list at 'account-role' that can be seen in the screenshot above? And is it then possible to check for this specific role in the rolemapping / enforcement in the service to send back the correct profile?

    Kind regards,

    Jeffrey




  • 4.  RE: Adding an extra local SQL database to store MAC-adresses
    Best Answer

    Posted May 31, 2023 05:27 AM

    Hi All,

    Alternatively why dont we use Static Host List and list all the MACs there ?

    SHL is also 'database' resides in local, to use it just configure it as one of the Authentication Source and configure the policy based on that. You can create multiple SHL so that u can group it inside different different Authc Source Profile.

    Hope my explanation clear. :)




  • 5.  RE: Adding an extra local SQL database to store MAC-adresses

    Posted May 31, 2023 05:34 AM

    Thanks for your response Matchabear,

    This is a better solution for my question. But how do I add a static host list as an authentication source to my service?




  • 6.  RE: Adding an extra local SQL database to store MAC-adresses

    Posted Jun 01, 2023 03:37 AM

    Hi Jeffrey and Jonas,

    Pls see the attached to configure Static Host List to be a member of Authc Source profile.

    Using ClearPass Guest is also feasible I would say and can give more flexibility to the MAC address itself because we can add custom attribute to the MAC address as well. Meaning to say, if we put Authorization Source as Guest Device Repo, we then can call the custom attributes and use it as a condition to create a more flexible rule.

    You can refer to the document I attach here to use the custom attribute in Guest Device Repo. See Page 8-9. In there there is Authorization:Endpoint Repo:fingerprint blabla , this u can change to Authorization:Guest Device Repo:[custom_attribute] , assign the condition to a Role and then use it for Enforcement Policy rule creation.


    Attachment(s)



  • 7.  RE: Adding an extra local SQL database to store MAC-adresses

    MVP
    Posted Jun 01, 2023 07:12 AM

    Whenever I have questions such as this, the SE on our Aruba account team is an invaluable resource.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 8.  RE: Adding an extra local SQL database to store MAC-adresses

    Posted May 31, 2023 06:25 AM

    Hi

    Yes, it's possible

    Follow the steps below:
    - Create the two new roles, security and utility, under Configuration\Identity\Roles
    - Update the role mapping policy [Guest Roles]. This role mapping policy have a special use as the roles added here are the roles populating the account role drop down.

    Create rules like the one in the screenshot:
    The number can be any number and this number will be written as the Role ID value in the Guest Device Repository for the device when added.
    - Create a role mapping policy for the MAC authentication service, or edit if you already have one

    The first rule has an additional condition to validate that the account is marked as active and does not have an expired date. This is optional but good to evaluate. This way it's possible to allow devices for a specific time.
    - In the enforcement policy of the MAC authentication service utilize the roles assigned in the role mapping policy to assign the correct enforcement profiles.

    If only the ClearPass administrator should be able to add the devices and assign the roles, you can stop here. If the permissions should be delegated to other persons continue with the rest of the tasks.

    Switch to the Guest part of ClearPass
    - Navigate to Administration\Operator Logins\Profiles
    - Create a new profile and give it a name, in this example I have named it Security Admins, when saved this name will also be created as a role in the Policy Manager part of ClearPass. This will be utilized for the login a the operator.
    Scroll down a bit in the role and select the roles this profile should be able to handle. In the picture below I have only selected security, if you need to handle the two device types within separate teams.
    The dropdown will control if the profile can see all devices of the specific type or just the ones created by this specific user or this profile. Several profiles with same premission but with the operator filter set to "Only show accounts created with this profile" can be a use case for delegation to local staff in different locations etc.
    Copy the profile name before saving.
    It's also in the profile you have the option to assign customized forms for device registrations etc. This is a more advanced option but it's possible to customize the device registration form and hide some of the fields, or add new fields as needed.


    Go back to the Policy Manager part of ClearPass.
    Navigate to Configuration\Enforcement\Profiles 
    Copy the profile [Operator Login - Admin Users]
    Rename the profile to a meaningful name. ie. Operator Login Security Admins
    Change the attribute value to the name of the operator profile. The name is case sensitive, hence the advice to copy and just paste it here
    Last steps are related to the login of the operator on the /guest pages.

    - Copy the Service [Guest Operator Logins]
    - Rename the new service to a meaningful name
    - Create a new enforcement policy or copy the default policy
    - Edit the enforcement policy and add rules as needed for the admin profiles created. If the role should be assigned by an AD group also add a role mapping policy for the role assignment.

    As mentioned in another answer it's possible to also utilize Static Host Lists. The usage of Static Host Lists are generally not recommended as they are only left in ClearPass for backward compatibility. You can't assign permissions to the different lists nor to specific MAC addresses. The management doesn't scale well and the MAC addresses are not sorted in the lists.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------