Security

 View Only
Expand all | Collapse all

Clearpass - Connecting from VPN with RDP

This thread has been viewed 61 times
  • 1.  Clearpass - Connecting from VPN with RDP

    Posted Jan 01, 2023 06:13 AM
    Hi,
    I setup Clearpass cluster and assign VLANs to a workstation according to its Active directory user login.
    When the workstation is logged out there is no active VLAN on the port. Only dum VLAN (999) which is not configured on the network, only locally on the switches.
    As soon as login is processed, the interface got the correct VLAN for the user.

    My problem is when a client wants to connect to the workstation with RDP. 
    When the workstation is not logged in, it has no IP address. So there isn't an option to connect to it.
    What is the best solution for that kind of problem?

    Generating a transition VLAN is the only possible way? 
    And if it does, Do you have any suggestions what is the most secure way to configure this transition VLAN?


    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------


  • 2.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 01, 2023 09:33 PM
    You would have to configure machine authentication on the client machine for the device to  have an ip address when logged out.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 02, 2023 10:11 AM

    If I put the interface on vlan access 999 and have connectivity in this VLAN (with access to DHCP server and to clearpass)

    Wouldn't it be enough for the machine to get IP address in vlan 999 ?



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 4.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 02, 2023 10:27 AM
    If you are not doing any type of authentication on that port, yes.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 5.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 04, 2023 04:39 AM

    I am doing authentication on that port.

    But I want to have some default VLAN that gives access to DHCP, DC, and Clearpass.
    Can't I put VLAN 999 in access, and only after authentication to replace the Vlan according to the User's AD credentials? 



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 6.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 04, 2023 05:53 AM
    That probably would work. Still, I would recommend configuring computer/machine authentication such that a logged-off computer can authenticate to the network rather than allowing even unauthenticated clients to connect to your AD services.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 05, 2023 09:07 AM

    So if I am doing machine authentication.
    I can Gives it specific VLAN when it is loggod of, and another VLAN if it login (VLAN assigning according to the user AD credentials)?

    I am not sure what is the  flow when I am using both machine authentication and user authentication according to AD. 



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 8.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 05, 2023 11:20 AM
    That would be one option, but be aware that the client will need to do a DHCP renew when switching VLAN, which is why VLAN switching is not really recommended. It would be better to switch roles (to control traffic) and stick in the same VLAN; but if it works and is well tested, VLAN switching may work. For example roaming profiles may break/get corrupted if you switch VLAN in the middle of retrieving/saving. For that reason, just doing computer authentication and/or not switching VLANs may be the better option.

    In short, if you have machine+user, the computer will authenticate with the computer account when nobody is logged on, and reauthenticate as user when a user signs in.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------