Security

  • 1.  ClearPass - How to choose between multiple AD Groups in either Role Mappings or enforcement policies (OR Statement).

    Posted 19 days ago

    I am struggling with the following scenario, which works perfectly on Cisco ISE but which I need to replicate exactly on ClearPass.

    To simplify things, there are 2 requirements:

    1. Access based on TEAP (no worries about this)
    2. The computer or user (depending on the policy) needs to be a member of any one of 5 AD groups (e.g. GROUP1 ... GROUP5)

    If I try to do it in the Role Mappings part, there is no OR statement that can combine this:

    If the computer passes TEAP AND is a member of either GROUP1, GROUP2, GROUP3, GROUP4 or GROUP5

    Role mapping rules can only match ANY or ALL. In the operator part of the rule, there is no "Match any" against AD.

    It gets even worse in the Enforcement Policy part.

    Here I can only choose MATCH ALL.

    So if I put in TIPS Role = the role name I may have assigned in the Role Mappings part, I cannot also specify that the user or computer needs to be a member of any of the mentioned groups.

    The operator value "CONTAINS" is a no-go, since the customer uses numerical values, so I cannot match on numbers since they are continuous.

    So I feel very limited on ClearPass compared to what I can do on Cisco ISE!



  • 2.  RE: ClearPass - How to choose between multiple AD Groups in either Role Mappings or enforcement policies (OR Statement).

    Posted 19 days ago
    Edited by Herman Robers 19 days ago

    Not sure if I fully understand, but I would use the following logic for such a scenario:

    Role mapping (match any):

    Auth:AD Group equals group1 => Role_groupA
    Auth:AD Group equals group2 => Role_groupA
    Auth:AD Group equals group3 => Role_groupA
    Auth:AD Group equals group4 => Role_groupA
    Auth:AD Group equals group5 => Role_groupA

    So 5 different rules; this will result in the Role_groupA ClearPass role being applied if the user is part of any of group1..group5.

    Enforcement (first match):

    Authentication:TEAP-Method-2-Status EQUALS Success AND
    Tips:Role EQUALS Role_groupA => do your enforcement 

    Alternatively, you should be able to use the 'belong_to' 'group1,group2,group3,group4,group5' classifier to match any of the groups.

    Maybe the logic used in ClearPass requires you to think a bit differently from what you are used to, but there is a very good chance you can do close to everything you can come up with by combining role mapping and enforcement. Role mapping is perfect for most 'OR' operations; then in enforcement you typically have enough with AND within the rule.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass - How to choose between multiple AD Groups in either Role Mappings or enforcement policies (OR Statement).

    Posted 19 days ago

    I would prefer to have it in the role mappings parts.

    So the 'belong_to' is an ANY statement (GROUP1 OR GROUP2 OR ...) and not an AND statement (GROUP1 AND GROUP2 AND ...)?




  • 4.  RE: ClearPass - How to choose between multiple AD Groups in either Role Mappings or enforcement policies (OR Statement).

    Posted 19 days ago

    Correct, it's separated by commas, not spaces, but the idea is the same. Documentation on the operators is here.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: ClearPass - How to choose between multiple AD Groups in either Role Mappings or enforcement policies (OR Statement).

    Posted 19 days ago

    So as an example I have these two role mappings.

    The first should hopefully match a computer and user passing TEAP, and the user should be a member of a specific AD group.

    The second should hopefully match that only the computer passes TEAP, and that the user should be a member of a specific AD group.

    But if I want to use multiple AD groups, would the syntax then be BELONGS_TO "GROUP1 GROUP2", where a space is used to divide the groups?




  • 6.  RE: ClearPass - How to choose between multiple AD Groups in either Role Mappings or enforcement policies (OR Statement).

    Posted 19 days ago

    Change memberOf to Groups. And I'd recommend never using memberOf again unless you really have to; it has some very unexpected side effects which are not there in Groups, which splits the groups into different objects, versus memberOf, which is a single string.

    Depending on what you further want to do, it may also be useful to split the role mapping into different functions: one that assigns a role for User+Computer authenticated, one for Computer-only (and maybe one for User-only), and a separate one to match the Issuer and group membership, where you may even use 5 different rules instead of the BELONGS_TO. Then in enforcement do U+C & Group member -> enforcement, and C & Group member -> other enforcement, where if you don't have a Method-2 there won't be a User Group as there is no User. But that's something you should probably play with to find what works best, and it's also dependent on personal preference or standards you may like to follow.

    I agree it may be confusing that you can do things in ClearPass in multiple ways, but that also makes it really flexible.



    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: ClearPass - How to choose between multiple AD Groups in either Role Mappings or enforcement policies (OR Statement).

    Posted 14 days ago

    Yes, I am trying to mix it up. But it would be good if HPE could copy what ISE does by allowing multiple AND/OR statements in both areas (role mapping and enforcement policies). And just so we are aligned: "BELONGS_TO" in both the role mapping and enforcement policy areas and "MATCHES_ANY" in the role mapping area are OR statements, with the values in BELONGS_TO separated by commas?




  • 8.  RE: ClearPass - How to choose between multiple AD Groups in either Role Mappings or enforcement policies (OR Statement).

    Posted 14 days ago

    Essentially, yes.  You can also use a regular expression to match.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
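As an added illustration of the rule semantics discussed in this thread (written for this page, not ClearPass code and not posted by any participant), the following Python models a simplified role-mapping and enforcement evaluation. It reproduces the points made above: OR by repeating five EQUALS rules that assign the same role versus one BELONGS_TO rule with a comma-separated list (post 2), why CONTAINS misfires on numbered group names such as GROUP1 versus GROUP10 (post 1), why the single-string memberOf attribute does not match the way the multi-valued Groups attribute does (post 6), and an anchored regular expression as the alternative from post 8. The evaluation model (evaluate-all role mapping, first-applicable enforcement with ANDed conditions), the attribute names Authorization:AD:Groups and Authorization:AD:memberOf for an authentication source named "AD", the enforcement profile name Allow_Corporate and the sample requests are all assumptions for the example.

```python
# Simplified model of ClearPass-style role mapping and enforcement rules.
# Added illustration only: operator names follow the thread, but the
# evaluation semantics are a toy approximation of the real engine.
import re
from dataclasses import dataclass


# Attribute values are always handled as a list: a multi-valued attribute
# such as Groups (one object per group) is matched per element, while a
# single-string attribute such as memberOf becomes a one-element list.
def op_equals(values, arg):
    return any(v == arg for v in values)


def op_contains(values, arg):
    # Substring match: "GROUP1" is inside "GROUP10", which is the false
    # positive the original poster worries about with numbered group names.
    return any(arg in v for v in values)


def op_belongs_to(values, arg):
    # Comma-separated list of exact names; true if ANY value is in it (OR).
    allowed = {name.strip() for name in arg.split(",")}
    return any(v in allowed for v in values)


def op_matches_regex(values, arg):
    # Anchor the pattern (e.g. ^GROUP[1-5]$) to avoid the CONTAINS problem.
    return any(re.search(arg, v) for v in values)


OPERATORS = {
    "EQUALS": op_equals,
    "CONTAINS": op_contains,
    "BELONGS_TO": op_belongs_to,
    "MATCHES_REGEX": op_matches_regex,
}


@dataclass(frozen=True)
class Condition:
    attribute: str
    operator: str
    arg: str

    def holds(self, request):
        values = request.get(self.attribute, [])
        if isinstance(values, str):
            values = [values]
        return OPERATORS[self.operator](values, self.arg)


@dataclass(frozen=True)
class Rule:
    conditions: tuple
    result: str
    match: str = "ALL"  # ALL = AND across conditions, ANY = OR

    def applies(self, request):
        outcomes = [c.holds(request) for c in self.conditions]
        return all(outcomes) if self.match == "ALL" else any(outcomes)


def role_mapping(request, rules):
    """Evaluate every rule and collect the roles of all rules that apply."""
    return {rule.result for rule in rules if rule.applies(request)}


def enforcement(request, roles, rules, default="Deny"):
    """First applicable rule wins; conditions within a rule are ANDed."""
    req = {**request, "Tips:Role": sorted(roles)}
    for rule in rules:
        if rule.match == "ALL" and rule.applies(req):
            return rule.result
    return default


# Assumed attribute names for an authentication source named "AD".
GROUPS = "Authorization:AD:Groups"
MEMBER_OF = "Authorization:AD:memberOf"
GROUP_LIST = "GROUP1,GROUP2,GROUP3,GROUP4,GROUP5"

# Post 2: five EQUALS rules sharing one role (OR by repetition) ...
FIVE_RULES = tuple(
    Rule((Condition(GROUPS, "EQUALS", f"GROUP{i}"),), "Role_groupA")
    for i in range(1, 6)
)
# ... or a single BELONGS_TO rule with a comma-separated list.
BELONGS_RULE = (Rule((Condition(GROUPS, "BELONGS_TO", GROUP_LIST),), "Role_groupA"),)

# Enforcement from post 2: TEAP method 2 succeeded AND the role was assigned.
ENFORCEMENT_RULES = (
    Rule((Condition("Authentication:TEAP-Method-2-Status", "EQUALS", "Success"),
          Condition("Tips:Role", "EQUALS", "Role_groupA")), "Allow_Corporate"),
)

# Constructed sample requests (not taken from the thread).
IN_GROUP3 = {
    "Authentication:TEAP-Method-2-Status": "Success",
    GROUPS: ["Domain Users", "GROUP3"],
    # memberOf as one string: EQUALS "GROUP3" cannot match it (post 6).
    MEMBER_OF: "CN=Domain Users,DC=example,DC=com;CN=GROUP3,DC=example,DC=com",
}
IN_GROUP10 = {
    "Authentication:TEAP-Method-2-Status": "Success",
    GROUPS: ["Domain Users", "GROUP10"],
}

if __name__ == "__main__":
    for name, req in (("GROUP3", IN_GROUP3), ("GROUP10", IN_GROUP10)):
        roles = role_mapping(req, FIVE_RULES)
        print(name, "roles:", roles, "->", enforcement(req, roles, ENFORCEMENT_RULES))
        print(name, "CONTAINS GROUP1:", Condition(GROUPS, "CONTAINS", "GROUP1").holds(req))
```

The request in GROUP3 gets Role_groupA from either the five-rule or the BELONGS_TO variant and then hits the enforcement rule; the request in GROUP10 gets no role and falls through to the default, yet CONTAINS "GROUP1" still reports true for it, which is why exact-match operators or an anchored regex are the safer choice for numbered groups.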