Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Policy Manager 6.9.13.138003 - SNMP MIBS

  • 1.  ClearPass Policy Manager 6.9.13.138003 - SNMP MIBS

    Posted Feb 09, 2024 07:16 AM

    Hi we are running

    ClearPass Policy Manager 6.9.13.138003 

    Can someone please tell me which MIBS to use to get information on the following

    User Name

    When (date and Time) account was locked out

    What caused the lockout

    And the device (e.g. mobile)



  • 2.  RE: ClearPass Policy Manager 6.9.13.138003 - SNMP MIBS

    Posted Feb 09, 2024 07:43 AM

    Hi

    I'm not sure if there are such MIBS, at least I haven't seen it.

    What is the use case? I guess you have issues with mobile devices locking AD accounts after a password change when the user has forgotten to change the EAP-PEAP configuration of the mobile device?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass Policy Manager 6.9.13.138003 - SNMP MIBS

    Posted Feb 09, 2024 08:57 AM

    Hi Jonas, you are spot on. We are a large organisation with over 4K employees and on a recurring basis IT have to deal with investigating why an end user's AD account has become locked.

    Are you aware of any CLI commands I can use which would trawl through the database and pull out information related to - Account ID - Date and time of lockout and cause?

    Ideally I need to search the entire database and not just perform it for 1 user.




  • 4.  RE: ClearPass Policy Manager 6.9.13.138003 - SNMP MIBS

    Posted Feb 09, 2024 09:59 AM

    Hi

    The CLI in ClearPass doesn't have any commands like this so that's not an option.

    A few years ago I worked a lot with municipalities and the public schools with a lot of iPads. In some schools they had shared devices, not personal devices, and to "simplify" for the local IT staff each school had an AD account for their iPads, resulting in hundreds of devices using the same account for EAP-PEAP authentication. Curious kids exploring the authentication settings changed the password for the account, leading to massive lockout of all the school's iPads... Not the best solution!

    The solution in cases like this was to implement several different configurations to mitigate the lockout problem.

    Raise the lockout threshold in AD, I think they had 3-5 tries before lockout initially

    Created a custom attribute in the Endpoints Repository, i.e. Bad Password

    Created two enforcement profiles, one updating the attribute Bad Password = True and one Bad Password = False

    In the Enforcement policy created a new rule triggering on the error message given when you supply wrong password, and the AD attribute badPwdCount > 1 and applying Bad Password = True.

    Also created a copy of the 802.1x Service, named something like "802.1x Wireless Bad Password", adding Bad Password = True to the Service conditions and a separate AD source with a modified search condition like: (&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4)))

    This will filter any accounts where the badPwdCount is 4 or higher, preventing ClearPass from trying to authenticate and by this also prevent a lockout of the account.

    In the Access Tracker you will just see "User not found" error message, this can be confusing for first line staff...

    If there are more devices trying to authenticate with this account, like the user on the domain-joined computer, they will reset the counter to 0 when they manually log in.

    When the user has updated the password on the mobile phone and the badPwdCount has been reset, either by a successful login or a password change from the service desk, the phone can authenticate with the service "802.1x Wireless Bad Password" as the AD source can find the user account again. If the authentication is successful, the enforcement policy applies the Bad Password = False enforcement profile and by this resets the processing to the normal service.

    A quite complex setup, but it worked in most situations. A risk is that if you have multiple devices with the wrong password, each of them can perform a single try and lock the account. If you just have users with personal devices this shouldn't be a major issue.

    The reason for the separate service "802.1x Wireless Bad Password" is to not affect all devices with correct passwords. If only the normal 802.1x has the badPwdCount filter, no authentications will be allowed on any device; my goal was to just stop devices that had sent a bad password.

    The solution above is just a bandaid on the wound, the better solution is to provide certificates to the devices and use EAP-TLS or EAP-TEAP instead. But that's a different story.

    When you have implemented this you can search either in Access Tracker for devices/users hitting the "802.1x Wireless Bad Password" service, or in the Endpoints Repository for devices with the attribute Bad Password = True.

    Reports can also be generated from Insight and sent by email.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
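
The flow described in the post above, as an added example that is not part of the original post and not ClearPass code: a simplified Python model of the two services, the Bad Password endpoint attribute and the filtered AD source. The lockout threshold of 10, the normal service name, the passwords and the MAC addresses are constructed assumptions.

```python
# Simplified model of the flow in the post above. All names and values are
# constructed for illustration; these are not ClearPass or AD APIs.
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 10  # assumption: AD lockout threshold after being raised
FILTER_LIMIT = 4        # from the AD source filter (!(badPwdCount>=4))
NORMAL, BAD = "802.1x Wireless", "802.1x Wireless Bad Password"

@dataclass
class Account:
    password: str
    bad_pwd_count: int = 0

    @property
    def locked(self):
        return self.bad_pwd_count >= LOCKOUT_THRESHOLD

def ad_check(acct, password):
    """Wrong password increments badPwdCount; a successful login resets it."""
    if acct.locked:
        return False
    if password == acct.password:
        acct.bad_pwd_count = 0
        return True
    acct.bad_pwd_count += 1
    return False

def authenticate(endpoints, acct, mac, password):
    """One 802.1X attempt; returns (service, result) as Access Tracker would show."""
    service = BAD if endpoints.get(mac) else NORMAL
    if service == BAD and acct.bad_pwd_count >= FILTER_LIMIT:
        return service, "User not found"   # filtered out, AD never sees the try
    if ad_check(acct, password):
        endpoints[mac] = False             # profile: Bad Password = False
        return service, "Accept"
    if acct.bad_pwd_count > 1:             # rule: wrong password and badPwdCount > 1
        endpoints[mac] = True              # profile: Bad Password = True
    return service, "Reject"

def simulate(stale_devices=1, attempts=20):
    """Each stale device retries an old password; returns (log, account, endpoints)."""
    acct, endpoints, log = Account(password="new-secret"), {}, []
    for n in range(stale_devices):
        mac = f"aa:bb:cc:00:00:{n:02x}"
        log += [authenticate(endpoints, acct, mac, "old-secret") for _ in range(attempts)]
    return log, acct, endpoints

if __name__ == "__main__":
    log, acct, _ = simulate()
    print(log[:6], acct.bad_pwd_count, acct.locked)
```

With one stale device the counter stops at 4 and the account stays unlocked; `simulate(stale_devices=7)` reproduces the multi-device risk the post mentions, because each unflagged device still gets one try through the normal service.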



  • 5.  RE: ClearPass Policy Manager 6.9.13.138003 - SNMP MIBS

    MVP
    Posted Feb 12, 2024 07:21 AM

    I think you are looking for this doc. I am not sure the MIBs themselves are readily available.

    https://www.arubanetworks.com/techdocs/ClearPass/6.9/PolicyManager/Content/CPPM_UserGuide/SNMP_MIB_Events_Errors/Intro_SNMPMIB_Events_Errors.htm



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------