
CPPM Static Host Lists and Role Mapping Policy

  • 1.  CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 21, 2023 01:22 PM

    Hello all

    I was wondering if there was a way to select multiple Static Host Lists with the "Belongs_To_Group" option in a Role Mapping Policy (being able to select all groups would work).  Currently we have quite a few static host lists that are used for different things (therefore a single list will not work).  For a different reason, we would like to assign a TIPS role in addition to the other TIPS roles for every device that is in a static host list.  Something along the lines of "Belongs To Group" "*" or any other wildcard.  I haven't been able to find a way to do it.  Can it possibly be done via regex?

    Thanks!

    Jeff Johnston



  • 2.  RE: CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 21, 2023 01:37 PM

    Maybe I'm not following but why not just do multiple "belongs to group" rules within the role mapping?  

    Also it would be best practice to migrate away from using static host lists and use Profiling instead.




  • 3.  RE: CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 21, 2023 02:14 PM

    Thanks for the quick reply.  I don't want to do multiple "belongs to group" rules for a couple of reasons.  First, we currently have 60 SHLs (yeah, I don't like it either LOL).  But more importantly, we occasionally add or delete an SHL, and remembering to update the Mapping Rule every time that happens is not something I want to add to my plate.

    Profiling won't work (at least I don't think so).  It's not about the type of machine or anything that's machine specific and being profiled.  It's about who owns it.  We have outside vendors that use internal services.  The administrators are not willing to create user accounts or machine accounts in our AD and we need to classify them in "buckets" for access.  For example - Dining gets an SHL to get to certain items.  Banking gets an SHL with completely different authorizations.  As I said - there are currently quite a few different categories.  We talked about using the Guest DB for this, but we believe that might be more cumbersome.

    Even though I'm not a fan of this method, it works... until now.  We are switching to an F5 utility for external access bandwidth shaping.  Everything in the static host lists would get the same external access bandwidth, and the F5 accepts the TIPS role as an input.  So if I could create a rule that says if you are in ANY SHL, you get TIPS role "StaticHost".




  • 4.  RE: CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 21, 2023 02:37 PM

    Yeah I'm not aware of an ANY supported field for Static Host Lists.  You're right that regex might be possible but I've never attempted it.

    I would 100% suggest moving away from this method however.  Maybe EAP-TLS with certificate attributes identifying each business unit?




  • 5.  RE: CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 21, 2023 03:12 PM

    Hi

    As @ahollifield already pointed out, the SHL is a legacy object in ClearPass, only available for compatibility.

    When I need to assign roles based on MAC addresses I always add the MAC addresses to the Guest Device Repository. This way I can delegate the rights to add MAC addresses and assign specific roles to users based on AD groups, if the customer would like to have this option.

    Another way to add the MAC addresses is by importing CSV files. This is really convenient. When added to the Guest Device Repository you also have the option to add other attributes to the MAC address besides the role, like name, comment, email of the owner of the device, expiration time etc.

    I would say that it would be quite easy to rebuild the logic you have today based on the SHL's in the role mapping policy to a logic based on assigned roles in the Guest Device Repository.

    If you have not worked with assigning roles based on MAC addresses in the Guest Device Repository, I understand that it looks like a really big job to transfer the logic and data. But work with an Aruba partner, Aruba SE or maybe TAC to implement this. I think you will find the time spent valuable in the end. Of course asking questions in the forum is also an option.

    Returning to your initial question regarding Belongs_To_Group, I think this operator only checks different Network Device Groups.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 21, 2023 03:28 PM

    Thanks

    Adding them to the Guest Repository wouldn't be hard.  But keeping it maintained in CPPM vs Guest is easier for us the way we are structured.  On top of that, we already have 60+ static host lists plus about a dozen Guest user roles defined.  I believe there is a limit to how many user guest roles can be created, 64 I thought, which pushes us right to the limit with no wiggle room.

    If it can't be done, it can't be done and we will find an alternative.  I completely understand that SHLs are outdated and on the way out, and I'm not a fan of them.  But while it's not perfect, it's working at the moment.  And as a surgeon in a world famous children's hospital on the east coast once told me - don't let perfection get in the way of good enough.  Just hoping that there was a regex formula that could use a wildcard looking at SHLs.  As an FYI - I spent a few years before this job as an Aruba Partner and still have a close working relationship with them.  I will be running this past them also in our bi-weekly meeting, but thought I would throw it out here first in case someone else ran into something similar.




  • 7.  RE: CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 21, 2023 04:48 PM

    Hi

    I have never heard or read anything about an upper limit of number of guest roles. But there may exist a limit. I tested in a lab server and created 70 roles and I was able to add them to a Guest Operator profile.

    I also tried in the lab to create several Static host lists to see if it's possible to use them as authorization sources. But I got stuck as it looks like it's not possible.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 8.  RE: CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 22, 2023 06:35 AM

    Thanks so much for checking that for me.  When I was remembering a Guest role limit of 64 I must have been using some really old brain cells.  The limit of 64 is a character limit on each role and not a limit on the number of roles.  I can't stand it if roles are more than 10-12 characters or so.  I hope I'm long retired if anyone I'm working with makes a 64 character role LOL.

    Looks like we might be starting a project to migrate these SHLs to Guest Repository.  Time to do a little more digging

    Thanks again to all who took the time to help and respond!  This forum has been invaluable over the years!




  • 9.  RE: CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 22, 2023 06:40 AM

    And that brings up another related question.  One of the easier things to do in a SHL is to find devices that are in a certain list.  In the Guest Device repository, you cannot sort or filter on role.  Is there any easy way (other than exporting the entire DB to .csv) to find all devices with role xxxx?




  • 10.  RE: CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 22, 2023 08:06 AM
    Edited by matchabear Dec 22, 2023 08:12 AM
    I have been using the Guest Device Repo quite extensively, and now have 10K "whitelisted" devices. We have customised the SQL query, thanks to the TAC case we opened, so that I can use all the custom columns/fields as Authz attributes. I am open for discussion and you can reach me in my DM haha...🤣


    I can say the biggest advantages of using Guest Device registration are:

    1) You cannot have the same MAC address registered multiple times, whereas in an SHL it is very likely you created the same MAC address over and over again within different groups. Very bad for the Day-2 operations guys if they need to do cleanup.

    2) In Guest you can set an expiry date for a MAC. A MAC in the Guest Device repo is treated as an account, so it can have an expiry date, and we can prolong the expiry date whenever the MAC successfully authenticates. This can be configured easily via an attribute in one of the Enforcement Profile post-authentication types.
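The duplicate-MAC problem described in point 1 above is the first thing a migration from SHLs to the Guest Device Repository runs into. The script below is an added example, not ClearPass code and not from any poster in this thread: it merges several SHL exports, normalises the different MAC notations ClearPass accepts, reports MACs that sit in more than one list (which cannot become a single device account with a single role) and writes the remaining devices as an import CSV with an expiry date. The SHL contents, the SHL-to-role mapping and the output column names (mac, role_name, visitor_name, expire_time, notes) are all constructed assumptions; match the columns to the import template of your own Guest deployment.

```python
"""Merge Static Host List (SHL) exports into one Guest Device import.

Added example, not ClearPass code.  All data below is constructed and
the output columns are an assumption to be matched to the real import
template.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one export per SHL, MACs in whatever format the
# list happened to use (colon, dash, Cisco dotted, bare hex).
SHL_EXPORTS = {
    "SHL-Dining":  ["00:11:22:33:44:55", "00-11-22-33-44-56", "0011.2233.4457"],
    "SHL-Banking": ["00:11:22:33:44:60", "00:11:22:33:44:55"],            # 44:55 is also in Dining
    "SHL-Lab":     ["AA:BB:CC:DD:EE:FF", "aabbccddeeff", "zz:11:22:33:44:55"],  # same MAC twice + junk
}

# Assumed mapping from each SHL "bucket" to the Guest role it should become.
SHL_TO_ROLE = {
    "SHL-Dining": "Vendor-Dining",
    "SHL-Banking": "Vendor-Banking",
    "SHL-Lab": "Vendor-Lab",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return a lower-case 'aa:bb:cc:dd:ee:ff' form, or None if raw is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def merge_shls(exports, role_map):
    """Return (rows, conflicts, invalid).

    rows      : one dict per MAC that belongs to exactly one SHL
    conflicts : {mac: [shl, ...]} for MACs present in more than one SHL
    invalid   : [(shl, raw)] entries that did not parse as a MAC
    """
    seen = defaultdict(list)          # mac -> list of SHLs it appears in
    invalid = []
    for shl, macs in exports.items():
        for raw in macs:
            mac = normalize_mac(raw)
            if mac is None:
                invalid.append((shl, raw))
            elif shl not in seen[mac]:   # duplicate inside one list is harmless
                seen[mac].append(shl)

    conflicts = {mac: shls for mac, shls in seen.items() if len(shls) > 1}
    rows = []
    for mac, shls in sorted(seen.items()):
        if mac in conflicts:
            continue                      # one account, one role: resolve by hand first
        rows.append({
            "mac": mac,
            "role_name": role_map[shls[0]],
            "visitor_name": shls[0],
            "notes": f"migrated from {shls[0]}",
        })
    return rows, conflicts, invalid


def to_import_csv(rows, now, expire_days=365):
    """Render rows as CSV text, adding an expire_time so stale vendor MACs age out."""
    expire = (now + timedelta(days=expire_days)).strftime("%Y-%m-%d %H:%M:%S")
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf,
        fieldnames=["mac", "role_name", "visitor_name", "expire_time", "notes"],
        lineterminator="\n",
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({**row, "expire_time": expire})
    return buf.getvalue()


if __name__ == "__main__":
    rows, conflicts, invalid = merge_shls(SHL_EXPORTS, SHL_TO_ROLE)
    for mac, shls in conflicts.items():
        print(f"CONFLICT {mac} is in {', '.join(shls)} - pick one role before importing")
    for shl, raw in invalid:
        print(f"INVALID  {shl}: {raw!r}")
    print(to_import_csv(rows, datetime(2024, 1, 1)))
```

Run it once against real exports before touching Guest: the conflict list is exactly the set of MACs whose ownership someone has to decide, and the invalid list catches the typos that an SHL silently accepted for years.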




  • 11.  RE: CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 22, 2023 08:08 AM

    It's true, you can't search for role out of the box. But with some small adjustments of the form you will be able to have the role as a column and also searchable.

    The Manage device view is mac_list.php as seen below, this is the default view.

    To add Role as a column and make it searchable, do the following:

    Navigate to Configuration\Pages\List views and select mac_list

    Click Edit Fields

    You will now see a list of attributes in the list view; role is one of them, but not enabled. Click role_name and Enable Field.

    The row will now be in bold, indicating it's enabled in the list.

    Now click Edit under role_name, make sure to not click Edit Base Field as this will edit the default role_name attribute in the database instead of the attributes in this view.

    Check the Advanced view options checkbox

    At the bottom of the list, check this checkbox:

    Return to the Manage device view, the Role column is now visible.

    Search for a role:



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
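The list-view change above answers the question for someone sitting in the Guest UI. When the same lookup has to happen from a script (a nightly audit, or the F5 role export mentioned earlier in the thread), the ClearPass REST API is the other route. The block below is an added example, not ClearPass or Aruba code: it builds a `GET /api/device` request whose `filter` parameter selects one role, and pages through the `_embedded.items` results until the last page. The base URL, token, role ID and the device records returned by the constructed fake fetcher are assumptions; the `filter`/`offset`/`limit` query parameters and the `_embedded.items` response shape are the Guest API's, but check the sort key and the device field names against the API Explorer of your own version. Note that the API filters on `role_id`, not on the role name shown in the list view.

```python
"""Find every Guest device that holds a given role via the ClearPass REST API.

Added example, not ClearPass code.  Base URL, token, role_id and the
sample device records are constructed; the fake fetcher lets the
pagination run offline.
"""
import json
import urllib.parse
import urllib.request


def device_query_url(base_url, role_id, offset=0, limit=100):
    """Build GET /api/device?filter={"role_id":N}&offset=..&limit=..&sort=+id.

    The JSON filter is the API's own mechanism; the sort key is an assumption
    chosen so that offset paging is stable while devices are being added.
    """
    params = {
        "filter": json.dumps({"role_id": role_id}),
        "sort": "+id",
        "offset": offset,
        "limit": limit,
    }
    return f"{base_url.rstrip('/')}/api/device?{urllib.parse.urlencode(params)}"


def http_get_json(url, token):
    """Real fetcher: bearer token from /api/oauth (client_credentials grant)."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def devices_with_role(base_url, token, role_id, fetch=http_get_json, page_size=100):
    """Return [(mac, visitor_name, expire_time), ...] for every device with role_id.

    Pages by offset/limit and stops at the first short page, so it never
    relies on a total count that may change between requests.
    """
    found = []
    offset = 0
    while True:
        page = fetch(device_query_url(base_url, role_id, offset, page_size), token)
        items = page.get("_embedded", {}).get("items", [])
        for d in items:
            found.append((d.get("mac"), d.get("visitor_name"), d.get("expire_time")))
        if len(items) < page_size:
            return found
        offset += page_size


# ---- constructed offline stand-in for the API -----------------------------
FAKE_DEVICES = [  # assumed field names; the real records carry more columns
    {"id": i, "mac": f"00-11-22-33-44-{i:02x}", "role_id": 7,
     "visitor_name": "Vendor-Dining", "expire_time": "2025-01-01 00:00:00"}
    for i in range(1, 6)
]


def fake_fetch(url, token):
    """Serve FAKE_DEVICES in offset/limit slices, shaped like a Guest API response."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    assert json.loads(q["filter"][0]) == {"role_id": 7}, "filter should target role 7"
    offset, limit = int(q["offset"][0]), int(q["limit"][0])
    return {"_embedded": {"items": FAKE_DEVICES[offset:offset + limit]}}


if __name__ == "__main__":
    # Offline run with a page size of 2: three requests, last one short.
    for mac, name, exp in devices_with_role("https://cppm.example", "tok", 7,
                                            fetch=fake_fetch, page_size=2):
        print(mac, name, exp)
```

To run it for real, swap `fake_fetch` for the default `http_get_json` with a token obtained from `/api/oauth` using an API client whose operator profile is limited to reading devices; read-only credentials are enough for an audit and are what should be scripted.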



  • 12.  RE: CPPM Static Host Lists and Role Mapping Policy

    Posted Dec 22, 2023 09:19 AM

    In the immortal words of Homer Simpson - "DOH!".  We've had the Role field enabled for years to see it.  Never went into advanced to make it searchable.  This will make it a MUCH easier sell to allow me to switch to the Guest DB instead of SHL

    Thanks so much!  That was great info!!!!