Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Mac auth services for staff and BYOD

  • 1.  Mac auth services for staff and BYOD

    Posted Sep 07, 2022 02:09 AM

    Hi All,

    We have integrated the Cisco controller with ClearPass and configured 2 SSIDs, BYOD and Staff. Now I want to configure a MAC auth service with static host lists on ClearPass for staff and BYOD, with separate services. Below are the doubts:

    1. Should I go with a static host list or the Guest device repository?
    2. When a specific user from BYOD or staff tries to connect, they should get the correct service.
    3. We have different controllers at different locations with different vendors; some locations are Cisco and some are FortiGate.
    4. Do I need to configure separate services for both Cisco and FortiGate, or will a common service work for both?
    5. To register MAC addresses in the Guest device repository, can I go with the manual way, i.e. the first time a user tries to connect, the MAC address is in the Access Tracker and we can whitelist it? Or is there any other method to onboard the devices and save them automatically in the repository?

     

    Thanks



  • 2.  RE: Mac auth services for staff and BYOD

    Posted Sep 07, 2022 02:20 AM
    Hi

    You should use the Guest device repository instead of the static host list. Static host lists are still in ClearPass for compatibility reasons, but they are not easy to work with.
    With the Guest device repository you can also create operator profiles with different privileges to manage different types of devices.

    As you have different vendors on your controllers you should use different services for them; this way you can return the correct Enforcement profiles and the correct CoA if you intend to use profiling.

    I do not fully understand the intention in point 5. Do you want all devices to be able to connect automatically, or should they register automatically?
    If you would like all devices to be registered in the Guest device repository you should be able to add a captive portal page for unregistered devices pointing to the add device page. Let the user log in to get an operator profile with access to add the user's specific device, and maybe a limitation on the number of devices to add.
    Send the MAC address as an argument to the page; this way the user does not need to fill in the MAC address.

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP
    Aranya AB
    ------------------------------



  • 3.  RE: Mac auth services for staff and BYOD

    Posted Sep 07, 2022 02:32 AM
    Hi Jonas,

    Thank you for your reply.
    Is there any article or document on how to configure the services?


  • 4.  RE: Mac auth services for staff and BYOD

    Posted Sep 07, 2022 02:56 AM

    Hi

    I don't think you will find a document describing your exact case with MAC authentication for both Cisco and FortiGate WLAN controllers.
    The services should have the Guest Device Repository as the authentication source.
    To be able to select a custom role for devices added you must edit the default role mapping policy [Guest Roles].
    Add two new rules like:
    (GuestUser:Role ID EQUALS 10001) Staff
    (GuestUser:Role ID EQUALS 10002) BYOD

    In the Guest operator profile you need to grant the profile correct rights to one or both of these roles.

    Maybe staff should be able to add both types and consultants just the BYOD. That depends on your use case.

    In the MAC authentication services you should have a role mapping policy utilizing the roles assigned in the Guest device repository.
    As an example of how to create the service, under Configuration \Service Template & Wizards use the template "Aruba Wireless with MAC Authentication with Device Registration". This template will create a service with both a role mapping and an enforcement policy, but for Aruba controllers.
    The interesting part is to see how the role mapping policy and the different rules in the enforcement policy are built.
    You need to create a similar enforcement policy with unique enforcement profiles for Cisco and FortiGate.
    The role mapping policy can, and should, be the same. This way you only need to maintain one role mapping policy, and as the network should work the same way regardless of infrastructure vendor you should have the same role mapping policy.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP
    Aranya AB
    ------------------------------
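The decision flow Jonas describes (Guest Device Repository as the authentication source, one shared role mapping policy keyed on GuestUser:Role ID, and a separate enforcement profile per controller vendor) can be modelled in a few lines. The following is an added example written for this thread, not ClearPass code and not the poster's configuration: the role IDs 10001 and 10002 come from the post above, while the MAC addresses, vendor labels and enforcement profile names are constructed for illustration.

```python
# Added example (not ClearPass code): a minimal model of a MAC-auth service
# that authenticates against a device repository, applies a vendor-independent
# role mapping policy and then picks a vendor-specific enforcement profile.
import re
from typing import Optional

# Constructed guest device repository: normalized MAC -> device attributes.
DEVICE_REPOSITORY = {
    "00-11-22-33-44-55": {"role_id": 10001, "enabled": True},   # staff laptop
    "66-77-88-99-aa-bb": {"role_id": 10002, "enabled": True},   # BYOD phone
    "cc-dd-ee-ff-00-11": {"role_id": 10002, "enabled": False},  # disabled registration
}

# Role mapping policy: condition on GuestUser:Role ID -> ClearPass role.
# The same rules serve every vendor's service, as the reply recommends.
ROLE_MAPPING_RULES = [
    (lambda role_id: role_id == 10001, "Staff"),
    (lambda role_id: role_id == 10002, "BYOD"),
]
DEFAULT_ROLE = "[Guest]"

# Enforcement policy: one profile per (vendor, role). Names are assumptions.
ENFORCEMENT_PROFILES = {
    ("cisco", "Staff"): "Cisco Staff VLAN",
    ("cisco", "BYOD"): "Cisco BYOD VLAN",
    ("fortigate", "Staff"): "FortiGate Staff Group",
    ("fortigate", "BYOD"): "FortiGate BYOD Group",
}


def normalize_mac(mac: str) -> Optional[str]:
    """Accept the usual MAC spellings (aa:bb:.., aa-bb-.., aabb.ccdd.., aabbcc..)
    and return the repository's lowercase dash-separated form, or None if invalid."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        return None
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def map_role(role_id: int) -> str:
    """First-match evaluation of the role mapping rules, falling back to [Guest]."""
    for condition, role in ROLE_MAPPING_RULES:
        if condition(role_id):
            return role
    return DEFAULT_ROLE


def authorize(mac: str, nas_vendor: str) -> dict:
    """Return the decision the modelled service reaches for one MAC-auth request."""
    key = normalize_mac(mac)
    device = DEVICE_REPOSITORY.get(key) if key else None
    if device is None:
        return {"action": "Reject", "reason": "unknown device"}
    if not device["enabled"]:
        return {"action": "Reject", "reason": "device disabled"}
    role = map_role(device["role_id"])
    profile = ENFORCEMENT_PROFILES.get((nas_vendor.lower(), role))
    if profile is None:
        # A role without a profile for this vendor means the enforcement policy is incomplete.
        return {"action": "Reject", "reason": f"no enforcement profile for {nas_vendor}/{role}", "role": role}
    return {"action": "Accept", "role": role, "profile": profile}


if __name__ == "__main__":
    for mac, vendor in [("00:11:22:33:44:55", "Cisco"), ("6677.8899.aabb", "FortiGate"),
                        ("cc:dd:ee:ff:00:11", "Cisco"), ("de:ad:be:ef:00:00", "Cisco")]:
        print(mac, vendor, authorize(mac, vendor))
```

The point of the split is visible in the data: changing who counts as Staff or BYOD touches only `ROLE_MAPPING_RULES`, while onboarding a new controller vendor touches only `ENFORCEMENT_PROFILES`. Note also that an unregistered or disabled device is rejected before any role is computed, which is the behaviour a disabled repository entry should produce on the next authentication.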



  • 5.  RE: Mac auth services for staff and BYOD

    Posted Sep 07, 2022 04:30 AM
    Hi Jonas,

    Thank you for your information.
    One more thing I want to ask you: for the Cisco enforcement profile, is this the correct way to configure the attribute?


    Thanks

    Attachment: Configration.rtf (33.60 MB)


  • 6.  RE: Mac auth services for staff and BYOD

    Posted Sep 09, 2022 07:49 AM
    Hi ,

    I configured the service like the snaps below. When a user whose account status is active in the Guest device repository tries to connect to the SSID, the correct service gets called and they are able to access the network. But when the user's account has expired, the user is still able to stay connected. Only when we turn the Wi-Fi OFF/ON does the user get disconnected from the network, as per the correct service call.
    So my query is whether CoA is not working properly, or whether I need to add some more rules to the policy.


    Service





  • 7.  RE: Mac auth services for staff and BYOD

    EMPLOYEE
    Posted Sep 12, 2022 08:42 AM
    Do you have the logout option set for expiration of accounts?

    ... and does a manual CoA (Change Status) work as expected for a client that is connected?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: Mac auth services for staff and BYOD

    Posted Sep 12, 2022 11:08 PM
    Hi Herman,

    The logout option is already set to "Disable at specified time". When accounts expire and we turn the Wi-Fi on/off, ClearPass terminates the access.



    Regards,
    Nilesh


  • 9.  RE: Mac auth services for staff and BYOD

    EMPLOYEE
    Posted Sep 13, 2022 04:44 AM
    Apologies, my screenshot was ambiguous, please set it to Disable and logout at specific time. The logout should trigger the disconnect, with just disable the client will remain connected.

    One other thing you could do is set the re-authentication timer (switch config or use IETF:Session-Timeout) to a lower value, so the switch will trigger regular re-authentications and block access after the account has been disabled. You could even return a Session-Timeout equal to the remaining lifetime of the account/device registration. How that is done depends on whether you have guest user or device registration, whether MAC Caching is used, etc. If you need this and can't find the proper documentation, TAC can help with this.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
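The Session-Timeout idea in the reply above, as an added example rather than Aruba or ClearPass code: the RADIUS Access-Accept carries IETF Session-Timeout set to the remaining lifetime of the device registration (clamped to a sane range), so the controller re-authenticates at the moment the registration expires and the now-expired device is rejected even if no CoA or logout ever fires. The device records, timestamps and clamp bounds below are constructed for the example.

```python
# Added example (not ClearPass code): compute Session-Timeout from a device
# registration's remaining lifetime and simulate the NAS re-authentication
# cycle that results, to show when access is actually cut off.
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_TIMEOUT = 60          # assumed floor: never demand re-auth more than once a minute
MAX_TIMEOUT = 24 * 3600   # assumed cap: long-lived registrations still re-auth daily

# Constructed repository rows: MAC -> enabled flag and UTC expiry (None = no expiry).
DEVICES = {
    "00-11-22-33-44-55": {"enabled": True, "expire_time": datetime(2022, 9, 13, 12, 0, tzinfo=timezone.utc)},
    "66-77-88-99-aa-bb": {"enabled": True, "expire_time": None},
    "cc-dd-ee-ff-00-11": {"enabled": True, "expire_time": datetime(2022, 9, 13, 10, 0, 10, tzinfo=timezone.utc)},
}


def parse_utc(iso_text: str) -> datetime:
    """Helper so callers can pass timestamps as ISO strings ('2022-09-13T10:00:00')."""
    return datetime.fromisoformat(iso_text).replace(tzinfo=timezone.utc)


def session_timeout(now: datetime, expire_time: Optional[datetime]) -> int:
    """Seconds until the registration expires, clamped to [MIN_TIMEOUT, MAX_TIMEOUT]."""
    if expire_time is None:
        return MAX_TIMEOUT
    remaining = int((expire_time - now).total_seconds())
    return max(MIN_TIMEOUT, min(remaining, MAX_TIMEOUT))


def is_expired(device: dict, now: datetime) -> bool:
    return device["expire_time"] is not None and now >= device["expire_time"]


def authenticate(mac: str, now: datetime) -> dict:
    """Decision for one MAC-auth request at time `now`: Reject if the device is
    unknown, disabled or expired; otherwise Accept with a Session-Timeout attribute."""
    device = DEVICES.get(mac)
    if device is None or not device["enabled"] or is_expired(device, now):
        return {"action": "Reject"}
    return {"action": "Accept",
            "attributes": {"Session-Timeout": session_timeout(now, device["expire_time"])}}


def simulate_reauth(mac: str, first_auth: datetime, max_rounds: int = 10) -> list:
    """Replay the NAS re-authenticating each time Session-Timeout elapses.
    Returns [(timestamp, action), ...] up to the first Reject or max_rounds."""
    timeline = []
    now = first_auth
    for _ in range(max_rounds):
        result = authenticate(mac, now)
        timeline.append((now, result["action"]))
        if result["action"] == "Reject":
            break
        now += timedelta(seconds=result["attributes"]["Session-Timeout"])
    return timeline


if __name__ == "__main__":
    start = parse_utc("2022-09-13T10:00:00")
    for mac in DEVICES:
        for when, action in simulate_reauth(mac, start, max_rounds=3):
            print(mac, when.isoformat(), action)
```

Two things the simulation makes explicit: with the timeout tied to the expiry, the first re-authentication after expiry is the one that rejects the device, so the exposure window after expiry is at most `MIN_TIMEOUT`; and a registration with no expiry still re-authenticates every `MAX_TIMEOUT`, which is what catches a device that was disabled by hand in the repository. A "logout at specified time" action (or a CoA) removes even that residual window; the timer is the fallback when CoA does not reach the controller.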



  • 10.  RE: Mac auth services for staff and BYOD

    Posted Sep 13, 2022 01:10 AM
    What is the use of the "Airespace wlan-id attribute" in the enforcement profile?

    If you want to send CoA from ClearPass, just use the pre-configured CoA profile in ClearPass.