Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NATing certain users on Guest to a particular address/subnet AOS/ClearPass/Fortigate

  • 1.  NATing certain users on Guest to a particular address/subnet AOS/ClearPass/Fortigate

    Posted Sep 15, 2023 01:50 PM

    Hello,

    We run a captive portal Guest SSID which is set up on ClearPass (social login (including Azure) or self-reg). Our AOS cluster (with conductor and standby conductor) is running 8.10.0.8

    We have a requirement to treat a subset of our Guest users differently (probably by S-NAT'ing them to a specific address(es)); this is to allow those particular users access to journals that have IP based access restrictions (not our design!).

    Identifying them is no problem - they are members of a particular group in Azure AD, so our plan was for the ClearPass service to match on that group and give them a special role, and then use a NAT rule in that role on AOS to have the controller NAT them. However we must log the translations and we aren't sure if AOS will do that (we also need to keep those records for 90 days). Does anyone know if that logging is possible on AOS?

    If AOS can't do this for us then another possibility might be to see if ClearPass can integrate with our Fortigate firewall in a dynamic per-user way that could achieve the same result - does anyone have any experience of doing something like that?

    Or we're certainly open to other suggestions. At the moment our default fallback will be to broadcast a separate SSID for these users, which would do the job, but we'd prefer to avoid if we can.

    Guy



  • 2.  RE: NATing certain users on Guest to a particular address/subnet AOS/ClearPass/Fortigate

    EMPLOYEE
    Posted Sep 15, 2023 10:49 PM

    I think you should be able to perform the action src-nat and then use the extended action "log":

    ip access-list session <accname>
    <source> <dest> <service> <action> [<extended action>]
    ipv6 <source> <dest> <service> <action> [<extended action>]

    you can refer to the CLI user guide here 

    search for "ip access-list session"



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: NATing certain users on Guest to a particular address/subnet AOS/ClearPass/Fortigate

    Posted Sep 16, 2023 04:14 AM

    Thank you, I'll give that a try and see if the logging includes what we need.




  • 4.  RE: NATing certain users on Guest to a particular address/subnet AOS/ClearPass/Fortigate

    Posted Sep 17, 2023 12:54 PM

    As ariyap has mentioned, you can use a source NAT policy at the end of the new guest user role and enable log to have the ACL hits logged.

    Since you are doing the authentication on ClearPass, you may want to configure a ClearPass Insight report. This should give you much more information / accounting. 




  • 5.  RE: NATing certain users on Guest to a particular address/subnet AOS/ClearPass/Fortigate

    Posted Sep 18, 2023 05:23 AM

    Thanks, I'll try that. 

    Are there any instructions on how to set the S-NAT up? Does the NAT pool just need to be a routable IP address(es)? Does that address need to exist on the controller(s)? I created a pool which is just a single unused address that is in the same range as the controller IP (for testing only), there is no interface using that address anywhere.

    I've looked at the user guide but it doesn't really go into any detail (unless I was looking in the wrong place). I have added a rule in the ACL for the user role like:

    user any any src-nat pool my-pool_snat log

    I get an IP address but then there's no connectivity, and there's no evidence that NAT is happening. But I might be doing this all wrong!
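
    As an added configuration sketch, not taken from any of the posts above, this ties together the pieces the replies describe: a NAT pool, a session ACL that applies src-nat with log, and a user role that ClearPass returns through the Aruba-User-Role attribute for members of the Azure AD group. All names and addresses are placeholders; it assumes the pool address is routed back to the controller by the upstream router, and it narrows the NAT to the journal destinations rather than all traffic.

```text
! NAT pool: a single routable placeholder address that the upstream router
! must route back to this controller so return traffic arrives
ip nat pool journal-snat 203.0.113.10 203.0.113.10

! Placeholder destinations of the journals that enforce IP-based access;
! replace with the publishers' real hosts/networks
netdestination journal-sites
  host 198.51.100.20
  network 198.51.100.64 255.255.255.192

! Session ACL: source-NAT only traffic bound for the journal sites,
! and log every hit so each translation leaves a record
ip access-list session journal-snat-acl
  user alias journal-sites any src-nat pool journal-snat log

! Role that ClearPass returns (Aruba-User-Role) for the Azure AD group.
! Session ACL rules are evaluated in order and the first match wins, so the
! src-nat ACL is listed before the broader guest policy that also permits
! traffic to those destinations; "existing-guest-policy" stands for the
! ACL(s) the normal post-authentication guest role already uses
user-role guest-journal
  access-list session journal-snat-acl
  access-list session existing-guest-policy
```

    The ClearPass side is a RADIUS enforcement profile that returns Aruba-User-Role = guest-journal when the authorization source shows the Azure AD group membership; the role name must match the one defined on the controller exactly.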