Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x Authentication based on AD group + ClearPass - Design question

  • 1.  802.1x Authentication based on AD group + ClearPass - Design question

    Posted Mar 04, 2020 03:14 PM

    Hi all,

    I am running into a design issue. Let's say I have approx. 1500+ remote branches and all of them are querying CPPM for "employee" RADIUS authentication. Management wants to limit access to wireless, so employees are put in a special OU in order to be granted access to WiFi. The issue is that those OUs are isolated locally to each office, e.g. branchOffice_a, branchOffice_b OU and so on, which means I would have to have a role mapping for every single office.

    I would like to hear from others how they were able to circumvent this issue.

    Thank you in advance.

    Cheers!



  • 2.  RE: 802.1x Authentication based on AD group + ClearPass - Design question

    EMPLOYEE
    Posted Mar 04, 2020 03:40 PM

    Who besides your employees are in active directory?



  • 3.  RE: 802.1x Authentication based on AD group + ClearPass - Design question

    Posted Mar 12, 2020 11:15 AM

    Just employees, and we have about 20K employees throughout the branches. Management doesn't want to allow every employee with a laptop access to corp WiFi, so they created OU groups for each branch where the local IT is in charge of adding users once they have obtained approval.



  • 4.  RE: 802.1x Authentication based on AD group + ClearPass - Design question

    EMPLOYEE
    Posted Mar 05, 2020 03:26 AM

    Would it be possible to use OU Contains 'CN=WiFi,', if you have that as part of the OU path?

    Or put the users in a Windows Group instead of (or in addition to) a specific OU?



  • 5.  RE: 802.1x Authentication based on AD group + ClearPass - Design question

    EMPLOYEE
    Posted Mar 05, 2020 04:59 AM

    Just changing the discussion slightly: assuming you are doing TLS, then, provided the certificate is valid, we can authenticate the user without explicitly knowing the OU. Granted, if you wanted to have more granular role control (i.e. authorization) then we would need to validate the OU.



  • 6.  RE: 802.1x Authentication based on AD group + ClearPass - Design question

    Posted Mar 12, 2020 11:19 AM

    No, we are not using TLS yet.



  • 7.  RE: 802.1x Authentication based on AD group + ClearPass - Design question

    Posted Mar 12, 2020 11:18 AM

    No, they don't, but that's not a bad idea. You mean having OUs start with CN=WiFi and then use a wildcard? I wonder if I can do that condition on a role mapping in CPPM?



  • 8.  RE: 802.1x Authentication based on AD group + ClearPass - Design question

    Posted Mar 13, 2020 04:15 AM

    Hi,

    One way to deal with it could be to retrieve the user DN as an authorization attribute and then match it against a specific pattern, assuming the location OUs have some kind of repeated naming pattern.

    Example:

    Let's say you get this user DN from the AD authz source: "cn=Jim Smith,ou=branchOffice_a,ou=West,dc=Domain,dc=com"

    Then your role mapping rule could be something along the lines of:

    Authorization:AD:DistinguishedName CONTAINS "branchOffice_"

    or something more precise like (the pattern below allows for the intermediate regional OU and a multi-character branch suffix, so it actually matches the DN above):

    Authorization:AD:DistinguishedName MATCHES "cn=[\w\s]+,ou=branchOffice_\w+,ou=\w+,dc=Domain,dc=com"
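    As an added illustration of the approach in this reply (not code from the original post or from ClearPass itself), here is a small Python model of the two rule styles: the loose CONTAINS substring test versus an anchored pattern applied only to the OU components of the DN. Only Jim Smith's DN comes from the post; the other sample DNs and the `branchOffice_<alnum>` naming convention are constructed assumptions.

```python
import re

# Anchored pattern for the branch OU value itself (assumed naming convention:
# "branchOffice_" followed by letters/digits only, no further suffixes).
BRANCH_OU_RE = re.compile(r"^branchOffice_[A-Za-z0-9]+$")

# Constructed sample DNs; the first is the one quoted in the reply above.
SAMPLE_DNS = [
    "cn=Jim Smith,ou=branchOffice_a,ou=West,dc=Domain,dc=com",
    "cn=Ana Lopez,ou=branchOffice_b,ou=East,dc=Domain,dc=com",
    "cn=Bob Lee,ou=branchOffice_a_disabled,ou=West,dc=Domain,dc=com",
    "cn=branchOffice_printers,ou=Servers,dc=Domain,dc=com",
]


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs.

    Splits on commas that are not escaped with a backslash, so a value such as
    "Smith\\, Jim" stays intact. Attribute names are lower-cased for comparison.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def contains_rule(dn):
    """Model of: Authorization:AD:DistinguishedName CONTAINS "branchOffice_".

    Matches the substring anywhere in the DN, including inside the cn or in
    OUs that merely start with the branch prefix.
    """
    return "branchOffice_" in dn


def ou_rule(dn):
    """Stricter model: some OU component (never the cn) must match the
    anchored branch pattern exactly."""
    return any(attr == "ou" and BRANCH_OU_RE.match(value)
               for attr, value in parse_dn(dn))


def evaluate(dns=SAMPLE_DNS):
    """Return {dn: (contains_result, ou_result)} for each sample DN."""
    return {dn: (contains_rule(dn), ou_rule(dn)) for dn in dns}


if __name__ == "__main__":
    for dn, (loose, strict) in evaluate().items():
        print(f"CONTAINS={loose!s:5} OU-anchored={strict!s:5}  {dn}")
```

    Running it shows the two constructed edge cases where the substring rule grants the role but the anchored OU check does not.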