Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Advice on Role Mappings and Enforcement

  • 1.  Advice on Role Mappings and Enforcement

    Posted Oct 17, 2014 02:26 PM

    We are working on integrating our new AD environment into the CPPM.

     

    I would like to change the way that we do our Role Mappings and Enforcement.

    We are using EAP-MSCHAPv2 to do all of our domain user and domain computer authentication.

     

    Computer authentication provides a user-role that has limited access to the network.

    User authentication changes the user-role to provide additional network access.

     

    We have some computers that need to be placed into different subnets. We are currently accomplishing this using a combination of Role Mappings. We assign the roles based on a custom attribute that we apply to the device in the Endpoints database. We went this route in the beginning because very early on we were having a lot of issues with machine authentication, and after we fixed that, we never really adjusted any of our rules.

     

    I have been thinking about using AD groups to organize the machines going forward and doing Role Mappings based on those group memberships.

     

    I am just curious if this is a good approach or if there are better practices that I should be following.

     

    Cheers



  • 2.  RE: Advice on Role Mappings and Enforcement

    EMPLOYEE
    Posted Oct 17, 2014 02:28 PM
    Yes, that's usually how I do it. You can also use AD attributes.


  • 3.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 17, 2014 03:10 PM

    Thanks @cappalli!

     

    I am glad that I wasn't completely out to lunch with my plan.

     

    When you say AD attributes, are you referring to the attributes that are visible under the "Attribute Editor" when we view the properties of a user or computer object?

     

    Sorry for my ignorance, I am still learning AD :D

     

    Cheers



  • 4.  RE: Advice on Role Mappings and Enforcement

    EMPLOYEE
    Posted Oct 17, 2014 03:22 PM
    Correct. You can add custom attributes to Active Directory or use existing ones (on top of groups and OUs). It really depends on how accurate the data is in your organization. I've found that organizations that use Exchange and Lync tend to have very consistent and up-to-date AD group membership, OUs and attributes.


    For example, you could use the Department attribute to put a user in the correct subnet. The big thing with AD is ensuring that the data stays up to date. Many organizations now script this data from an ERP or HRIS system, so it tends to be up to date and consistently formatted.

    Many universities add custom attributes in AD for Class Year, advisor, student ID number etc.

    You would just have to add the attribute in the AD authentication source.


  • 5.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 17, 2014 03:45 PM

    Ah that makes sense!

     

    That actually sounds like an interesting option.

    It is similar to using the endpoints database with a custom attribute, except that you are using AD.

     

    Very cool.

     

    So I would assume that in our authentication source we would just have to add an attribute that pulls our custom attribute out of AD and makes it available to be evaluated?



  • 6.  RE: Advice on Role Mappings and Enforcement

    EMPLOYEE
    Posted Oct 17, 2014 03:47 PM
    Yes, you would just add it as an available attribute using a filter.


  • 7.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 17, 2014 03:53 PM

    So awesome!

     

    Thanks @cappalli for your advice.

     

    I want to try and make sure we start out on the right foot.

     

    We are extending our 802.1X coverage to switch ports as well, so I want things to be as flexible as possible.



  • 8.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 22, 2014 02:13 PM

    I was wondering if there was a way to carry forward certain Role mappings?

     

    For instance, if I map a role based on a computer account that authenticates, can I carry that role forward if a user signs in on the computer and then authenticates against the CPPM? We were initially accomplishing this by using the endpoint database with a custom attribute.

     

    I know that the [Machine Authenticated] role is available even when doing user authentication. But I need a role that is a little more specific.

     

    The only solution I can think of is to just not do user authentication and only do machine authentication.

    The downside is that my machine role firewall settings would need to be adjusted. Currently our machine roles on the controller are very limited.

     

    Cheers



  • 9.  RE: Advice on Role Mappings and Enforcement

    EMPLOYEE
    Posted Oct 22, 2014 02:15 PM
    Yes, you can combine the custom role with [User Authenticated] and any other mappings.


  • 10.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 22, 2014 02:22 PM

    What I am experiencing in my testing is as follows.

     

    I have the wireless profile set to do user or machine authentication.

     

    When I fire up the computer and the machine authenticates with its AD account it receives a special role based on an attribute I set in the AD.

     

    When I sign in on the computer and the user authentication takes place, the role that was assigned at the time the machine authenticated is no longer available. This makes sense, since the user's account doesn't have the attribute that I specified.

     

    So when I set up my enforcement I can't accurately place the machine/user into the appropriate VLAN.

     

    Not sure if that makes sense.

     

    I need some way of maintaining that role obtained by the machine account for when user authentication takes place.



  • 11.  RE: Advice on Role Mappings and Enforcement

    EMPLOYEE
    Posted Oct 22, 2014 03:58 PM
    You'd want to write that information to the endpoint database so you can reference the data.


  • 12.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 22, 2014 04:04 PM

    ooh boy!

     

    Is that something that can be done dynamically?

    I've never tried doing that. I think I remember someone mentioning that you can change the "Status" to "Known client" or whatever you want. But actually writing information to the database, I don't know anything about.

     

    Maybe the forums will have some information on this.



  • 13.  RE: Advice on Role Mappings and Enforcement

    EMPLOYEE
    Posted Oct 22, 2014 04:37 PM

    Yes, you can update it every time the machine authenticates.

     

    First, create a new Endpoint attribute under Administration > Dictionaries > Attributes.

     

    [attached screenshot: endpoint-machineauth.JPG]

     

    Now create an enforcement profile to trigger the PostAuth attribute update.

     

     

    [attached screenshot: update-machine-auth.JPG]

     

    Replace AD-Auth-Source-Name with the exact name of your AD authentication source and replace the Attribute with the exact attribute name that you are checking.

     

    This will automatically populate the endpoint attribute you created with the data from the attribute in AD.

     

    You can then add a role mapping rule that checks for Endpoint:Machine-Auth and maps the same TIPS role.



  • 14.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 24, 2014 02:21 PM

    Sorry for my late response!

    I was testing out your instructions and then got caught up in a bunch of other things.

     

    Everything worked amazingly well though!

    I set up everything as per your instructions and was successful at writing an attribute into the Endpoints database.

     

    Every time I think I know the CPPM, I am reminded that I don't even know half of what it is capable of!

     

    Thank you very much for your assistance!



  • 15.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 24, 2014 03:39 PM

    On a bit of a side note, I was reading up on the option "Use Cached Results: Use cached Roles and Posture attributes from previous sessions".

     

    I only see it used in the example of MAC authentication.

     

    When would you want to use this option?

     



  • 16.  RE: Advice on Role Mappings and Enforcement

    EMPLOYEE
    Posted Oct 24, 2014 03:40 PM
    The only time I use it is with OnGuard and guests.


  • 17.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 24, 2014 03:45 PM

    I see..

    I was doing a test with it but I might abandon it now.

     

    I wasn't really sure of the use case for it.

     

    I have a policy for user authentication that requires the [Machine Authenticated] role. What we found was that if the user puts their laptop to sleep or hibernates it, when they fire it back up and connect to the wireless their requests fail due to the lack of the [Machine Authenticated] role. I believe the machines only authenticate at boot or if a user logs out.

     

    I was thinking that perhaps this might be a solution. But now I am thinking it might not be.



  • 18.  RE: Advice on Role Mappings and Enforcement

    EMPLOYEE
    Posted Oct 24, 2014 03:48 PM
    It will be unreliable because there's a cache timeout and some users may exceed that.


  • 19.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 24, 2014 03:58 PM

    I was thinking there must be something like that. I agree with you that it would be pretty unreliable.

     

    The only other thing I could think to do is something similar to what you helped me out with in the other scenario, where I write a custom attribute to the Endpoints database.

     

    At least now I can do it automatically.

     

    -------------------------------------------- EDIT

     

    I found this post.... forum post

    I am wondering if I could use the option on the controller for "Enforce Machine Authentication" to get the machine to auth first followed by the user in the situation described above?

     

    I have a feeling that it won't work.



  • 20.  RE: Advice on Role Mappings and Enforcement

    EMPLOYEE
    Posted Oct 24, 2014 04:24 PM
    You don't want to mix user/machine auth on the controller with ClearPass.


  • 21.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 24, 2014 04:29 PM

    I figured.

    I don't understand that setting enough in the controller to go about playing with it.

     

    I will have to come up with another solution.

     

    thanks for your help as always!



  • 22.  RE: Advice on Role Mappings and Enforcement

    EMPLOYEE
    Posted Oct 24, 2014 04:31 PM
    Did the endpoint attribute option not work?


  • 23.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 24, 2014 10:40 PM

    The attribute solution did absolutely work for the other scenario that I had, where I needed to have certain machines fall into a specific VLAN.

     

    This new scenario with computer/user connections possibly not having the [Machine Authenticated] role is something new that popped up.

     

    On my way home from work I was thinking I could query the Endpoint:Status attribute.

    If I get a machine to authenticate I can change the status to known and use that to identify machines that are "authorized".

     

    We are using EAP-MSCHAPv2 to authenticate so I want to make sure that when users connect they are connecting from company computers.

     

    I am probably over-analyzing and missing something obvious.

     

     



  • 24.  RE: Advice on Role Mappings and Enforcement

    EMPLOYEE
    Posted Oct 24, 2014 11:40 PM
    You can also just check for the attribute you created before. Just use the "exists" operator.


  • 25.  RE: Advice on Role Mappings and Enforcement

    Posted Oct 27, 2014 08:48 AM

    That is true I could.

     

    Although I only set that attribute for specific machines.

     

    So on my Enforcement Policy that handles the computer authentication for the alternate VLAN I set that attribute. But for all others I currently do not.

     

    It would appear as well that the attribute cannot be blank. It needs to be equal to something for it to be created in the Endpoints database. So if I were to use this across the board, I would have to populate that attribute with some value for all computer accounts.

     

    Which isn't a terrible idea, I could write a script to populate the attribute for all computer accounts.
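
The flow worked out in replies 13, 24 and 25, as an added Python model that is not ClearPass code and not from any poster: machine auth carries an AD attribute, a post-auth update copies it into the Endpoints record keyed by MAC, and the later user auth regains the TIPS role through an "exists" check on that endpoint attribute. The AD attribute name `NetworkSegment`, the endpoint attribute `Machine-Auth`, the role and VLAN names, and the MAC addresses are constructed placeholders; the empty-value rule models the observation that a blank attribute is never created.

```python
# Constructed stand-in for the ClearPass Endpoints database: MAC -> {attribute: value}
endpoints = {}

MACHINE_AUTHENTICATED = "[Machine Authenticated]"
USER_AUTHENTICATED = "[User Authenticated]"
CUSTOM_ROLE = "Lab-Machine"          # constructed TIPS role name
AD_ATTRIBUTE = "NetworkSegment"      # constructed custom AD attribute
ENDPOINT_ATTRIBUTE = "Machine-Auth"  # endpoint attribute from reply 13


def post_auth_update(mac, ad_attrs):
    """Post-auth enforcement profile: copy the AD attribute into the endpoint.
    Returns False when the value is blank, so the attribute is never created
    and a later 'exists' check will not match (reply 25's observation)."""
    value = ad_attrs.get(AD_ATTRIBUTE, "")
    if not value:
        return False
    endpoints.setdefault(mac, {})[ENDPOINT_ATTRIBUTE] = value
    return True


def map_roles(mac, identity, ad_attrs):
    """Role mapping: identity-derived roles plus the endpoint-derived rule.
    Windows machine auth over EAP-MSCHAPv2 presents the identity as host/<name>."""
    roles = set()
    if identity.startswith("host/"):
        roles.add(MACHINE_AUTHENTICATED)
        if ad_attrs.get(AD_ATTRIBUTE):          # attribute lives on the computer object
            roles.add(CUSTOM_ROLE)
    else:
        roles.add(USER_AUTHENTICATED)           # user object lacks the attribute
    # Endpoint:Machine-Auth EXISTS -> same TIPS role, so user auth keeps it
    if ENDPOINT_ATTRIBUTE in endpoints.get(mac, {}):
        roles.add(CUSTOM_ROLE)
    return roles


def enforce(roles):
    """Enforcement: pick the VLAN from the combined role set (constructed names)."""
    if CUSTOM_ROLE in roles:
        return "VLAN-Lab"
    if USER_AUTHENTICATED in roles:
        return "VLAN-Corp"
    if MACHINE_AUTHENTICATED in roles:
        return "VLAN-Machine-Limited"
    return "VLAN-Quarantine"


def session(mac, identity, ad_attrs):
    """One authentication: map roles, enforce, then run the post-auth update."""
    vlan = enforce(map_roles(mac, identity, ad_attrs))
    if identity.startswith("host/"):
        post_auth_update(mac, ad_attrs)
    return vlan
```

Running a machine session for a MAC followed by a user session on the same MAC returns `VLAN-Lab` both times; a machine whose AD attribute is blank never gets the endpoint attribute, so its user session lands in `VLAN-Corp`.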