Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aerohive Wireless and Clearpass

  • 1.  Aerohive Wireless and Clearpass

    Posted Aug 08, 2017 03:33 PM

    Hi All,

     

    Just wanted to ask you guys a few questions with regards to Aerohive wireless and Clearpass.

     

    I am doing an install this week, which involves setting up machine authentication for devices that connect to Aerohive wireless.

     

    Can you confirm for me why we need to add a custom attribute? What is the significance of this issue and is it needed?

    The way I have machine authentication setup at the moment is to validate that the user has a valid computer account and if they have a valid username and password. Is this enough?

     

    In my enforcement I only want to send back a VLAN ID by using the Radius filter ID attribute. Would this work or would I need the other attributes mentioned in the other posts?

     

    I look forward to hearing from you guys.



  • 2.  RE: Aerohive Wireless and Clearpass

    EMPLOYEE
    Posted Aug 08, 2017 05:10 PM

    Which custom attribute are you referring to?

     

    With Aerohive, you can return back a value using standard IETF filter-ID which can be used as the role by the AP.

     

    (attachment: Screen Shot 2017-08-08 at 5.09.17 PM.png)



  • 3.  RE: Aerohive Wireless and Clearpass

    Posted Aug 10, 2017 12:17 PM

    Hi,

     

    I was checking if I needed the following attributes as referred to on other posts:

     

    Tunnel Mode Type

    Tunnel Type

    Tunnel Private Group-ID

     

    All I did was return the filter-id value back to the APs. This seems to be working fine.

     

    I am also setting up machine authentication for this deployment. This is working fine, but can you confirm why I need to configure the "Boolean" attribute, and what will not work if I do not have this?

     

     

     

     

     



  • 4.  RE: Aerohive Wireless and Clearpass

    EMPLOYEE
    Posted Aug 11, 2017 12:00 AM

    The Tunnel attributes are used if you want to return back a VLAN name.

     

    Regarding the endpoint attributes, they're not needed for basic setups. Custom attributes can be used in more advanced setups where context is required from both identities.



  • 5.  RE: Aerohive Wireless and Clearpass

    Posted Aug 16, 2017 05:13 AM

    Hi,

     

    Sorry for the late reply on this.

    I still need a bit of help with this install.

     

    I am still having a bit of trouble with Machine and User authentication.

    I aim to give you all the information here so you can guide me.

     

    Authentication Scenarios

    Staff Machine, which is logged into by a Staff user. They are getting the Staff VLAN, which is working fine.

    Student Machine with a Student laptop: it is getting Staff VLAN instead of Student.

    Non-Staff machine should go into Staff VLAN, i.e. should be user authenticated. It asks for username and password and access tracker shows a timeout. This is falling into the default Clearpass role of other and Enforcement is matching the default deny access profile.

    Student logs into Staff machine and should go to the guest VLAN. This is going to the staff VLAN instead.

    Student logs into Student domain machine. This should go to the student VLAN, but instead is going to Staff VLAN.

     

    I have attached a copy of the roles and enforcement configuration.

     

    In my enforcement profiles I am only sending the filter ID value back to Aerohive, which is the VLAN ID.

     

    Hope you can point me in the right direction.



  • 8.  RE: Aerohive Wireless and Clearpass

    Posted Aug 16, 2017 05:25 AM

    Please see attached



  • 9.  RE: Aerohive Wireless and Clearpass

    EMPLOYEE
    Posted Aug 16, 2017 07:33 AM
    But you need to use a VLAN enforcement, not filter ID. Filter ID is used to return the group name (optional).

    Also, it's generally not recommended to flip VLANs like that.

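As an added illustration of the distinction made in this reply (and of the three Tunnel attributes asked about in post 3), not code from the thread or from HPE: a small Python encoder/decoder for the RADIUS Access-Accept attributes involved. Attribute numbers and the VLAN/IEEE-802 values are the standard RFC 2865/2868/3580 ones; the VLAN IDs, names and tag value are constructed sample data.

```python
# Added example: the RADIUS reply attributes behind the two enforcement styles
# in this thread. Filter-Id (RFC 2865 type 11) only names a role; a VLAN
# assignment needs the RFC 2868 tunnel attributes. VLAN values are constructed.
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # RFC 3580 values for VLAN / IEEE-802

def avp(attr_type, value):
    """Encode one attribute-value pair: type, length, value (RFC 2865)."""
    return bytes([attr_type, 2 + len(value)]) + value

def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")

def filter_id_only(role):
    """Access-Accept that returns only Filter-Id, as in the original setup."""
    return avp(FILTER_ID, role.encode())

def vlan_enforcement(vlan, tag=1, role=None):
    """Access-Accept carrying a VLAN ID or VLAN name; Filter-Id optional."""
    out = (avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
           + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802))
           + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))
    return out + avp(FILTER_ID, role.encode()) if role else out

def parse(payload):
    """Decode AVPs into {type: value}; tunnel attrs become (tag, value)."""
    attrs, i = {}, 0
    while i < len(payload):
        t, length = payload[i], payload[i + 1]
        v = payload[i + 2:i + length]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            attrs[t] = (v[0], int.from_bytes(v[1:], "big"))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            attrs[t] = (v[0], v[1:].decode())
        else:
            attrs[t] = v.decode()
        i += length
    return attrs

def assigned_vlan(payload):
    """VLAN a VLAN-aware AP would take from the reply, or None when the
    tunnel attributes are missing, inconsistent, or carry mismatched tags."""
    a = parse(payload)
    tunnel = [a.get(k) for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)]
    if None in tunnel or len({t[0] for t in tunnel}) != 1:
        return None   # Filter-Id alone never assigns a VLAN
    if tunnel[0][1] != TUNNEL_TYPE_VLAN or tunnel[1][1] != TUNNEL_MEDIUM_802:
        return None
    return tunnel[2][1]
```

Run `assigned_vlan(filter_id_only("Staff"))` against `assigned_vlan(vlan_enforcement(20))` to see why the Filter-Id-only profile never moved clients between VLANs.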

  • 10.  RE: Aerohive Wireless and Clearpass

    Posted Aug 16, 2017 07:47 AM

    Thank you for your response. 

     

    I shall change this to a VLAN enforcement. 

    Can you confirm if my conditions are fine i.e my roles and enforcement for the scenarios I described? Did you see my roles and enforcement attachments. 

    (Also, I'm not sure if my previous post posted around 5 times; if so, I am sorry, as when I was refreshing the page my new post would disappear.)



  • 11.  RE: Aerohive Wireless and Clearpass

    Posted Aug 18, 2017 06:11 AM

    VLAN enforcement is working much better now for me.

     

    I have two other problems now:

     

    First problem:

    Student logs into the student machine and ends up in the student VLAN, which is working fine. Student then logs off the student machine and Staff logs onto the Student machine, but the machine remains in the Student VLAN.

     

    I do not see another request come into Clearpass when this happens. Also, when the user manually disconnects from the SSID and re-connects, I then do see a request in CPPM, but they still end up in the Student VLAN.

     

    To troubleshoot this further I have asked them to do the following:

    On the wireless profile, enable single sign-on and select the option to perform it immediately after user logon.

     

    I have also asked them to re-arrange the role-mapping so that the Staff roles are at the top and in the service to make sure the Staff AD is at the top.

     

    Do you know if that will work or would I need to do something else?

     

    The other problem is student BYOD devices that are connecting:

     

    Students connect with their BYOD devices, but get rejected as it says user authentication failure. But when students send the username in the format of:

    student\65262827 - this then works

     

    The problem is that students do not know they have to connect with student\.

    Is there any way Clearpass can embed the student\ in the request?

    Or, in CPPM, do I need to replace the filter query in the authentication source to look at samAccountName?

    If so, please let me know what the query should look like?