Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Assigning roles to devices

  • 1.  Assigning roles to devices

    Posted Apr 09, 2015 08:25 AM

    Hi

    We deliver a service with wireless network and authentication based on Aruba Instant and ClearPass to franchise companies.

    ClearPass, Active Directory and common application servers are placed in a central network.

    Franchise devices need to have different roles depending on the usage in the local store.

    Device type "A" should only be able to access the internet and printers on the local LAN.

    Device type "B" should have access to all resources on the local LAN and also in the shared services network.

    Only devices of these two types should be allowed to connect. Unclassified devices should be rejected.

    Devices authenticate with username and password. Depending on the device type, access rights should differ. Devices are not members of AD, and devices can be iOS, Android, etc.

    Defining roles with different firewall rules in IAP with ClearPass is easy.

    My question is:
    What would be the most convenient way of letting the local device administrator at each store assign a device as type "A" or "B"?

    I don't want to give these persons access to edit attributes in the Endpoints table, because it's not possible to filter out only "his" devices.

    OnBoard with different profiles would solve this, but the cost for OnBoard is too high for this customer...

    Any ideas on how to solve this are appreciated.

    Thanks

    Jonas



  • 2.  RE: Assigning roles to devices

    EMPLOYEE
    Posted Apr 09, 2015 08:28 AM
    You could use the Device Registration feature in ClearPass Guest to allow the users to register a MAC address into a certain role.

    Even though this lives in guest, it does not require guest licenses.


    Thanks,
    Tim


  • 3.  RE: Assigning roles to devices

    Posted Apr 09, 2015 08:34 AM

    Will this implementation limit the device to doing MAC authentication?

    Or can I do username and password authentication and pick the role from the device entry in the Guest Device Repository during authentication?

    Otherwise I agree this is a good solution that will allow the local staff to add, edit and remove devices.

    Regards

    Jonas



  • 4.  RE: Assigning roles to devices

    EMPLOYEE
    Posted Apr 09, 2015 08:39 AM
    You could continue to do 802.1X authentication and use the MAC registration
    for authorization.


  • 5.  RE: Assigning roles to devices

    Posted Apr 09, 2015 08:50 AM

    So, how do I implement this?

    Will the device always get the assigned role during logon, or do I need to configure role mappings to get this?

    If the device always gets the assigned role, it's an easy task to pick this in the enforcement policy and return the correct role attribute to the IAP.

    Regards

    Jonas



  • 6.  RE: Assigning roles to devices

    Posted Apr 16, 2015 06:19 AM

    Hi

    I have added the device as a Guest device and assigned the role Contractor.

    In the authentication service I have added Guest Device Repository as an authorization source.

    In the Guest Device Repository authentication source I tried to add a new attribute, role_name.

    But I don't get that information in Event Tracker when the client connects.

    Have I missed some essential steps?

    Regards

    Jonas



  • 7.  RE: Assigning roles to devices

    Posted Apr 16, 2015 09:23 AM

    You should be able to use the role_id field, which has an integer value which maps to a ClearPass Guest role as defined in the [Guest Roles] role mapping policy. By default [Contractor] is 1.

    If you amend the authentication source you should be able to add the role_id attribute and then use this to determine the role.



  • 8.  RE: Assigning roles to devices

    Posted Apr 16, 2015 09:56 AM

    Hi

    I have tried to add the attribute, but I don't get the expected result.

    Under Authorization attributes in Action Tracker I can only see the default attributes for Guest Device Repository.

    In the Authentication source definition I have made the modifications according to the attached screenshot.

    See attached pictures.

    The Filter Query string has not been edited at all. Do I need to edit this?

    Regards

    Jonas



  • 9.  RE: Assigning roles to devices

    Posted Apr 16, 2015 11:23 AM

    Yes, the filter string would need to be amended to extract the role_id attribute as well:

    SELECT user_credential(password) AS User_Password,
           CASE WHEN enabled = FALSE THEN 225
                WHEN ((expire_time is not null AND expire_time <= now())) THEN 226
                ELSE 0
           END AS Account_Status,
           sponsor_name, role_id
    FROM tips_guest_users
    WHERE ((guest_type = 'DEVICE') AND (user_id = UPPER('%{Connection:Client-Mac-Address-Hyphen}')))



  • 10.  RE: Assigning roles to devices

    Posted Apr 17, 2015 07:00 AM

    Hi

    I tried the SQL query you sent, but I get this error message when I save:

    The filter has been saved but has the following error:
    Invalid SQL syntax - ERROR: column "role_id" does not exist Position: 238

    Do you have any advice on how to proceed?

    Regards Jonas



  • 11.  RE: Assigning roles to devices

    Posted Apr 17, 2015 09:11 AM

    My apologies, it appears that role_id is not an element in the tips_guest_users database.

    I'll have a think about how you would get around this.



  • 12.  RE: Assigning roles to devices
    Best Answer

    Posted Apr 23, 2015 10:04 AM

    With some assistance from TAC I got this solved.

    The information is in the Insight database.

    The role assigned under ClearPass Guest "Add device" can be read after updating the Insight Repository with a new filter using the following SQL filter query:

    SELECT username, role_name, mac, sponsor_name, sponsor_email
    FROM guests
    WHERE username = '%{Connection:Client-Mac-Address-Hyphen}';

    Also add an attribute like:

    Name        Alias Name    Data type    Enabled As
    role_name   Role-Name     String       Role

    In the service, add Insight Repository as an authorization source.

    Regards

    Jonas
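The flow the thread converges on (post 4: keep 802.1X for authentication, use the device registration for authorization; post 12: read the registered role from the Insight "guests" table and map it in enforcement) is simulated below. This is an added example, not code from the thread, from ClearPass or from HPE Aruba Networking: it stands in for ClearPass's authorization lookup with an in-memory SQLite table so the pattern can be run offline. Assumptions not confirmed by the thread: the guests table has exactly the columns named in the final post; the %{Connection:Client-Mac-Address-Hyphen} macro delivers the MAC in upper-case, hyphen-separated form; the Guest role names "Store-Device-A" and "Store-Device-B" and the IAP role names are constructed. The point a practitioner wants to see is the default-deny at the end: an unregistered device, or one registered into a role that is not "A" or "B", gets no IAP role and is rejected, which is what the original question asked for. The MAC normalisation also shows the most common reason a lookup like this returns no attributes: the registered username and the substituted macro must match byte for byte.

```python
"""Added example (not from the thread): simulate ClearPass's authorization
lookup against the registered-device table, then the enforcement decision.
"""
import re
import sqlite3
from typing import Optional

# The Insight filter query from the accepted answer, with the ClearPass macro
# left in place so the substitution step below can be shown explicitly.
FILTER_QUERY = (
    "SELECT username, role_name, mac, sponsor_name, sponsor_email "
    "FROM guests WHERE username = '%{Connection:Client-Mac-Address-Hyphen}';"
)

# Constructed mapping from the Guest role (surfaced as the Role-Name
# authorization attribute) to the user role returned to the IAP.
# Anything not listed here is rejected, per the original requirement.
ROLE_TO_IAP_ROLE = {
    "Store-Device-A": "internet-and-printers",  # local LAN printers + internet
    "Store-Device-B": "all-resources",          # local LAN + shared services
}

def mac_hyphen_upper(mac: str) -> str:
    """Normalise any common MAC spelling to AA-BB-CC-DD-EE-FF.

    Assumed format of the Client-Mac-Address-Hyphen macro. A device registered
    with a different spelling never matches the filter query, so the service
    sees no authorization attributes for it.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()

def build_repository() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Insight 'guests' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE guests (username TEXT, role_name TEXT, mac TEXT, "
        "sponsor_name TEXT, sponsor_email TEXT)"
    )
    rows = [  # constructed sample device registrations
        ("00-11-22-33-44-55", "Store-Device-A", "00-11-22-33-44-55",
         "store7-admin", "admin@example.invalid"),
        ("66-77-88-99-AA-BB", "Store-Device-B", "66-77-88-99-AA-BB",
         "store7-admin", "admin@example.invalid"),
        ("CC-DD-EE-FF-00-11", "Contractor", "CC-DD-EE-FF-00-11",
         "store9-admin", "admin@example.invalid"),
    ]
    conn.executemany("INSERT INTO guests VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def lookup_authorization(conn: sqlite3.Connection,
                         client_mac: str) -> Optional[dict]:
    """Run the filter query the way an authorization source does: substitute
    the macro, then expose the row's columns as authorization attributes.
    Returns None when no registration matches."""
    mac = mac_hyphen_upper(client_mac)
    # ClearPass substitutes the macro textually; here the value is bound as a
    # parameter instead so it is never spliced into the SQL string.
    sql = FILTER_QUERY.replace("'%{Connection:Client-Mac-Address-Hyphen}'", "?")
    row = conn.execute(sql, (mac,)).fetchone()
    if row is None:
        return None
    cols = ["username", "role_name", "mac", "sponsor_name", "sponsor_email"]
    attrs = dict(zip(cols, row))
    # The alias configured on the authorization source in the final post.
    attrs["Role-Name"] = attrs["role_name"]
    return attrs

def enforcement_role(conn: sqlite3.Connection, client_mac: str) -> str:
    """Enforcement policy: map Role-Name to the IAP user role; default reject."""
    attrs = lookup_authorization(conn, client_mac)
    if attrs is None:
        return "REJECT"  # unregistered device: no authorization attributes
    return ROLE_TO_IAP_ROLE.get(attrs["Role-Name"], "REJECT")  # unclassified role

if __name__ == "__main__":
    repo = build_repository()
    for mac in ("00:11:22:33:44:55", "6677.8899.aabb",
                "cc-dd-ee-ff-00-11", "de:ad:be:ef:00:01"):
        print(f"{mac:>20} -> {enforcement_role(repo, mac)}")
```

The third registered device is deliberately placed in the Contractor role (the default role the thread's tests used) to show that registering a device is not enough on its own: only the two roles the enforcement policy knows about produce an IAP role, so the store administrator can classify devices without ever being able to grant anything outside "A" or "B".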