Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Automated clearing of macid's in static host list

  • 1.  Automated clearing of macid's in static host list

    Posted Jul 29, 2016 02:53 AM

    We're migrating from Alcatel-Lucent switches with local mac authentication to centralized Clearpass 802.1X. Now, every switch has its own database of macid's of which probably 50% are no longer in use.


    Our Corporate wired users will be required to authenticate using 802.1X and devices that are not capable of doing so, will fall back to MAC authentication (CP static host lists).

    To ensure a seamless migration, we're required to add all known MACID's to Clearpass static host lists, so a lot of garbage we want to get rid of.

     

    Is there a way to automatically remove MACID's from the static host list that aren't used in the past 2 months? We're also looking for a way to add a description to a MACID so management and troubleshooting is easier. All suggestions are welcome, thanks!



  • 2.  RE: Automated clearing of macid's in static host list

    EMPLOYEE
    Posted Jul 29, 2016 06:46 AM
    You should use the guest device repository instead of SHLs. The GDR can be automatically pruned.


  • 3.  RE: Automated clearing of macid's in static host list

    Posted Jul 29, 2016 09:32 AM

    Cappalli,

     

    Thanks for that, management of that database seems far better!

    However, the authentication isn't yet working and here's why I think it fails:

     

    The user-name is the MACID without dashes and the one in GDR is with dashes so it doesn't match. In our static host list service, we used the calling-station-id to overcome that problem, but how do I manage that with GDR?

     

    EDIT:

    Tested this theory with policy simulation and it only works when the username (MACID) contains dashes. Not sure how I can fix it yet..

     

    EDIT2:

    Authentication works when I set the account as expired without messing with dashes. I'll pick this up on Monday.



  • 4.  RE: Automated clearing of macid's in static host list
    Best Answer

    EMPLOYEE
    Posted Jul 29, 2016 10:39 AM
    Just change the format in the MAC-auth profile on the controller.


  • 5.  RE: Automated clearing of macid's in static host list

    Posted Aug 04, 2016 03:15 AM

    Thanks Tim,

     

    We'll go for authenticating with an external SQL database to save some guest licenses.



  • 6.  RE: Automated clearing of macid's in static host list

    EMPLOYEE
    Posted Aug 04, 2016 09:05 AM
    The guest device repository does not consume guest licenses.


  • 7.  RE: Automated clearing of macid's in static host list

    Posted Aug 04, 2016 09:39 AM

    Ok, we just assumed that it would.. nice!

     

    Is there a way to only purge devices in the device repository, not guest repository? We want to remove a macid when it's not authenticated in 2 months but that rule shouldn't apply for guest users.



  • 8.  RE: Automated clearing of macid's in static host list

    EMPLOYEE
    Posted Aug 04, 2016 10:14 AM
    I don't believe so. Why not just leave them there until the guest user
    prune?


  • 9.  RE: Automated clearing of macid's in static host list

    Posted Aug 04, 2016 10:27 AM

    The MACID's we want to authenticate with are primarily non-802.1X industrial devices that are plugged in for years to come so we want to add them without expiry date. We already use mac authentication but locally on each switch so the list of macid's is huge and hard to manage.

     

    So we're looking to either delete inactive (GDR) devices if not authenticated in 2 months to clean up garbage from the past. I found that you can query endpoints.auth_at in insightdb so the information is there.



  • 10.  RE: Automated clearing of macid's in static host list

    Posted Aug 08, 2016 05:50 AM

    We decided to use the GDR without automatic cleaning of accounts so I started with configuration.

     

    I created a service which checks if the device is still enabled and the guest type is set to device, that works fine.. I'm now stuck at retrieving the role id. I see you can fetch it from tips_guest_users.attributes but I'm not sure how because it's only a part of the string I need and contains "Role ID": "3" doesn't do the job.

     

    Should the attribute Role ID in endpoints update when the device is created? Now it's not and I have no idea what my role mapping rules should look like to retrieve the role id.



  • 11.  RE: Automated clearing of macid's in static host list

    Posted Aug 08, 2016 07:48 AM

    In your role mapping are you calling the GuestUser > Role ID > 3 > Tips Role?



  • 12.  RE: Automated clearing of macid's in static host list

    Posted Aug 08, 2016 07:56 AM

    Yes I do but it doesn't match. I'm not sure where this information is stored in the database but the role ID isn't shown in the endpoint table either.

     

    I do find it here: tipsdb -> tips_guest_users -> attributes

     

    String: "{"mac": "00-0A-9C-4E-24-F9", "source": "mac_create", "Role ID": "3", "mac_auth": "1", "do_expire": "4", "no_portal": "1", "Create Time": "1470650104", "no_password": "1", "remote_addr": "172.25.128.181", "Visitor Name": "PDU", "airgroup_enable": " (...)"



  • 13.  RE: Automated clearing of macid's in static host list

    Posted Aug 08, 2016 07:58 AM
    Do you have the Guest Device Repository as an authorization source ?


  • 14.  RE: Automated clearing of macid's in static host list

    Posted Aug 08, 2016 08:09 AM

    Yes, I have with some custom filters applied to the source:

     

    SELECT tips_guest_users.enabled, tips_guest_users.user_id, tips_guest_users.guest_type, tips_guest_users.attributes FROM tips_guest_users WHERE user_id = '%{Connection:Client-Mac-Address-Upper-Hyphen}'

     

    I query those to check if it's enabled and if it's a device. Only thing that's missing is the role.



  • 15.  RE: Automated clearing of macid's in static host list

    Posted Aug 08, 2016 08:13 AM
    If you go to the Guest Device Repository can you see the device register with the correct TIPs role under details?





  • 16.  RE: Automated clearing of macid's in static host list

    Posted Aug 08, 2016 08:17 AM

    Yes,

     

    Both the role ID and role name are displayed correctly

     



  • 17.  RE: Automated clearing of macid's in static host list
    Best Answer

    EMPLOYEE
    Posted Aug 08, 2016 08:16 AM

    You shouldn't need those custom attributes. AccountEnabled is already built into the GDR auth source. I would use that one.

     

    To get the role ID in the GDR auth source for use during authorization, add a custom attribute:

     

    SELECT tgu.attributes->>'Role ID' AS role_id FROM tips_guest_users as tgu WHERE tgu.guest_type = 'DEVICE' AND tgu.user_id = UPPER('%{Connection:Client-Mac-Address-Hyphen}')

    (attachment: gdr-device-role-id.PNG)
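The two problems this thread works through, the MAC-format mismatch between the RADIUS username and the GDR user_id, and pulling "Role ID" out of the JSON blob in tips_guest_users.attributes, can be reproduced offline. The following is an added example written for this page, not code from the thread's authors or from HPE Aruba Networking. It assumes a constructed SQLite in-memory copy of two tables (tips_guest_users and endpoints) with a few sample rows modelled on the string quoted in post 12, an epoch integer for endpoints.auth_at, and a lowercase no-separator mac_address in endpoints; on a real ClearPass Postgres the JSON extraction happens inside the query with the `->>` operator, as in the SELECT above, whereas here it is done in Python after the fetch. It also extends the thread's purge question (post 9) with a stale-device check that leaves USER rows untouched, which the thread asked for but did not show.

```python
import json
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed "current" time for the sample data (assumption for the example).
NOW = datetime(2016, 8, 8, tzinfo=timezone.utc)


def _epoch(dt: datetime) -> int:
    return int(dt.timestamp())


# Constructed rows modelled on the tips_guest_users layout quoted in the thread.
# (user_id, enabled, guest_type, attributes JSON) - names and values are assumptions.
GUEST_USERS = [
    ("00-0A-9C-4E-24-F9", 1, "DEVICE",
     '{"mac": "00-0A-9C-4E-24-F9", "source": "mac_create", "Role ID": "3", '
     '"mac_auth": "1", "Visitor Name": "PDU"}'),
    ("00-0A-9C-4E-24-FA", 0, "DEVICE",          # disabled device
     '{"mac": "00-0A-9C-4E-24-FA", "Role ID": "3", "Visitor Name": "old printer"}'),
    ("00-0A-9C-4E-24-FB", 1, "DEVICE",          # never authenticated
     '{"mac": "00-0A-9C-4E-24-FB", "Role ID": "3", "Visitor Name": "spare PDU"}'),
    ("guest123", 1, "USER",                      # a guest account, must never be purged
     '{"Role ID": "2", "Visitor Name": "Alice"}'),
]

# Constructed endpoint records: (mac_address, auth_at as epoch seconds) - assumed format.
ENDPOINTS = [
    ("000a9c4e24f9", _epoch(NOW - timedelta(days=3))),
    ("000a9c4e24fa", _epoch(NOW - timedelta(days=100))),
]

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def to_upper_hyphen(mac: str) -> str:
    """Normalise any common MAC spelling (no separator, colons, hyphens, mixed case)
    to the Upper-Hyphen form the GDR stores as user_id, e.g. 00-0A-9C-4E-24-F9."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_db() -> sqlite3.Connection:
    """Create the in-memory sample database (constructed schema, not ClearPass's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tips_guest_users "
                 "(user_id TEXT, enabled INTEGER, guest_type TEXT, attributes TEXT)")
    conn.execute("CREATE TABLE endpoints (mac_address TEXT, auth_at INTEGER)")
    conn.executemany("INSERT INTO tips_guest_users VALUES (?, ?, ?, ?)", GUEST_USERS)
    conn.executemany("INSERT INTO endpoints VALUES (?, ?)", ENDPOINTS)
    conn.commit()
    return conn


def lookup_device_role(conn: sqlite3.Connection, raw_mac: str):
    """Return the Role ID for an enabled DEVICE entry, or None if the device is
    unknown or disabled. The username is normalised first, so a dash-less
    RADIUS User-Name still matches the hyphenated user_id."""
    user_id = to_upper_hyphen(raw_mac)
    row = conn.execute(
        "SELECT enabled, attributes FROM tips_guest_users "
        "WHERE guest_type = 'DEVICE' AND user_id = ?",
        (user_id,),
    ).fetchone()
    if row is None or not row[0]:
        return None
    # Postgres would do this in-query with attributes->>'Role ID'.
    return json.loads(row[1]).get("Role ID")


def stale_devices(conn: sqlite3.Connection, now: datetime, max_age_days: int = 60):
    """List DEVICE user_ids whose last endpoint authentication is older than
    max_age_days (or that have no endpoint record at all). USER rows are
    never considered, so guest accounts are left to the normal guest prune."""
    cutoff = _epoch(now - timedelta(days=max_age_days))
    last_seen = {to_upper_hyphen(mac): auth_at
                 for mac, auth_at in conn.execute("SELECT mac_address, auth_at FROM endpoints")}
    stale = []
    for (user_id,) in conn.execute(
            "SELECT user_id FROM tips_guest_users WHERE guest_type = 'DEVICE' ORDER BY user_id"):
        seen = last_seen.get(user_id)
        if seen is None or seen < cutoff:
            stale.append(user_id)
    return stale


if __name__ == "__main__":
    db = build_db()
    print(lookup_device_role(db, "000a9c4e24f9"))   # role of the live PDU
    print(lookup_device_role(db, "00:0a:9c:4e:24:fa"))  # disabled -> None
    print(stale_devices(db, NOW))                  # candidates for cleanup
```

The normalisation step is the same thing the accepted answer achieves by changing the MAC-auth profile format on the controller; doing it on both sides of the comparison is what makes the stale-device join reliable when endpoints and tips_guest_users store the address differently.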



  • 18.  RE: Automated clearing of macid's in static host list

    Posted Aug 08, 2016 08:32 AM

    That's exactly what I was looking for, thanks!