Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cert based authentication ClearPass

  • 1.  Cert based authentication ClearPass

    Posted Mar 07, 2019 08:14 AM

    We have set up certificate based authentication via AirWatch for mobile devices and GPO for Windows PCs. Cisco Meraki APs in place. Everything was working well until we made changes to our role mappings for dot1x wifi. In order to pull valuable reports on Insights, we added roles (Device: Business Unit "equals" xxx). This allows us to sort devices based on BU as well as location. Our enterprise is enormous. Initially, roles were set to "select first match". We changed to select all matches. Either it's a coincidence or this change has bricked some connections, causing the device to either not connect to our APs, and is now letting personal devices (not managed with AirWatch) auth using AD creds. ClearPass was previously set up by a ClearPass engineer. Any help would be greatly appreciated.



  • 2.  RE: Cert based authentication ClearPass

    Posted Mar 07, 2019 09:12 AM
    It is possible that some of the policy rules may not be in the correct order or not defined with the proper Tips role.

    Can you share the role mapping and policy enforcement?



  • 3.  RE: Cert based authentication ClearPass

    Posted Mar 07, 2019 10:07 AM

    Roles:

    1. (Authentication:Source EQUALS FGA AD) AND (Endpoint:Ownership EQUALS Corporate) -> FGA Mobile Device
    2. (Authentication:Source EQUALS FGA AD) AND (Authentication:OuterMethod EQUALS EAP-TLS) -> FGA Domain Access
    3. (Authentication:Source EQUALS FGA AD) AND (Authentication:Status EQUALS Machine) AND (Authorization:[Endpoints Repository]:Device Name NOT_EQUALS Windows XP) -> FGA Domain Access
    4. (Authentication:Source EQUALS FGA AD) AND (Endpoint:FGA Domain Computer EQUALS true) -> FGA Domain Access
    5. (Authentication:Source EQUALS FGA AD) AND (Authorization:[Endpoints Repository]:Device Name NOT_EQUALS Windows XP) -> FGA Domain Users Role
    6. (Device:Business Unit EQUALS Shared) -> Shared Role
    7. (Device:Business Unit EQUALS Student) -> Student Role
    8. (Device:Business Unit EQUALS Transit) -> Transit Role
    9. (Device:Service Mode EQUALS Enforce Mode) -> Enforcement Mode
    10. (Device:Service Mode EQUALS Monitor Mode) -> Monitor Mode

    Enforce:

    1. (Tips:Role EQUALS [TACACS Super Admin]) -> [Allow Access Profile]
    2. (Tips:Role EQUALS FGA Mobile Device) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP Remote Access Points) -> [Update Endpoint Known], FGA VLAN 75, FGA Endpoint Location and BU Update
    3. (Tips:Role EQUALS FGA Mobile Device) -> [Update Endpoint Known], FGA VLAN 999, FGA Endpoint Location and BU Update
    4. (Tips:Role EQUALS FGA Domain Access) AND (Tips:Posture EQUALS HEALTHY (0)) -> [Update Endpoint Known], FGA Domain Computer TAG, FGA Endpoint Location and BU Update
    5. (Tips:Role EQUALS FGA Domain Access) AND (Tips:Posture NOT_EQUALS HEALTHY (0)) -> [Update Endpoint Known], FGA Domain Computer TAG, FGA Meraki Quarantine, FGA Computer UnHealthy Enforcement Profile, FGA Endpoint Location and BU Update
    6. (Tips:Role EQUALS FGA Domain Users Role) AND (Connection:NAD-IP-Address BELONGS_TO_GROUP Remote Access Points) -> FGA VLAN 75, FGA Endpoint Location and BU Update
    7. (Tips:Role EQUALS FGA Domain Users Role) -> FGA VLAN 999, FGA Endpoint Location and BU Update


  • 4.  RE: Cert based authentication ClearPass

    Posted Mar 08, 2019 02:33 PM

    bump



  • 5.  RE: Cert based authentication ClearPass

    Posted Mar 11, 2019 06:35 AM

    Hi Mitch,

     

    First of all, I'd say a change from first match to match all is a "dangerous action" if you don't know super precisely how the policy is designed/working.

     

    Before your change each request was assigned only one role. Now it may be assigned more than one role. Since a line in enforcement policy is selected by assigned roles, this can have huge impact.

     

    E.g. some user/device before may have been assigned the role "FGA Domain Access" only. Now, the same request may be assigned the two roles "FGA Domain Access" and "FGA Domain User Role". E.g. if device name is not "Windows XP".

     

    Before, if none of the enforcement rules matched for role "FGA Domain Access", the request was denied.

     

    Now, since that request also has role "FGA Domain User Role", suddenly line 7 of your enforcement policy will be evaluated. The request which was denied with "first match" setting will now be allowed, just because you changed to "match all".

     

    You should check Access Tracker and compare the logins before and after your change. You should see which roles were assigned additionally and which enforcement profiles were sent to the NAS based on these roles.

    If my assumptions are right, afterwards you can either rework the conditions in your role mapping so that only one of the "FGA" roles will be assigned, or change the conditions in your enforcement policy so that having more than one of the "FGA" roles doesn't have a negative impact. I prefer the latter.

     

    Regards, Jö



  • 6.  RE: Cert based authentication ClearPass
    Best Answer

    Posted Mar 12, 2019 03:08 PM

    As mentioned, the issue is because you changed the rules evaluation algorithm to "Evaluate All".

    The AirWatch managed mobile devices were first matching condition #1 in the role mapping when part of AirWatch.

     

    Now with Evaluate All, even without being managed by AirWatch, they fulfill the conditions of condition #5 from the role mapping and get tagged with "FGA Domain Users Role". Since they receive this tag, they are getting pushed the corresponding enforcement profile.

     

    Going to Monitoring -> Audit Viewer will help you roll back the changes if needed.
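The mechanism Jö's reply and the best answer describe (one role under "select first match", several under "evaluate all", so enforcement lines written for the extra roles become reachable) is easy to reproduce in a small model. The Python below is an added example, not ClearPass code and not anything posted in the thread: it encodes the posted role-mapping rules 1-5 and enforcement rules 2-7 as predicates, runs two constructed sessions through both evaluation modes, and lists the sessions whose enforcement outcome changes, which is the before/after comparison Jö suggests doing in Access Tracker. The session attributes, the "Remote Access Points" NAD group membership, and the treatment of a missing Posture attribute (matching neither EQUALS nor NOT_EQUALS) are assumptions of this model.

```python
"""Toy model of ClearPass-style role mapping and first-match enforcement.

Added example: the rules mirror the policies posted in the thread; the
sessions, the NAD group and the missing-attribute behaviour are constructed
assumptions of this model, not claims about ClearPass internals.
"""

DENY = "[Deny Access Profile]"
# Constructed: NAD IPs assumed to sit in the "Remote Access Points" device group.
REMOTE_ACCESS_POINTS = {"10.99.0.1", "10.99.0.2"}


def attr_equals(req, key, value):
    """EQUALS: attribute must be present and equal."""
    return key in req and req[key] == value


def attr_not_equals(req, key, value):
    """NOT_EQUALS as modelled here: attribute must be present and differ.
    Assumption of this toy: a missing attribute matches neither operator."""
    return key in req and req[key] != value


# Role mapping rules 1-5 as posted (BU / service-mode rules 6-10 omitted).
ROLE_RULES = [
    (lambda r: attr_equals(r, "auth_source", "FGA AD")
               and attr_equals(r, "ownership", "Corporate"),
     "FGA Mobile Device"),
    (lambda r: attr_equals(r, "auth_source", "FGA AD")
               and attr_equals(r, "outer_method", "EAP-TLS"),
     "FGA Domain Access"),
    (lambda r: attr_equals(r, "auth_source", "FGA AD")
               and attr_equals(r, "status", "Machine")
               and attr_not_equals(r, "device_name", "Windows XP"),
     "FGA Domain Access"),
    (lambda r: attr_equals(r, "auth_source", "FGA AD")
               and attr_equals(r, "domain_computer", True),
     "FGA Domain Access"),
    (lambda r: attr_equals(r, "auth_source", "FGA AD")
               and attr_not_equals(r, "device_name", "Windows XP"),
     "FGA Domain Users Role"),
]

# Enforcement rules 2-7 as posted; the enforcement policy itself is first-match.
ENFORCEMENT_RULES = [
    (lambda r, roles: "FGA Mobile Device" in roles
                      and r.get("nad_ip") in REMOTE_ACCESS_POINTS,
     ["[Update Endpoint Known]", "FGA VLAN 75"]),
    (lambda r, roles: "FGA Mobile Device" in roles,
     ["[Update Endpoint Known]", "FGA VLAN 999"]),
    (lambda r, roles: "FGA Domain Access" in roles
                      and attr_equals(r, "posture", "HEALTHY"),
     ["[Update Endpoint Known]", "FGA Domain Computer TAG"]),
    (lambda r, roles: "FGA Domain Access" in roles
                      and attr_not_equals(r, "posture", "HEALTHY"),
     ["[Update Endpoint Known]", "FGA Meraki Quarantine"]),
    (lambda r, roles: "FGA Domain Users Role" in roles
                      and r.get("nad_ip") in REMOTE_ACCESS_POINTS,
     ["FGA VLAN 75"]),
    (lambda r, roles: "FGA Domain Users Role" in roles,
     ["FGA VLAN 999"]),
]


def map_roles(req, evaluate_all):
    """Return the Tips roles a request receives under the chosen algorithm."""
    roles = []
    for cond, role in ROLE_RULES:
        if cond(req):
            if role not in roles:
                roles.append(role)
            if not evaluate_all:  # "select first match" stops at the first hit
                break
    return roles


def enforce(req, roles):
    """First-match enforcement; the default profile is deny."""
    for cond, profiles in ENFORCEMENT_RULES:
        if cond(req, roles):
            return list(profiles)
    return [DENY]


def decide(req, evaluate_all):
    roles = map_roles(req, evaluate_all)
    return roles, enforce(req, roles)


def diff_modes(sessions):
    """Sessions whose enforcement profiles differ between the two modes."""
    changed = []
    for name, req in sessions.items():
        roles_before, profiles_before = decide(req, evaluate_all=False)
        roles_after, profiles_after = decide(req, evaluate_all=True)
        if profiles_before != profiles_after:
            changed.append({"session": name,
                            "roles_before": roles_before, "roles_after": roles_after,
                            "profiles_before": profiles_before,
                            "profiles_after": profiles_after})
    return changed


# Constructed sample sessions (not taken from the thread).
SESSIONS = {
    "airwatch-phone": {"auth_source": "FGA AD", "ownership": "Corporate",
                       "outer_method": "EAP-TLS", "status": "User",
                       "device_name": "iPhone", "nad_ip": "10.1.0.5"},
    "domain-pc-no-posture": {"auth_source": "FGA AD", "outer_method": "PEAP",
                             "status": "Machine", "domain_computer": True,
                             "device_name": "FGA-LAPTOP-01", "nad_ip": "10.1.0.5"},
}

if __name__ == "__main__":
    for entry in diff_modes(SESSIONS):
        print(entry)
```

Run as a script it reports only the machine-authenticated PC without a Posture attribute: under first match it receives "FGA Domain Access" alone, neither posture line of the enforcement policy fires, and the default deny applies; under evaluate all it additionally receives "FGA Domain Users Role", so enforcement line 7 now grants VLAN 999. The managed phone keeps the same profile in both modes because line 3 matches first, which is why a naive per-role review would not show the regression; comparing the enforcement profile actually sent, as Jö advises, does.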