Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Checking for registered guest device as part of wired mac auth connectivity

  • 1.  Checking for registered guest device as part of wired mac auth connectivity

    Posted Sep 04, 2018 10:30 AM

    Having got the ClearPass Guest device registration page set up and working, we now want to allow registered wired games consoles to be placed into a "games vlan" on a switch. I do this by assigning a "UoY Game Device" Role to the device and using this in the Enforcement policy.

     

    In my Service I've added [Guest Device Repository] Local SQL DB to the Authorization section of my service and then added

     

    (Authorization:[Guest Device Repository]:AccountStatus EQUALS 1
    AND (Authorization:[Endpoints Repository]:Category EQUALS Game Console) ........

     

    to the Role Generation  section 

     

    In ClearPass Guest (see attached file) you can see an AccountStatus set to 1

     

    However, in Policy Manager, for this device's Authentication I see

     

    Authorization:[Guest Device Repository]:AccountStatus            0
    Authorization:[Guest Device Repository]:RemainingExpiration      31535121
    Authorization:[Guest Device Repository]:SponsorName              csrv107

    So one end says AccountStatus = 1 while the other says AccountStatus = 0

     

    A



  • 2.  RE: Checking for registered guest device as part of wired mac auth connectivity

    Posted Sep 04, 2018 11:02 AM

    Hmmm, looking at Policy Manager / Authentication / Sources / [Guest Device Repository] / Attributes,

    there is a Filter called Authentication which returns Sponsor Name, Account expiration and AccountStatus.

    The associated SQL is 

     

    SELECT user_credential(password) AS User_Password,
    CASE WHEN enabled = FALSE THEN 225
    WHEN ((expire_time is not null AND expire_time <= now())) THEN 226
    ELSE 0
    END AS Account_Status, sponsor_name,
    CASE WHEN expire_time > now() THEN CAST(EXTRACT(epoch FROM (expire_time - NOW())) AS INTEGER)
    ELSE 0
    END AS remaining_expiration
    FROM tips_guest_users
    WHERE ((guest_type = 'DEVICE') AND (user_id = UPPER('%{Connection:Client-Mac-Address-Hyphen}')))

     

    So I can't see how this gets back the Account Status entry for the guest device



  • 3.  RE: Checking for registered guest device as part of wired mac auth connectivity

    Posted Sep 05, 2018 05:51 AM

    Argh!!!!!

    So the key bit is

     

    SELECT user_credential(password) AS User_Password,
    CASE WHEN enabled = FALSE THEN 225
    WHEN ((expire_time is not null AND expire_time <= now())) THEN 226
    ELSE 0
    END AS Account_Status, sponsor_name,

     

    So basically if a ClearPass guest device is enabled and good to go, AccountStatus = 0

    If the ClearPass guest device is disabled, AccountStatus = 225

    If the device is expired, AccountStatus = 226

     

    Stared at this for ages till it finally clicked; I was thinking that AccountStatus should be 1 for true!

     

    So in Policy Manager I've got the following. If the device is not registered, or is expired, it ends up in our portal; else it is dropped into the correct VLAN.

    (Authorization:[Guest Device Repository]:AccountStatus EXISTS)
    AND (Authorization:[Endpoints Repository]:Category EQUALS Game Console)
    AND (Authorization:[Guest Device Repository]:AccountStatus EQUALS 0)
    -> UoY Games Device
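The lookup and role rule worked through in this thread, as an added runnable model (example code, not from the thread or from ClearPass itself): the filter's CASE logic is adapted from PostgreSQL to SQLite, the tips_guest_users rows and MAC addresses are constructed, and games_device_role applies the final rule from the last post, including the unregistered case where AccountStatus does not exist.

```python
import sqlite3

# Status codes returned by the Guest Device Repository "Authentication" filter
# (from the thread): 0 = enabled and unexpired, 225 = disabled, 226 = expired.
STATUS_OK = 0

# Constructed sample rows (user_id, guest_type, enabled, expire_time); hypothetical MACs.
SAMPLE_DEVICES = [
    ("AA-BB-CC-00-00-01", "DEVICE", 1, "2099-01-01 00:00:00"),  # enabled, not expired
    ("AA-BB-CC-00-00-02", "DEVICE", 0, "2099-01-01 00:00:00"),  # disabled by sponsor
    ("AA-BB-CC-00-00-03", "DEVICE", 1, "2000-01-01 00:00:00"),  # past its expiry
    ("AA-BB-CC-00-00-04", "DEVICE", 1, None),                   # enabled, never expires
]

# The filter's CASE logic, adapted from PostgreSQL to SQLite (now() -> datetime('now'),
# EXTRACT(epoch ...) -> strftime('%s'), enabled = FALSE -> enabled = 0).
ACCOUNT_STATUS_SQL = """
SELECT CASE WHEN enabled = 0 THEN 225
            WHEN (expire_time IS NOT NULL AND expire_time <= datetime('now')) THEN 226
            ELSE 0 END AS Account_Status,
       CASE WHEN expire_time > datetime('now')
            THEN CAST(strftime('%s', expire_time) - strftime('%s', 'now') AS INTEGER)
            ELSE 0 END AS remaining_expiration
FROM tips_guest_users
WHERE guest_type = 'DEVICE' AND user_id = UPPER(?)
"""

def build_repository():
    """Create an in-memory stand-in for the Guest Device Repository with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tips_guest_users "
                 "(user_id TEXT, guest_type TEXT, enabled INTEGER, expire_time TEXT)")
    conn.executemany("INSERT INTO tips_guest_users VALUES (?, ?, ?, ?)", SAMPLE_DEVICES)
    return conn

def lookup(conn, client_mac):
    """Attributes Policy Manager would receive for this MAC; None when no row matches,
    which is the case where AccountStatus does not EXIST at all (unregistered device)."""
    row = conn.execute(ACCOUNT_STATUS_SQL, (client_mac,)).fetchone()
    return None if row is None else {"AccountStatus": row[0], "RemainingExpiration": row[1]}

def games_device_role(attrs, endpoint_category):
    """The final role-generation rule from the thread: AccountStatus EXISTS AND
    Category EQUALS Game Console AND AccountStatus EQUALS 0 -> 'UoY Games Device'."""
    if attrs is None or "AccountStatus" not in attrs:
        return None
    if endpoint_category == "Game Console" and attrs["AccountStatus"] == STATUS_OK:
        return "UoY Games Device"
    return None
```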