Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco VPN - iPad - endpoint check

  • 1.  Cisco VPN - iPad - endpoint check

    Posted May 14, 2015 05:26 PM

    I'd like to allow iPads to connect to Cisco VPN using EAP-PEAP.  To keep non-corporate devices from connecting by using their credentials, I'd like to confirm some of the endpoint details.  Problem is, the wifi MAC is not sent in the RADIUS message, so the endpoint attributes are not shown.  I need to figure out how to identify the iPad when it connects so I can allow/disallow it.

     

    One thing I noticed is that the UDID of the iPad is sent as a Cisco AV Pair attribute.  I'm wondering if I could somehow leverage this.  The endpoint repository already has this attribute since ClearPass syncs with the devices' MDM server.  Is there any way to take the AV Pair attribute from the request, search for it in the endpoint repository, and then confirm that device is enrolled in MDM?

     

    Other ideas are welcome.  Thank you.



  • 2.  RE: Cisco VPN - iPad - endpoint check

    EMPLOYEE
    Posted May 14, 2015 07:41 PM

    I don't have any way to test this, but here is my stab:

     

    Try creating a custom authentication source that checks the Endpoints Repository:

     

    compnerd-vpn.PNG



  • 3.  RE: Cisco VPN - iPad - endpoint check

    Posted May 14, 2015 08:24 PM

    Man, that looks like it would do the trick.  I'm away from the office until Monday, but will give it a shot then.  Will report back. Thanks Tim!



  • 4.  RE: Cisco VPN - iPad - endpoint check

    Posted May 18, 2015 05:09 PM

    Was I supposed to create a local SQL authentication source that mirrors the Endpoint Repository and copy/paste this in there?  If so, I'm getting an error about syntax being incorrect.  The other issue is the Cisco-AVPair from the VPN requests contains "mdm-tlv=device-uid=", with the UDID following.  So I need the filter to see if it contains the UDID, not a complete match.  Any thoughts?


    Thanks!



  • 5.  RE: Cisco VPN - iPad - endpoint check

    EMPLOYEE
    Posted May 21, 2015 07:43 PM

    Ah. We can't do authentication because you're doing an authorization. The attribute name doesn't matter (and probably should be called corpmacaddr), but just be sure to change it in the query.

     

    Try this:

     

    jay-ciscovpn-1.PNG

     

    jay-ciscovpn-3.PNG

     

    Then in your enforcement, just see if that attribute EXISTS.

     

    jay-ciscovpn-4.PNG

     

     



  • 6.  RE: Cisco VPN - iPad - endpoint check

    Posted Jun 04, 2015 09:26 AM

    Thanks Tim.  We're getting closer, but having an issue with the filter:

     

    WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =SELECT mac_address as corpudid FROM tips_endpoints WHERE '%{Radius:Cisco:Cisco-AVPair}' = 'mdm-tlv=device-uid=%{Endpoint:Device UDID}', error=No values for param=Endpoint:Device UDID
    ERROR ExtDB.DBQuery - execute: Failed to construct filter=SELECT mac_address as corpudid FROM tips_endpoints WHERE '%{Radius:Cisco:Cisco-AVPair}' = 'mdm-tlv=device-uid=%{Endpoint:Device UDID}'
    ERROR ExtDB.DBQuery - Failed to get value for attributes=Corp-UDID]

     

    I take it that the "Endpoint:Device UDID" portion is incorrect?  I tried other things like "Endpoint:Device-udid" and "Endpoint:UDID" but get the same result.  Is there some way to examine the tips db to determine what the actual parameter is?



  • 7.  RE: Cisco VPN - iPad - endpoint check

    EMPLOYEE
    Posted Jun 04, 2015 09:29 AM
    Can you look at a client in the Endpoints Repository and see what attribute is listed on the attributes tab?


  • 8.  RE: Cisco VPN - iPad - endpoint check

    Posted Jun 04, 2015 09:32 AM

    "UDID"
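Putting replies 4, 6 and 8 together as an added example (Python, not ClearPass code and not any poster's own): it pulls the device-uid out of the `mdm-tlv=device-uid=` Cisco-AVPair value with a prefix match rather than an exact match, looks it up against a constructed stand-in for the Endpoints Repository keyed on the `UDID` attribute, and returns the MAC the way the thread's `SELECT mac_address as corpudid` filter would, so enforcement can simply test whether that value EXISTS. The case-insensitive UDID comparison and the sample data are assumptions, not from the thread.

```python
from typing import Dict, List, Optional

# Prefix carried in the Cisco-AVPair value, as quoted in reply 4.
DEVICE_UID_PREFIX = "mdm-tlv=device-uid="


def extract_device_uid(avpairs: List[str]) -> Optional[str]:
    """Return the device-uid from the request's Cisco-AVPair values, or None.

    A VPN request may carry several AV pairs, so only the one that starts
    with 'mdm-tlv=device-uid=' is used, and the UDID is taken from what
    follows the prefix (a contains/prefix test, not a whole-value match).
    """
    for value in avpairs:
        if value.startswith(DEVICE_UID_PREFIX):
            uid = value[len(DEVICE_UID_PREFIX):].strip()
            if uid:          # an empty device-uid is treated as absent
                return uid
    return None


def find_corp_mac(avpairs: List[str], endpoints: List[Dict[str, str]]) -> Optional[str]:
    """Mirror of the 'SELECT mac_address as corpudid ...' authorization filter.

    Returns the mac_address of the endpoint whose 'UDID' attribute (the
    attribute name reported in reply 8) matches the device-uid, else None.
    A returned value corresponds to the attribute EXISTS enforcement check.
    Case-insensitive comparison is an assumption added here.
    """
    uid = extract_device_uid(avpairs)
    if uid is None:
        return None
    for endpoint in endpoints:
        if endpoint.get("UDID", "").lower() == uid.lower():
            return endpoint["mac_address"]
    return None


# Constructed stand-in for the MDM-synced Endpoints Repository (not real data).
ENDPOINTS = [
    {"mac_address": "aabbccddeeff", "UDID": "0123456789abcdef0123456789abcdef01234567"},
    {"mac_address": "001122334455", "UDID": "fedcba9876543210fedcba9876543210fedcba98"},
]

# Constructed Cisco-AVPair lists: one MDM-enrolled iPad, one unknown device.
CORP_REQUEST = ["mdm-tlv=device-platform=apple-ios",
                "mdm-tlv=device-uid=0123456789ABCDEF0123456789ABCDEF01234567"]
BYOD_REQUEST = ["mdm-tlv=device-uid=ffffffffffffffffffffffffffffffffffffffff"]

if __name__ == "__main__":
    for label, request in (("corp", CORP_REQUEST), ("byod", BYOD_REQUEST)):
        mac = find_corp_mac(request, ENDPOINTS)
        print(label, "ALLOW" if mac else "DENY", mac)
```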