Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Design Question

  • 1.  ClearPass Design Question

    Posted Apr 12, 2019 12:26 PM

    Hi all.

    I've currently got ClearPass performing authentication for my various 802.1X networks, and I'm hoping to relocate my guest Captive Portal from the controller to ClearPass. I'm currently in the testing phase over here.

    What I've gotten going so far, with a combination of TAC and PS, is this:

    A user connects to Guest and gets redirected to the CP page. They can click "I accept", in which case they end up in the CP_Guest role, or they can click "Employee logon", in which case they get redirected to another page. On that page they can log in with their AD creds, and if successful, end up in the CP_Employee role.

    Both roles actually dump people to the same VLAN, the only difference being that the caching time assigned to those who get CP_Guest is 24 hours, and the caching time assigned to those who get CP_Employee is one month. The session time for each role is also set so that CP_Guest's session is 24 hours, and CP_Employee's session is one month.

    (The primary reason for this entire thing is that the #1 complaint about our wireless is employees complaining about having to sign back in every day.)

    And what I've got configured so far is actually working pretty well. I've just found one small problem: when someone in CP_Employee leaves campus and then returns, they end up in the CP_Guest role.

    The reason for this is that the Services are set up such that checking the MAC cache comes first, so that those who are already cached just get straight onto the Guest with no issue. Then, the next policy is the one that handles the Captive Portal page.

    I guess my question would be... is there a way to set some flag or attribute such that when someone authenticates and gets into the CP_Employee role, when they return and hit the MAC cache policy, that attribute can be used as part of the conditions to determine which Role they end up in?

    Currently, this isn't really a big deal, since the primary objective of the length of the caching and session timers is working correctly, and CP_Guest and CP_Employee are currently only differentiated by the size of their bandwidth contracts. But it's always possible design decisions will change and we'll want to be able to process employees and guests separately. And, of course, I'd rather get this worked out ahead of cutting over to the ClearPass captive portal for production.



  • 2.  RE: ClearPass Design Question

    Posted Apr 12, 2019 02:27 PM
    In the first place, you can use the same login page for guest and employee access. The service within Policy Manager is able to handle this when adding multiple auth sources. Based on the authentication attributes you can push the correct role. Unless you have some specific requirements, it's not better to create two pages.

    For MAC caching, some attributes will be written to the endpoints database. During a MAC auth, the endpoint's attributes will be used to see if MAC caching is allowed. You can save a specific attribute/value to the endpoint when the user is an employee. During MAC auth, validate this attribute.

    When using the wizard for guest MAC caching, I think this is done automatically. There is an attribute called Guest Role ID. Value 1 is for a guest and 2 for an employee.

    Please check the role mappings.
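The following is an added illustration, not code from the thread or from ClearPass: a small Python model of the two-service flow the original post describes (MAC-cache service evaluated first, captive portal second) and of the fix the reply suggests (write a role attribute to the endpoint record at portal authentication time, then read it in the MAC-auth role mapping). The endpoint attribute names "Guest Role ID" and "MAC-Auth Expiry" and the values 1 (guest) / 2 (employee) are assumptions taken from the reply above and must be verified against the role mappings in your own deployment; the in-memory `endpoint_db`, the 24 h / 30 day lifetimes and the MAC addresses are constructed for the example. The point it shows is that once the role id is stored on the endpoint, the service order no longer decides the role: an expired or missing cache entry falls through to the portal, and a valid entry returns the role that was stored, not a default of CP_Guest.

```python
"""Model of the ClearPass MAC-caching / captive-portal design from the thread.

Added example; the endpoint attribute names and role id values below are
assumptions to verify against your own ClearPass role mappings.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Role ids as stated in the reply (assumption: verify in your deployment).
GUEST_ROLE_ID = "1"
EMPLOYEE_ROLE_ID = "2"

# Cache lifetime per role, as described in the post: 24 h guest, one month employee.
CACHE_LIFETIME = {
    GUEST_ROLE_ID: timedelta(hours=24),
    EMPLOYEE_ROLE_ID: timedelta(days=30),
}

# Enforcement role returned for each stored role id.
ENFORCEMENT_ROLE = {GUEST_ROLE_ID: "CP_Guest", EMPLOYEE_ROLE_ID: "CP_Employee"}

# Constructed reference time for the walkthrough (date of the post).
T0 = datetime(2019, 4, 12, 12, 0)


def at(hours):
    """T0 plus the given number of hours; convenience for the walkthrough."""
    return T0 + timedelta(hours=hours)


@dataclass
class Endpoint:
    mac: str
    attributes: dict = field(default_factory=dict)


# Stand-in for the ClearPass endpoint repository (MAC -> Endpoint).
endpoint_db = {}


def captive_portal_auth(mac, now, employee_login=False, ad_password_ok=False):
    """Service 2: captive portal. Writes role id and cache expiry to the endpoint.

    Returns the enforcement role, or None when the employee AD login fails
    (nothing is cached in that case, so the next connection hits the portal again).
    """
    if employee_login and not ad_password_ok:
        return None
    role_id = EMPLOYEE_ROLE_ID if employee_login else GUEST_ROLE_ID
    ep = endpoint_db.setdefault(mac, Endpoint(mac))
    ep.attributes["Guest Role ID"] = role_id                    # assumed attribute name
    ep.attributes["MAC-Auth Expiry"] = (now + CACHE_LIFETIME[role_id]).isoformat()
    return ENFORCEMENT_ROLE[role_id]


def mac_auth(mac, now):
    """Service 1: MAC auth. Returns the cached role, or None to fall through to the portal."""
    ep = endpoint_db.get(mac)
    if ep is None:
        return None
    expiry = ep.attributes.get("MAC-Auth Expiry")
    if expiry is None or datetime.fromisoformat(expiry) <= now:
        return None  # cache expired or never populated: re-authenticate via portal
    # Role mapping on the stored attribute. Without this lookup every cached
    # endpoint would land in CP_Guest, which is the problem in the original post.
    return ENFORCEMENT_ROLE.get(ep.attributes.get("Guest Role ID"), "CP_Guest")


def connect(mac, now, **portal_kwargs):
    """Evaluate services in the order the post describes: MAC cache first, then portal.

    Returns (enforcement_role, service_that_decided).
    """
    role = mac_auth(mac, now)
    if role is not None:
        return role, "mac-cache"
    return captive_portal_auth(mac, now, **portal_kwargs), "captive-portal"


if __name__ == "__main__":
    endpoint_db.clear()
    print(connect("aa:bb:cc:dd:ee:02", at(0), employee_login=True, ad_password_ok=True))
    print(connect("aa:bb:cc:dd:ee:02", at(72)))       # returns days later: still CP_Employee
    print(connect("aa:bb:cc:dd:ee:02", at(31 * 24)))  # cache expired: back to the portal
```

Running the module prints the employee walkthrough: the first connection is decided by the portal, the return visit three days later by the MAC cache with the stored employee role, and the visit after the one-month window falls back to the portal. The same ordering applies to guests with the shorter 24 h window.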