
Re: ClearPass EAP TLS configuration

Hi Troy,

I wanted to follow up on this post to see if CPPM 6.3 has any additional checks for whether an AD account is active or disabled?

Thanks!

-Mike


Re: ClearPass EAP TLS configuration

Yes, when you auth with TLS, CPPM will also check to see if the account is still valid. Even though you are using a cert, the username is still embedded in the cert.

It's been a while since I have tested it. In older versions you would have to manually configure it, but I believe in later versions of 6.2 it is built in.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.

Re: ClearPass EAP TLS configuration

Hi Troy,

I have a customer install of 6.2.5 and I'm not able to get it to work. I've disabled the account in AD, cleared the AD source cache, and it's still able to log in.

I'll play around with it over the next few days. I've also asked a TAC engineer to take a look, so we'll see. I'll post an answer on here if / when I find something.

-Mike


Re: ClearPass EAP TLS configuration

So there are two parts here: account active or account disabled.

For account active:

"accountExpires", two paths:

1. For MSCHAPv2 or PAP or any of those things, the authentication will fail, i.e. the AD will deny the transaction. Given this, the authentication will fail and, as a result, there is an ensuing RADIUS Access-Reject from CPPM.

2. For "authorization" purposes, say a BYO device appears with a TLS certificate that's still valid, but the AD account behind it has expired. An authz check will work, given the account still exists but has simply expired. Given this, we had to add a check to look for the expiry status and compute that into "normal" date-time values (instead of nano-second ticks since 1600 A.D.).

Account disabled:

You'll need to use the LDAP filter:

(&(sAMAccountName=%{Authentication:Username})(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

There is a how-to on Arubapedia. I updated the class so partners can see it, but it will take a day for it to show up.

Search:

How to: Enforce Account Disabled with AD when using TLS Certificates
Thank You,
Troy


Re: ClearPass EAP TLS configuration

Troy,

Awesome! It took me a little bit to figure out since this isn't an area that I often touch. I'm going to put your information together with my post from a few months back. I'm writing up the below so I don't forget.

Here are the full steps to pull it off:

 

Go to Configuration > Authentication > Sources > "Your AD Server"

 

1. Click on the "Attributes" tab

2. Click on "Add More Filters"

3. Click on the "Configuration" tab

4. Under "Filter Name" enter something relevant for you. I'm going to call it ToP-Test2

5. Under "Filter Query" enter the following:

 

(&(sAMAccountName=%{Authentication:Username})(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

 

6. Under "Name" enter the following: sAMAccountName

7. Under "Alias Name" enter the following: ToP-ActiveAccount

8. Under "Data Type" select "String"

9. Under "Enabled As" check the "Attribute" box

 

Go to the Wireless 802.1X service under Configuration > Services > "Your 802.1X wireless service" 

 

1. Go to Roles > Modify the Role Mapping for this service

2. Go to Mapping Rules > Click on "Add Rule"

      i. Type = Authorization:AD

      ii. Name = ToP-ActiveAccount

      iii. Operator = NOT_EXISTS

      iv. Role Name = "Deny All"

      v. Click "Save"

3. Go to Enforcement > Modify the Enforcement Policy

4. Go to Rules > Click on "Add Rule"

      i. Type = Tips

      ii. Name = Role

      iii. Operator = EQUALS

      iv. Value = Deny All

      v. Enforcement Profiles > Profiles Name > [RADIUS] [ Deny Access Profile ] 

      vi. Click "Save"

5. Move this Enforcement profile to the top of the list and click "Save" in the bottom right-hand corner

 

To verify that it is working, go to Access Tracker > Input > Authorization Attributes. Active AD accounts should appear as the sAMAccountName username to the right of something similar to "Authorization:Windows-2012:ToP-ActiveAccount". A disabled account in AD will not be present.
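The two checks Troy describes (the bit-AND LDAP filter for disabled accounts, and converting accountExpires into a real date) and the NOT_EXISTS role-mapping logic in Mike's walkthrough, as an added Python example that is not part of this thread, of Arubapedia, or of ClearPass itself: it evaluates the same conditions offline against constructed directory entries, so you can see why a disabled account shows up as a missing attribute while an expired one needs a separate date check. accountExpires is a Windows FILETIME, counted in 100-nanosecond intervals since 1601-01-01 UTC, where 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires". The sample usernames, the dictionary layout of the entries, and the fixed NOW timestamp are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Active Directory userAccountControl bit tested by the thread's filter:
# "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" uses the
# LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803) against bit 0x2.
ACCOUNTDISABLE = 0x0002

# accountExpires is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
# 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(ticks):
    """Convert accountExpires ticks to an aware datetime; None means 'never'."""
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample entries."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_disabled(entry):
    """True when the ACCOUNTDISABLE bit is set, which is what the bit-AND filter excludes."""
    return bool(int(entry["userAccountControl"]) & ACCOUNTDISABLE)


def is_expired(entry, now):
    """True when accountExpires holds a real date that has already passed."""
    expires = filetime_to_datetime(int(entry["accountExpires"]))
    return expires is not None and expires <= now


def matches_active_filter(entry, username):
    """Same three conditions as the thread's LDAP filter, applied to one entry."""
    return (entry["sAMAccountName"].lower() == username.lower()
            and "user" in entry["objectClass"]
            and not is_disabled(entry))


def authorize(directory, username, now):
    """Authorization decision for a certificate holder. Returns (allowed, reason).

    The filter never returns a disabled account, so to the role-mapping rule a
    disabled user looks like a missing attribute (NOT_EXISTS -> Deny All).
    Expiry is not covered by the filter and needs the separate date check.
    """
    matches = [e for e in directory if matches_active_filter(e, username)]
    if not matches:
        return (False, "ToP-ActiveAccount NOT_EXISTS: no such account or account disabled")
    if is_expired(matches[0], now):
        return (False, "account expired")
    return (True, "account active")


# Constructed sample entries (not real directory data). 512 = NORMAL_ACCOUNT,
# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE. NOW is a fixed, constructed clock.
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "alice", "objectClass": USER_CLASSES,
     "userAccountControl": 512, "accountExpires": 0},
    {"sAMAccountName": "bob", "objectClass": USER_CLASSES,
     "userAccountControl": 514, "accountExpires": 0},
    {"sAMAccountName": "carol", "objectClass": USER_CLASSES,
     "userAccountControl": 512,
     "accountExpires": datetime_to_filetime(datetime(2014, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "dave", "objectClass": USER_CLASSES,
     "userAccountControl": 512, "accountExpires": 0x7FFFFFFFFFFFFFFF},
]


def demo():
    """Run every sample user plus one unknown username through the decision."""
    return {name: authorize(SAMPLE_DIRECTORY, name, NOW)
            for name in ("alice", "bob", "carol", "dave", "erin")}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:6} allowed={allowed!s:5} {reason}")
```

Run it and bob (disabled) and erin (no account) both fall into the NOT_EXISTS branch, which is the behaviour the role-mapping rule relies on; carol passes the filter but is rejected by the date check, which is the gap Troy's second path describes.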


Re: ClearPass EAP TLS configuration

Hi,

I did the same configuration except not using a role mapping policy. I directly use the account status to decide which enforcement policy to apply. However, the user was able to get connected even with the account disabled. I checked the Access Tracker and found out that there was nothing in the Input tab > Authorization Attributes except authorization:userDN = "". I did enable authorization for the service and put AD as an additional source of authorization. Please advise.
