This is an illustration of a recent scenario during the implementation process for one of our customers.
Customer Requirements:
Solution
- Use ClearPass Onguard Persistant Agent as NAC solution for the following devices:
- Domain Windows Laptops
- Non-Domain Windows Laptops
- Mac OS X
- How to distribute the Onguard Persistent Agent based on the device type:
- Domain Windows Laptops : Distribute the Onguard Persistent Agent using a Windows Group Policy (GPO)
- Non-Domain Windows Laptops and Mac OS X : Redirect the user to a Captive Portal page to download the Onguard Agent
- Allow users with Non-Domain Devices to Bypass the Captive Portal page to download the Onguard Agent and provide Internet Only Access
Software Requirements:
- ClearPass:
- Policy Manager License
- Guest Module License
- Onguard Module License
- Version 6.3.6.x and Up
- Aruba Controller
- Version 6.4.2.1 and up
- Aruba Policy Enforcement Firewall License
To accomplish this I will use the following ClearPass features:
- Endpoint Database (Custom Attributes)
- Post Authentication Enforcement Profile
- Insight Repository (Successful-Login-Count)
- Web-Login (Server-Initiated)
FLOWCHART:
Note: This flowchart only includes the logic for the Agent Bypass configuration
CLEARPASS CONFIGURATION
1 - Endpoint Custom Attributes
We can use custom attributes to tag devices and then use that tag to make a decision on the enforcement policy
1.1 - Create attribute BYPASS-ATTR that will be use to tag the device if the user decides to bypass and not download the Onguard Agent
2 - Post Authentication Enforcement Profile
The post authentication enforcement profile allows us to make updates to certain/devices and in this case to the endpoint database , we will create two post auth enforcement profiles:
2.1 - The BYPASS-ATTR-UPDATE will add the BYPASS-ATTR=Yes to the device during the WEBAUTH when the user bypass the installation of the Onguard Agent
2.2 - The NO-BYPASS-ATTR-UPDATE will add the BYPASS-ATTR=No , the first time the device connects past 12AM which in this case the user will be redirected to download the Onguard Agent.
3 - Web Login Page
This will be the page we will use to redirect the users to download the persistent Onguard Agent.
3.1- Create a Web Login Page with the following :
- Server-Initiated login method , the web authentication will be processed by the ClearPass server but in order for this to work the mac address of the device needs to be included in the browser
- Anonymous Login (Creates a Guest Account with no limits)
- The page will present which Onguard Agent to installed based device OS (Mac or Windows)
- Custom button "EXTERNAL"
- Assign a Login Delay of 25 seconds to give time for the CoA/PostAuth Attributes that is added during the WEBAUTH service and 802.1X Reauth to occur
Note: Once the Web Login is created the guest account will show up in the guest user repository , make sure that this account doesn't get deleted
4- Web Auth Service
The web auth service will be use to do the following:
- Do a successfull authentication using the Anonymous Guest Account
- Tag device with the BYPASS-ATTR-UPDATE-PROFILE / BYPASS-ATTR=Yes
- Perform a CoA
4.1 - First we need to define the Guest User Repository as the Authentication Source and use it as an Authorization Source
4.2 - In the WEBAUTH Role Mapping we will label the Anonymous Guest Account with the tips BYPASS-ROLE (This portion is OPTIONAL) , I used this method because it makes easier when troubleshooting in access tracker and determine what logic should be applied based on the label
4.3 - Use the tips BYPASS-ROLE as a condition to apply the Post Auth Enfocerment Profile and the CoA
5- 802.1x Auth Service
The 802.1x Auth Service will be use for the following purposes:
- Authenticated 802.1x capable devices and provide access based on the posture and type of device.
- Redirect a NON-Domain device (Windows/Mac OSX) to download the agent if these have an "UNKNOWN" posture and connected to wireless network for the first time since 12AM.
- Provide Internet Only Access if the device bypassed the Onguard Agent page and has been connected more than once since 12AM.
5.1 - The PERSISTENT-ONGUARD-PROFILE Radius enforcement profile will be use to send back to the controler the Aruba-User-Role = PERSISTENT-ONGUARD-CP-ROLE and this controller role will allow the user to be redirected to the Onguard Agent Download Page
5.2 - The INTERNET-ACCESS-PROFILE Radius enforcement profile will be use to send back to the controler the Aruba-User-Role = INTERNET-ACCESS-ROLE and this controller role will be use for users that bypass the Onguard Agent download page
5.3 - 802.1x Role Mapping will be use for the following purposes:
- Label the device with a Successful-Login-Count ≤ 1 with the FIRST-LOGIN-PAST-12AM tips role
- Label the device with a Successful-Login-Count ≥ 2 with the NON-FIRST-LOGIN-PAST-12AM tips role
- Label the device tagged with the BYPASS-ATTR = Yes with the BYPASS-ROLE tips role
5.4- The 802.1x Enforcement Policy uses the following logic :
- Third Rule: A brand new NON-Domain Computer (Windows or Mac OSX) with an "UNKNOWN" posture will be redirected to the Onguard Agent Download Page.
- First Rule: If the user decides to Bypass the Onguard Agent Download Page then the user will get the Internet Only access user-role.
- Second Rule: When a user connect using a device tagged with the BYPASS-ATTR=Yes , comes back and authenticates for the first time after 12AM it will be redirected to the Onguard Agent Download Page.
6- Validation
6.1 - A brand new NON-Domain Computer (Windows or Mac OSX) performs an 802.1x authentication and it has an "UNKNOWN" posture it will be redirected to the Onguard Agent Download Page.
6.2 - The user is presented with the Web-Login (Server-Initiated) / Onguard Agent Download Page.
6.3 - Once the user clicks on the "EXTERNAL ACCESS" button it will initiate the WEBAUTH with the Anonymous Login using the Guest Account=72306207, there's also a "25 Seconds" Delay that is added to the Web Login so there's enough time for the whole process to complete.
6.3.1- Here's closer look at some of the details of WEBAUTH request from the Summary Tab
6.4- When the BYPASS-ATTR=Yes tagged device performs the 802.1x reauth it will receive the Internet Access only user-role