Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass unauthenticated users enforcement

  • 1.  ClearPass unauthenticated users enforcement

    Posted Apr 17, 2012 09:47 AM

    I'm looking at a scenario where I want to do something (assign a VLAN) to users who don't show up in any of the authentication sources. Is there anything special I have to do to make this happen?

    I would assume that just having an enforcement profile that does this as the default should be enough. Or is the fact that the authentication lookup part fails the cause this doesn't work?



  • 2.  RE: ClearPass unauthenticated users enforcement

    EMPLOYEE
    Posted Apr 17, 2012 10:17 AM

    Instead of using the default enforcement profile of "deny access profile," just create a new one. Use that enforcement profile as the default to put them on an "all else fails" VLAN. In my example below, I created a profile called "Guest_VLAN." If a user fails auth, they get this VLAN.

    cp_enf_def_profile.JPG



  • 3.  RE: ClearPass unauthenticated users enforcement

    Posted Apr 17, 2012 11:48 AM

    That is pretty much what I did, and I did get the enforcement profile I expected to see at Access Tracker > Request Details > Summary when checking with a random non-existent user.

    But it does show the line as REJECT in the Access Tracker and there are warnings about the user not existing in the checked authentication sources (which makes sense of course). When looking at the 802.1X authenticator device I see it gets an Access-Reject message.

    What could cause this if it should work in principle?



  • 4.  RE: ClearPass unauthenticated users enforcement

    Posted Apr 18, 2012 05:17 AM

    OK, riddle me this: created the most basic wired service, needed an authentication source so used the local DB and gave it a default Allow Access enforcement profile. But still the request ends up in the Access Tracker as REJECT and I guess therefore an Access-Reject is sent to the 802.1X authenticator, making access impossible.

    Access Tracker shows the correct enforcement profile:

    Enforcement Profiles:[Allow Access Profile]



  • 5.  RE: ClearPass unauthenticated users enforcement

    EMPLOYEE
    Posted Apr 19, 2012 11:44 AM

    @boneyard wrote:

    OK, riddle me this: created the most basic wired service, needed an authentication source so used the local DB and gave it a default Allow Access enforcement profile. But still the request ends up in the Access Tracker as REJECT and I guess therefore an Access-Reject is sent to the 802.1X authenticator, making access impossible.

    Access Tracker shows the correct enforcement profile:

    Enforcement Profiles:[Allow Access Profile]


    Right, if you set the default to Allow Access Profile, it will use that profile if it fails. So, you always want some sort of deny or guest as the default.

    As far as why it didn't work, I'd have to see the full output. Can you post the logs from the failed access request? You can get these by clicking the "Export" button in Access Tracker after clicking on the failed attempt.



  • 6.  RE: ClearPass unauthenticated users enforcement

    EMPLOYEE
    Posted Apr 19, 2012 11:50 AM

    @boneyard wrote:

    That is pretty much what I did, and I did get the enforcement profile I expected to see at Access Tracker > Request Details > Summary when checking with a random non-existent user.

    But it does show the line as REJECT in the Access Tracker and there are warnings about the user not existing in the checked authentication sources (which makes sense of course). When looking at the 802.1X authenticator device I see it gets an Access-Reject message.

    What could cause this if it should work in principle?


    For your Guest_VLAN, is the profile action set to Accept or Reject?

    cp_enf_guest_vlan_accept.JPG



  • 7.  RE: ClearPass unauthenticated users enforcement

    Posted Apr 27, 2012 10:02 AM

    Guest_VLAN profile is set to Accept.

    As for the log, here it is:

    Request log details for session: R000000af-01-4f9aa391
    Time    Message
    2012-04-27 15:48:01,006         [Th 3 Req 952 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization
    2012-04-27 15:48:01,010         [RequestHandler-1-0x44078940 r=auto-380 h=47 r=R000000af-01-4f9aa391] INFO Core.ServiceReqHandler - Service classification result = Copy_of_wired-802.1x-test
    2012-04-27 15:48:01,011         [Th 3 Req 952 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Copy_of_wired-802.1x-test"
    2012-04-27 15:48:01,012         [Th 3 Req 952 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
    2012-04-27 15:48:01,015         [Th 3 Req 952 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_eap_peap: Initiate
    2012-04-27 15:48:01,025         [Th 4 Req 953 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
    2012-04-27 15:48:01,025         [Th 4 Req 953 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
    2012-04-27 15:48:01,032         [Th 4 Req 953 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
    2012-04-27 15:48:01,043         [Th 5 Req 954 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
    2012-04-27 15:48:01,043         [Th 5 Req 954 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
    2012-04-27 15:48:01,057         [Th 1 Req 955 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
    2012-04-27 15:48:01,057         [Th 1 Req 955 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
    2012-04-27 15:48:01,059         [Th 1 Req 955 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_eap_peap: Session established.
    2012-04-27 15:48:01,067         [Th 2 Req 956 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
    2012-04-27 15:48:01,067         [Th 2 Req 956 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
    2012-04-27 15:48:01,070         [Th 2 Req 956 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
    2012-04-27 15:48:01,073         [Th 2 Req 956 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_eap_mschapv2: Issuing Challenge
    2012-04-27 15:48:01,084         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
    2012-04-27 15:48:01,084         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
    2012-04-27 15:48:01,087         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
    2012-04-27 15:48:01,087         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
    2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_eap_mschapv2: Received MSCHAPv2 Response from client
    2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
    2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
    2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] WARN Common.AuthenticationStatus - populateAuthStatus: Unknown Authentication Status=Failed
    2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 0019b966c8e2
    2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3002 entity id = 29
    2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3002
    2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3002|entityId=29
    2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3002|entity=Device
    2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
    2012-04-27 15:48:01,093         [RequestHandler-1-0x44078940 h=2767 c=R000000af-01-4f9aa391] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2012-04-27 15:48:01,094         [RequestHandler-1-0x44078940 h=2769 c=R000000af-01-4f9aa391] INFO Core.PETaskRoleMapping - Roles: Guest]
    2012-04-27 15:48:01,096         [RequestHandler-1-0x44078940 r=R000000af-01-4f9aa391 h=2771 c=R000000af-01-4f9aa391] INFO Core.PolicyResCollector - updateSpt: SPT set to: QUARANTINE force=1
    2012-04-27 15:48:01,096         [RequestHandler-1-0x44078940 r=R000000af-01-4f9aa391 h=2771 c=R000000af-01-4f9aa391] INFO Core.PETaskPolicyResult - Update internal roleIds=:
    2012-04-27 15:48:01,096         [RequestHandler-1-0x44078940 r=R000000af-01-4f9aa391 h=2771 c=R000000af-01-4f9aa391] INFO Core.PETaskPolicyResult - Update external roles=:
    2012-04-27 15:48:01,097         [RequestHandler-1-0x44078940 h=2772 c=R000000af-01-4f9aa391] INFO Core.PETaskEnforcement - EnfProfiles: enforcement-prof-vlan-wired-vlan20-basic
    2012-04-27 15:48:01,097         [RequestHandler-1-0x44078940 h=2773 c=R000000af-01-4f9aa391] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
    2012-04-27 15:48:01,097         [RequestHandler-1-0x44078940 h=2773 c=R000000af-01-4f9aa391] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: enforcement-prof-vlan-wired-vlan20-basic
    2012-04-27 15:48:01,098         [RequestHandler-1-0x44078940 h=2773 c=R000000af-01-4f9aa391] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
    2012-04-27 15:48:01,098         [RequestHandler-1-0x44078940 h=2775 c=R000000af-01-4f9aa391] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
    2012-04-27 15:48:01,100         [RequestHandler-1-0x44078940 h=2777 c=R000000af-01-4f9aa391] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
    2012-04-27 15:48:01,101         [RequestHandler-1-0x44078940 h=2777 c=R000000af-01-4f9aa391] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2012-04-27 15:48:01,101         [RequestHandler-1-0x44078940 h=2776 c=R000000af-01-4f9aa391] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2012-04-27 15:48:01,101         [RequestHandler-1-0x44078940 r=R000000af-01-4f9aa391 h=2767 c=R000000af-01-4f9aa391] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
    2012-04-27 15:48:01,104         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
    2012-04-27 15:48:01,104         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
    2012-04-27 15:48:01,113         [Th 4 Req 958 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Copy_of_wired-802.1x-test"
    2012-04-27 15:48:01,113         [Th 4 Req 958 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
    2012-04-27 15:48:01,117         [Th 4 Req 958 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_policy: Bypassing Policy Evaluation.

    Access Tracker lists the request as REJECT with this alert:

    Error Code:      216
    Error Category: Authentication failure
    Error Message:     User authentication failed
     Alerts for this Request  
    RADIUS     tdc-01 - tdc-01.test.loc: User not found.
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure
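The log above shows the pattern the thread is about: the policy engine selects an ACCEPT enforcement profile (EnfProfileAction=ACCEPT), but rlm_mschap has already failed because no authentication source held a password hash for the user, so the request is still recorded as REJECT. The following Python is an added example, not code from the post or from ClearPass: it parses a trimmed copy of the posted Access Tracker lines, pulls out the service, the sources searched, the authentication errors and the enforcement decision, and applies the rule the thread establishes (failed authentication wins over the profile's ACCEPT action). The RequestSummary class, the line regex and the findings wording are the example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# Trimmed copy of the Access Tracker request log posted above: only the lines
# the verdict depends on (session id, service and profile names are the post's).
SAMPLE_LOG = r"""
2012-04-27 15:48:01,011         [Th 3 Req 952 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Copy_of_wired-802.1x-test"
2012-04-27 15:48:01,012         [Th 3 Req 952 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_ldap: searching for user TEST\unknownuser in AD:tdc-01.test.loc
2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] ERROR RadiusServer.Radius - rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
2012-04-27 15:48:01,088         [Th 3 Req 957 SessId R000000af-01-4f9aa391] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2012-04-27 15:48:01,092         [RequestHandler-1-0x44078940 r=auto-381 h=48 r=R000000af-01-4f9aa391] WARN Common.AuthenticationStatus - populateAuthStatus: Unknown Authentication Status=Failed
2012-04-27 15:48:01,094         [RequestHandler-1-0x44078940 h=2769 c=R000000af-01-4f9aa391] INFO Core.PETaskRoleMapping - Roles: Guest]
2012-04-27 15:48:01,097         [RequestHandler-1-0x44078940 h=2772 c=R000000af-01-4f9aa391] INFO Core.PETaskEnforcement - EnfProfiles: enforcement-prof-vlan-wired-vlan20-basic
2012-04-27 15:48:01,097         [RequestHandler-1-0x44078940 h=2773 c=R000000af-01-4f9aa391] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
2012-04-27 15:48:01,104         [Th 3 Req 957 SessId R000000af-01-4f9aa391] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
"""

# timestamp  [context]  LEVEL  logger - message   (shape of the exported log lines)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+"
    r"\[(?P<ctx>[^\]]*)\]\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)


@dataclass
class RequestSummary:
    service: Optional[str] = None
    lookups: List[str] = field(default_factory=list)       # auth sources searched, in order
    auth_errors: List[str] = field(default_factory=list)   # rlm_mschap FAILED reasons
    auth_status: Optional[str] = None                      # populateAuthStatus value
    roles: List[str] = field(default_factory=list)
    enforcement_profiles: List[str] = field(default_factory=list)
    enforcement_action: Optional[str] = None               # ACCEPT / REJECT of the chosen profile


def summarize(log_text: str) -> RequestSummary:
    """Collapse one request's log lines into the facts that decide its outcome."""
    s = RequestSummary()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a line that is not in the exported format
        level, msg = m["level"], m["msg"]
        if (svc := re.search(r'categorized into service "([^"]+)"', msg)):
            s.service = svc.group(1)
        elif (lk := re.search(r"searching for user (\S+) in (\S+)", msg)):
            if lk.group(2) not in s.lookups:
                s.lookups.append(lk.group(2))
        elif level == "ERROR" and msg.startswith("rlm_mschap: FAILED: "):
            s.auth_errors.append(msg[len("rlm_mschap: FAILED: "):])
        elif (st := re.search(r"Authentication Status=(\w+)", msg)):
            s.auth_status = st.group(1)
        elif (r := re.search(r"Roles: (.*)", msg)):
            s.roles = [x.strip() for x in r.group(1).rstrip("]").split(",") if x.strip()]
        elif (p := re.search(r"EnfProfiles: (.*)", msg)):
            s.enforcement_profiles = [x.strip() for x in p.group(1).split(",") if x.strip()]
        elif (a := re.search(r"EnfProfileAction=(\w+)", msg)):
            s.enforcement_action = a.group(1)
    return s


def radius_outcome(s: RequestSummary) -> str:
    """The rule the thread establishes: a failed authentication yields Access-Reject
    regardless of the enforcement profile the policy engine selected; only a
    successful authentication lets the profile's own action through."""
    if s.auth_status == "Failed" or s.auth_errors:
        return "Access-Reject"
    return "Access-Accept" if s.enforcement_action == "ACCEPT" else "Access-Reject"


def findings(s: RequestSummary) -> List[str]:
    """Human-readable explanation of why the NAD saw what it saw."""
    out: List[str] = []
    if s.auth_errors and s.enforcement_action == "ACCEPT":
        out.append(f"policy engine selected ACCEPT profile(s) {s.enforcement_profiles} "
                   f"but authentication failed ({s.auth_errors[0]}); NAD receives Access-Reject")
    if any(e.startswith("No NT/LM-Password") for e in s.auth_errors):
        out.append(f"user not found in {s.lookups or ['<no source>']}; "
                   "MSCHAPv2 cannot be verified without a stored password hash")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(radius_outcome(summary))
    for f in findings(summary):
        print(" -", f)
```

Run it against a full export and the two findings are what a practitioner should look for first: an ACCEPT profile in the policy section of the log is not evidence that the NAD was sent an Access-Accept; the authentication section decides.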



  • 8.  RE: ClearPass unauthenticated users enforcement

    Posted May 02, 2012 10:10 AM

    Just had Aruba support confirm this is not possible: failed authentication means an Access-Reject is sent, so there is no further possibility to get into another VLAN or such from the ClearPass side.



  • 9.  RE: ClearPass unauthenticated users enforcement

    Posted Dec 12, 2017 08:02 AM

    Just in case anybody wonders, you can get around this by creating a Static Host List auth source with a regex matching any MAC address (.*) and placing it last in the auth source list of your service.

    You can then treat the rule "Authentication:Source EQUALS [Any MAC SHL]" as an administrative reject.

    Obviously this is a security flaw as any RADIUS request will ultimately be accepted. But this way you can apply the default profile as a last resort, and you don't have to implement such a behaviour on the NAD side (like OpenVLAN).
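The workaround above depends on the order in which a service's authentication sources are consulted, and the poster's own caveat is that a catch-all list means every request is accepted. The Python below is an added example, not code from the post or from ClearPass: it models the ordered lookup, shows how the "Authentication:Source EQUALS [Any MAC SHL]" rule turns the catch-all hit into an administrative-reject decision, and adds an audit check that flags any Static Host List matching an address nobody configured, which is the setting a reviewer would want to find. The AuthSource class, resolve_source, decide, audit_catch_all, the probe MAC and the sample members are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class AuthSource:
    name: str
    kind: str                         # "AD", "Local" or "SHL" (Static Host List)
    contains: Callable[[str], bool]   # does this source hold the identity (username or MAC)?


def directory_source(name: str, kind: str, members: List[str]) -> AuthSource:
    """A user store that holds an explicit set of identities (AD, local DB)."""
    known = {m.lower() for m in members}
    return AuthSource(name, kind, lambda ident: ident.lower() in known)


def static_host_list(name: str, patterns: List[str]) -> AuthSource:
    """A Static Host List whose entries are regexes over the MAC address."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return AuthSource(name, "SHL", lambda ident: any(c.fullmatch(ident) for c in compiled))


CATCH_ALL = "[Any MAC SHL]"   # the name the post above gives its last-resort list


def resolve_source(sources: List[AuthSource], identity: str) -> Optional[str]:
    """Walk the service's authentication sources in order and return the name of
    the first one that holds the identity; None models 'User not found', which
    the thread shows ends in Access-Reject."""
    for src in sources:
        if src.contains(identity):
            return src.name
    return None


def decide(sources: List[AuthSource], identity: str) -> str:
    """Apply the role-mapping rule from the post: a hit on the catch-all source
    is treated as an administrative reject (isolation profile), any other hit
    goes through the normal profile, and no hit at all is a RADIUS reject."""
    src = resolve_source(sources, identity)
    if src is None:
        return "Access-Reject"
    if src == CATCH_ALL:
        return "Access-Accept: administrative reject profile (isolation VLAN)"
    return f"Access-Accept: normal profile via {src}"


def audit_catch_all(sources: List[AuthSource], probe: str = "00-de-ad-be-ef-00") -> List[str]:
    """Return the names of SHL sources that accept an address nobody configured.
    The probe MAC is constructed; any list that matches it accepts everything."""
    return [s.name for s in sources if s.kind == "SHL" and s.contains(probe)]


if __name__ == "__main__":
    ad = directory_source("AD:tdc-01.test.loc", "AD", ["TEST\\alice"])   # constructed member
    any_mac = static_host_list(CATCH_ALL, [".*"])
    service_sources = [ad, any_mac]
    for ident in ("TEST\\alice", "00-11-22-33-44-55"):
        print(ident, "->", decide(service_sources, ident))
    print("catch-all lists:", audit_catch_all(service_sources))
```

The audit function is the part worth keeping: run over every service's source list, it reports exactly the lists that would turn an unknown supplicant into an accepted session, so the trade-off the poster describes is visible in configuration review rather than discovered in Access Tracker.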