Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass automatic local account creation, from external database authentication.

  • 1.  Clearpass automatic local account creation, from external database authentication.

    Posted Feb 15, 2013 09:40 AM

    Hello all,


    Consider the scenario where a Clearpass Guestconnect server is authenticating self-registering guests locally, and then backing off "unknown" user login attempts to an external active directory or radius proxy back-end. I've already got this working, but hit a couple of challenges.


    Also note quite importantly that we're making use of mac-caching in this case, and limiting the device count to 1 per user.


    When an AD user connects, they authenticate into AD just fine. In addition, a mac-cache device gets added (good so far). The AD user themselves however, is not added dynamically to the local user account list. As a consequence of this, if the user turns off their device, and then later connects another device using the same AD credentials (assuming the active session has timed-out), they can "work around" the device limit we've imposed on the system of 1.


    Does anybody know if there is a function to have Clearpass Guestconnect automatically "inherit" or "import" a user account when it leverages an external/back-end server? I can't think of a reason this wouldn't be feasible, as the password is carried by PAP in this case?


    Also, for more kudos, is there a way to stop Clearpass backing off the mac-auth attempts to a back-end/external server? I.e. the mac-auth is key to the mac-caching obviously, but ideally you only want these to be processed by Clearpass, and not handed off (as it appears to do when an external server is added).


    Any thoughts please?


  • 2.  RE: Clearpass automatic local account creation, from external database authentication.

    EMPLOYEE
    Posted Feb 19, 2013 08:47 AM

    Assuming you have a different SSID for guest vs. Corporate users, split the service into two services that have different rules based on the SSID they come from:


    In addition, you can check to see if it is an incoming mac authentication by comparing the Client-mac-address to the username by using rule #2 below:

    [screenshot: guest.PNG]


    I am QUITE sure that I did not answer all of your questions, but I still want to give you a direction.



  • 3.  RE: Clearpass automatic local account creation, from external database authentication.

    Posted Feb 21, 2013 03:28 AM

    Hi there!


    I probably should have mentioned (sorry), that in this case, it's Clearpass GC 3.9 (Amigopod original looking).


    Basically, this is because it's the Dell OEM version in use, and this is their most current version they (or rather you) port. I'm having some dialogue with Dell and Aruba TAC guys about where we ought to go with this next!


    Thanks!