Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass does not block my smart devices

  • 1.  ClearPass does not block my smart devices

    Posted Jun 21, 2019 07:42 PM

    Hello,


    I am trying to block all smartphones from an SSID of users that are authenticated against the AD and allowing only the corporate PCs.

    I have made several configurations using enforcement and profiling, however both PCs and SmartDevices access the network without problems.


    Attached is the configuration that I have at the enforcement level.


    The log that shows when connecting the smart devices is the following:




  • 2.  RE: ClearPass does not block my smart devices

    EMPLOYEE
    Posted Jun 21, 2019 08:06 PM
    Are the PCs that you want to allow all domain joined? If so I would do machine authentication and use that to determine if a device gets access or not.


  • 3.  RE: ClearPass does not block my smart devices

    Posted Jun 22, 2019 11:14 PM

    Thanks, I am going to change the configuration according to the suggestion. Do you have any link where the procedure is described in detail?



  • 4.  RE: ClearPass does not block my smart devices

    Posted Jun 24, 2019 08:58 AM

    You need to add a rule in your enforcement policy/role mapping that validates the machine in AD.

    If you use machine authentication (EAP-PEAP) you can make a basic rule like:

    Authorization:CorpAD:UserDN CONTAINS OU=Computers,DC=company,DC=local

    Or more basic:

    Authorization:CorpAD:UserDN EXISTS

    If the client does not pass these rules, it is not an AD-joined device and should be denied access. For every exception, just add the new rule above this one (if you use first-applicable).



  • 5.  RE: ClearPass does not block my smart devices

    Posted Jun 24, 2019 09:10 AM

    If you use machine authentication, or machine and user authentication, ClearPass will automatically detect if the machine is doing (or has done) machine authentication. You can use the TIPS role Machine Authenticated for this.

    So, really simple. Just allow authentication that contains the role Machine Authenticated. Or also use EAP-TLS for corporate managed devices, which makes it even easier.


    @Fabian Klaring wrote:

    You need to add a rule in your enforcement policy/role mapping that validates the machine in AD.

    If you use machine authentication (EAP-PEAP) you can make a basic rule like:

    Authorization:CorpAD:UserDN CONTAINS OU=Computers,DC=company,DC=local

    Or more basic:

    Authorization:CorpAD:UserDN EXISTS

    If the client does not pass these rules, it is not an AD-joined device and should be denied access. For every exception, just add the new rule above this one (if you use first-applicable).


    This is not completely correct. The check UserDN EXISTS is always true even if the user/machine doesn't exist. The UserDN is empty at that moment but still exists. Sometimes I have to create a check like this, but in that case I use a REGEX that will check if the DN is not empty. For example:

    UserDN > NOTMATCH REGEX >  (.|\s)*\S(.|\s)*
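    A small model of the two rule styles compared in this reply (an added example, not code from the thread or from ClearPass itself): the client attribute values are constructed, the EXISTS-is-true-for-an-empty-attribute behaviour is taken from the post above, and the unanchored regex search is an assumption about how the rule engine applies the pattern.

```python
import re

# Constructed sample lookups, not from the thread: what an AD authorization
# source might return for three different clients on the SSID.
SAMPLE_CLIENTS = {
    "corp-laptop": {"UserDN": "CN=LAPTOP01,OU=Computers,DC=company,DC=local"},
    "corp-user-only": {"UserDN": "CN=jdoe,OU=Users,DC=company,DC=local"},
    "smartphone": {"UserDN": ""},  # lookup found nothing: attribute present but empty
}

# Regex quoted in the reply above. Because '.' and '\s' overlap inside the
# alternation it backtracks heavily on long whitespace-only strings;
# searching for a single '\S' is equivalent and cheaper.
DN_NOT_EMPTY = re.compile(r"(.|\s)*\S(.|\s)*")

def exists(attrs, name):
    """EXISTS as described in the reply: true whenever the attribute is present, even if empty."""
    return name in attrs

def contains(attrs, name, needle):
    return needle in attrs.get(name, "")

def not_matches_regex(attrs, name, pattern):
    # Assumed semantics: NOT_MATCHES_REGEX is true when an unanchored search finds nothing.
    return pattern.search(attrs.get(name, "")) is None

def decide(attrs, policy, default="deny"):
    """First-applicable evaluation: the first rule whose condition holds decides."""
    for condition, result in policy:
        if condition(attrs):
            return result
    return default

# Rule style 1: allow anything whose UserDN "exists".
POLICY_EXISTS = [(lambda a: exists(a, "UserDN"), "allow")]

# Rule style 2: deny an empty DN first, then allow members of the Computers OU.
POLICY_REGEX = [
    (lambda a: not_matches_regex(a, "UserDN", DN_NOT_EMPTY), "deny"),
    (lambda a: contains(a, "UserDN", "OU=Computers"), "allow"),
]

if __name__ == "__main__":
    for client, attrs in SAMPLE_CLIENTS.items():
        print(f"{client:15} EXISTS-rule={decide(attrs, POLICY_EXISTS):5} "
              f"regex-rule={decide(attrs, POLICY_REGEX)}")
```

    Run stand-alone it prints that the EXISTS rule allows the smartphone while the regex rule denies it and still allows the domain-joined laptop.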



  • 6.  RE: ClearPass does not block my smart devices

    Posted Jun 25, 2019 08:06 PM

    The rule did not work well; sometimes it blocked the smart devices and sometimes not. I tested the rules separately and together. Attached are the configuration and log of the two cases with the same smart device.


  • 7.  RE: ClearPass does not block my smart devices

    Posted Jun 30, 2019 11:46 PM

    I finally found that I had a problem with the CoA, which was solved properly. Thanks.