Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Create Multiple [Machine Authenticated] Roles

  • 1.  Create Multiple [Machine Authenticated] Roles

    Posted Apr 30, 2014 06:04 PM

    First, I will explain what I want to do:

     

    Device A is joined to domain acme.com

    Device A is a member of ABC OU

    Device A must machine authenticate and user authenticate in order for the device to gain full access to the network

    Results in default RADIUS ALLOW policy

     

    Device B is joined to domain acme.com

    Device B is a member of XYZ OU

    Device B must machine authenticate and user authenticate in order for the device to gain full access to the network

    Results in NAMED VLAN and NAMED ROLE.  Device B must be placed into a different VLAN and role than Device A

     

    Here's the problem:

     

    This configuration works fine for device A.  The device gets the [Machine Authentication] role and is cached for 24 hours, allowing the user to login and get complete access to the network [Machine Authentication] + User auth = access.

     

    When the machine authenticates, we differentiate access by determining that it's in a different OU, which results in device B getting a different role than device A.  I can't give it the [Machine Authentication] role because otherwise it will end up with the same enforcement policy as device A.  Since I can't give the [Machine Authentication] role to device B, when the user logs in their machine authentication is not cached so I can't get them on the network.

     

    My solution to this would be to create a ClearPass role called [Machine Authentication - XYZ] that caches just like the built-in [Machine Authentication] role.  Then, I could use [Machine Authentication - XYZ] + User authentication to give device B differentiated access to the network.

     

    Is this at all possible or is there another way of doing this that I'm not thinking of?



  • 2.  RE: Create Multiple [Machine Authenticated] Roles

    EMPLOYEE
    Posted Apr 30, 2014 06:51 PM

    I think you have multiple things to think about.  The server certificate for CPPM must be trusted by laptops in both domains.  That can be a huge undertaking based on how mobile devices in both domains are set up.

     

    When a machine authenticates, it is part of the "domain machines" AD group for a particular domain.  You would put all devices that pass authentication for domain X in Vlan X and for domain Y in vlan Y.  The user who passes user authentication will be in domain users for domain X and that device should end up in vlan X.  Same thing for VLAN Y.



  • 3.  RE: Create Multiple [Machine Authenticated] Roles

    Posted Apr 30, 2014 07:01 PM
    The computers are in the same domain, but different OUs within the AD tree.


  • 4.  RE: Create Multiple [Machine Authenticated] Roles

    EMPLOYEE
    Posted Apr 30, 2014 07:01 PM

    What are you trying to accomplish, then?

     



  • 5.  RE: Create Multiple [Machine Authenticated] Roles

    Posted Apr 30, 2014 07:04 PM
    I have to identify a group of domain computers and put them in a different
    VLAN than all other domain computers.


  • 6.  RE: Create Multiple [Machine Authenticated] Roles

    EMPLOYEE
    Posted Apr 30, 2014 07:15 PM
    In your role map, tag computers that are a member of OU "A" with a role and
    "B" with a different role and then in your enforcement say [ Machine
    Authenticated] and Role A then VLAN or user role A. Same with B.


  • 7.  RE: Create Multiple [Machine Authenticated] Roles

    Posted Apr 30, 2014 08:16 PM
    Tim,

    That works for putting the computer in the proper VLAN when it machine
    authenticates but once the user logs in will the VLAN be retained if I
    don't override it, if I only send a radius accept? Also, if that did work
    and the device was off network long enough to age out of the controller
    user table, when it reconnects to the network I'm afraid it will end up in
    the VAP's default VLAN. These computers must consistently be placed in a
    particular VLAN for compliance reasons.


  • 8.  RE: Create Multiple [Machine Authenticated] Roles

    EMPLOYEE
    Posted Apr 30, 2014 08:20 PM

    thecompnerd,

     

    You probably are making this too complicated. You should just use machine authentication only and be done with it.

     

     



  • 9.  RE: Create Multiple [Machine Authenticated] Roles

    Posted Apr 30, 2014 08:35 PM
    cjoseph,

    I initially thought I was overthinking it but after working it through a
    couple of times in my head I don't believe I will be able to consistently
    put these machines in the VLAN they need. I will do some additional testing
    tomorrow to confirm my thinking/concerns as I'm not sure I've
    effectively communicated what I'm trying to do on the forums.


  • 10.  RE: Create Multiple [Machine Authenticated] Roles

    EMPLOYEE
    Posted Apr 30, 2014 08:39 PM
    So just to clear it up, you want OU A to always be in VLAN A and OU B in
    VLAN B no matter what user is logged in (or out)?


  • 11.  RE: Create Multiple [Machine Authenticated] Roles

    Posted Apr 30, 2014 08:44 PM
    Correct!


  • 12.  RE: Create Multiple [Machine Authenticated] Roles

    EMPLOYEE
    Posted Apr 30, 2014 09:17 PM
    OK so do the role map and enforcement like the post earlier and change the
    computers to do computer authentication only (via Group Policy).


  • 13.  RE: Create Multiple [Machine Authenticated] Roles

    Posted Apr 30, 2014 09:26 PM
    Yes that would work, but it will make it a bit more difficult tracking
    users of these devices. I see this turning into a discussion with our
    security team. Definitely something to consider though. Thanks for the
    input!


  • 14.  RE: Create Multiple [Machine Authenticated] Roles

    EMPLOYEE
    Posted Apr 30, 2014 09:44 PM
    You could try still doing user and computer authentication and just assign
    the users the same VLAN. Use the role map result from the machine auth OU.
    The device will always machine auth when a user logs out or reboots so you
    shouldn't have to worry about the cache running out.

    Another alternative would be to create a custom attribute in the endpoint
    database that gets created when the computer machine auths then reference
    that attribute for the user authentication.


  • 15.  RE: Create Multiple [Machine Authenticated] Roles
    Best Answer

    EMPLOYEE
    Posted May 01, 2014 07:32 AM

    Here's an abbreviated sample of my thinking using an endpoint attribute. I did everything in the enforcement but you could do some in the role mapping.

     

    [attachment: compnerd-enforcement.PNG]

     

    [attachment: compnerd_post-auth.PNG]



  • 16.  RE: Create Multiple [Machine Authenticated] Roles

    Posted May 01, 2014 09:14 AM

    Tim,

     

    Thanks for going to the trouble of that.  That's actually a pretty good workaround.  The only issue that I could potentially see is if the computer is later moved to another OU, the endpoint attribute will remain which would result in the wrong enforcement policy being applied.  It would be a manual process of deleting the attribute if a computer is moved between OUs and I'd have to be notified, but I think we can handle that.

     

    This morning I tested the concerns that I voiced about what would happen when device B is placed in VLAN B and then a user logs in.  I found that when the user logs in and the default RADIUS accept profile is sent (no VLAN VSA), the VLAN will in fact change back to the VAP VLAN.  So for example:

     

    1. Device B machine authenticates, matches role mapping of OU='XYZ'. Device role is set to 'Machine Authenticated - XYZ' and [Machine authenticated].
      Enforcement policy TIPS = 'Machine Authenticated - XYZ' is matched and enforcement profile 'VLAN B' is sent to controller.
      Device B has IP 192.168.2.10

    2. Any user logs into Device B; role is set to [User authenticated].
      Enforcement policy TIPS = [Machine Authenticated] + [User authenticated] is matched and enforcement profile 'RADIUS ACCEPT' is sent.
      Device B now has IP 192.168.1.10

    As you stated, it would be possible to keep this from happening if the computer only machine authenticates, but unfortunately this may not be possible for security reasons.

     

    Also, the role mapping 'Machine Authenticated - XYZ' won't apply to the user authentication as it's only applied to the machine authentication.  [Machine Authentication] is the only role that applies to the user authentication since it's cached for the device MAC.  This is why I can not have an enforcement policy that says 'Machine authenticated - XYZ' + [User authenticated] = VLAN B.  The user authentication always results in matching the policy [Machine authenticated] + [User authenticated].



  • 17.  RE: Create Multiple [Machine Authenticated] Roles

    EMPLOYEE
    Posted May 01, 2014 09:21 AM
    The logic in the example checks for an OU change and updates it if
    necessary.


  • 18.  RE: Create Multiple [Machine Authenticated] Roles

    Posted May 01, 2014 02:43 PM

    I have most of your suggestion implemented and it works!  I can now differentiate between device A and device B when the user authenticates.  I can't post screenshots, but essentially here is what I did:

     

    1. Added new attribute to the dictionary:
      Name = AD_OU
      Data Type = String
      Mandatory = No
      Allow Multiple = No

    2. Created role mapping:
      Authorization: AD Servers: User DN contains XYZ
      OR Endpoint: AD_OU equals XYZ

      Role = Computer_XYZ

    3. Created enforcement profile:
      Name: Endpoint_Update_XYZ
      Attribute: Endpoint AD_OU = %{Authorization: AD Servers:UserDN}

    4. Created enforcement policy condition #1:
      Tips: Role MATCHES_ALL Computer_XYZ [User Authenticated] [Machine Authenticated]

      Enforcement profile = VLAN_XYZ

    5. Created enforcement policy condition #2
      Tips: Role MATCHES_ALL Computer_XYZ [Machine Authenticated]

      Enforcement profile = VLAN_XYZ, Endpoint_Update_XYZ

     

    All other machine and user authentication combinations that do not match are processed by lower enforcement policies which results in a different VLAN being used.

     

    I do have an additional question about your configuration:

     

    In your enforcement profile (condition #2), what is the purpose of "Authorization: AUTH_AD: UserDN  NOT_EQUALS %{Authorization: zDemo_MACHINE-OU}"?  Are you trying to keep the endpoint attribute from being updated if the current UserDN already matches the endpoint attribute?

     

    Thanks for the help, Tim!



  • 19.  RE: Create Multiple [Machine Authenticated] Roles

    EMPLOYEE
    Posted May 01, 2014 02:55 PM

    Rule 2 is just trying to keep the endpoint db up to date. It is saying if the current OU of the computer does not match the OU in the custom attribute, update the endpoint with the new information and then allow access and return the appropriate VLAN.

     

    Glad it's (somewhat) working for you!

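To make the two-phase logic of posts 18 and 19 concrete, here is an added Python simulation (not ClearPass code, and not from Tim or the poster) of that role mapping and enforcement policy: an in-memory endpoint database and machine-auth cache, the Computer_XYZ tag derived from the live computer DN on machine auth but from the stored AD_OU attribute on user auth, and the attribute refreshed on every machine auth so a computer moved between OUs is re-tagged. The MAC addresses, DNs, the hours-based clock and the RADIUS_REJECT fallback for a user login with no cached machine auth are constructed assumptions.

```python
import re

# Constructed in-memory stand-ins for the ClearPass endpoint database and the
# machine-authentication cache, both keyed by client MAC (hypothetical, not ClearPass code).
ENDPOINT_DB = {}          # mac -> {"AD_OU": "<OU name written by the machine auth>"}
MACHINE_AUTH_CACHE = {}   # mac -> time (hours) of the last successful machine authentication
CACHE_TTL_HOURS = 24      # the thread's "cached for 24 hours"

def ou_from_dn(dn):
    """First OU component of an AD distinguished name, or None."""
    m = re.search(r"OU=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else None

def role_mapping(mac, machine_auth, dn, now):
    """Machine auth tags Computer_XYZ from the live computer DN; user auth tags it from the
    endpoint attribute written earlier, because the user's own DN never sits in OU XYZ."""
    roles = set()
    if machine_auth:
        roles.add("[Machine Authenticated]")
        MACHINE_AUTH_CACHE[mac] = now
        tagged = ou_from_dn(dn) == "XYZ"
    else:
        roles.add("[User Authenticated]")
        last = MACHINE_AUTH_CACHE.get(mac)
        if last is not None and now - last <= CACHE_TTL_HOURS:
            roles.add("[Machine Authenticated]")
        tagged = ENDPOINT_DB.get(mac, {}).get("AD_OU") == "XYZ"
    if tagged:
        roles.add("Computer_XYZ")
    return roles

def enforcement(mac, roles, dn):
    """First-match enforcement policy. Every machine auth refreshes AD_OU (post 19's rule),
    so a computer moved to another OU stops matching Computer_XYZ at its next reboot/logout."""
    if {"Computer_XYZ", "[User Authenticated]", "[Machine Authenticated]"} <= roles:
        return "VLAN_XYZ"                                   # condition #1
    if "[Machine Authenticated]" in roles and "[User Authenticated]" not in roles:
        live_ou = ou_from_dn(dn)
        if ENDPOINT_DB.get(mac, {}).get("AD_OU") != live_ou:   # Endpoint_Update profile
            ENDPOINT_DB[mac] = {"AD_OU": live_ou}
        return "VLAN_XYZ" if "Computer_XYZ" in roles else "RADIUS_ACCEPT"  # condition #2 / default
    if "[Machine Authenticated]" in roles:
        return "RADIUS_ACCEPT"   # user on an ordinary domain PC: no VLAN VSA, VAP default VLAN
    return "RADIUS_REJECT"       # assumed: user login with no (or expired) cached machine auth

def authenticate(mac, machine_auth, dn, now):
    """One RADIUS request: returns the enforcement profile name that would be sent."""
    return enforcement(mac, role_mapping(mac, machine_auth, dn, now), dn)
```

Running device B through machine auth, then user auth, shows VLAN_XYZ both times, while device A (OU ABC) falls through to the plain accept; a user login after the 24-hour cache lapses, and a device B later moved to OU ABC, are covered by the same functions.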


  • 20.  RE: Create Multiple [Machine Authenticated] Roles

    Posted May 01, 2014 03:50 PM
    I'll implement that last piece and I should be set. It's actually a very
    good solution after testing it. Thanks a lot for your help!


  • 21.  RE: Create Multiple [Machine Authenticated] Roles

    EMPLOYEE
    Posted Apr 30, 2014 08:22 PM
    For when the user authenticates, you can create a different action by using
    the [User Authenticated] role. If you want the same VLAN to stick for the
    machine, configure the device to use machine auth only via group policy.