Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Employee Device self registration (MACtrack) and deactivation

  • 1.  Employee Device self registration (MACtrack) and deactivation

    Posted Apr 22, 2016 07:51 PM

    Hi,

    If I understand the MACtrack functionality correctly, it provides the option of device self-registration by employees.

    This is what we have working in the lab. Registered devices would do MAC-AUTH. Employees are authenticated against AD. When employees register devices, the sponsor_name is shown as the employee's AD account.

    Now the question came up what happens when the employee leaves the company.

    How can we prevent the employee from connecting via MAC-AUTH after he has left?

    One idea is to validate (authorize) the sponsor_name attribute in the Guest Device Repository against AD when we do MAC-AUTH for a device.

    The problem is that the sponsor_name attribute is not shown in Access Tracker. Only the sponsor_profile_name.

    Is the above a good idea at all? Or has this been solved already?

    Thanks,

    Christian



  • 2.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 22, 2016 08:16 PM

    Try this: make a copy of your AD source and change the query to this, and use that as an authorization source for the MAC auth service. Add userAccountControl as an attribute and you can use that as part of your enforcement policy to allow the user access.

    https://support.microsoft.com/en-us/kb/305144 

    [Screenshot: ClearPass Policy Manager - authentication source configuration]

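The reply above suggests pulling userAccountControl into the enforcement policy. The KB article it links documents that attribute as a bit field (ACCOUNTDISABLE is 0x0002, NORMAL_ACCOUNT is 0x0200 = 512, DONT_EXPIRE_PASSWORD is 0x10000), so a rule that compares it to exactly 512 rejects healthy accounts that carry any extra flag, while the real question is only whether the ACCOUNTDISABLE bit is set. The following is an added example, not code from the thread or from ClearPass, that shows the bitmask evaluation an enforcement decision should make; the MAC-to-account table is constructed sample data.

```python
"""Evaluate an AD userAccountControl value as a bit field, the way a
MAC-auth enforcement decision for a registered device should.

Added example, not code from the thread or from ClearPass. Flag values
are from Microsoft KB 305144; the sample accounts below are constructed.
"""
from typing import Dict, List, Optional

# Flag bits from KB 305144 (the subset that matters for account state).
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200          # 512
DONT_EXPIRE_PASSWORD = 0x10000   # 65536
SMARTCARD_REQUIRED = 0x40000

FLAG_NAMES: Dict[int, str] = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    LOCKOUT: "LOCKOUT",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
}


def is_enabled_user(uac: int) -> bool:
    """True if uac describes a normal user account that is not disabled.

    A rule 'userAccountControl EQUALS 512' only matches accounts with no
    other flags set: 66048 (512 + DONT_EXPIRE_PASSWORD) is an enabled
    account such a rule would wrongly reject, while 514 (512 +
    ACCOUNTDISABLE) is the departed employee the rule exists to catch.
    """
    return bool(uac & NORMAL_ACCOUNT) and not (uac & ACCOUNTDISABLE)


def decode_uac(uac: int) -> List[str]:
    """Return the symbolic names of the flags set in uac (handy when reading Access Tracker)."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]


def enforce(sponsor_uac: Optional[int]) -> str:
    """Enforcement decision for a MAC-auth request.

    sponsor_uac is the userAccountControl of the employee who registered
    the device, or None when AD returned no value (e.g. the account was
    deleted after the employee left). No account is treated as departed.
    """
    if sponsor_uac is None:
        return "Deny"
    return "Allow" if is_enabled_user(sponsor_uac) else "Deny"


# Constructed sample: device MAC -> userAccountControl of the registering employee.
SAMPLE: Dict[str, Optional[int]] = {
    "00-11-22-33-44-55": 512,     # plain enabled account
    "00-11-22-33-44-66": 66048,   # enabled, password never expires
    "00-11-22-33-44-77": 514,     # disabled after leaving
    "00-11-22-33-44-88": 66050,   # disabled, password never expires
    "00-11-22-33-44-99": None,    # account deleted from AD
}

if __name__ == "__main__":
    for mac, uac in SAMPLE.items():
        flags = decode_uac(uac) if uac is not None else ["<no AD object>"]
        print(f"{mac}  uac={str(uac):>6}  {enforce(uac):5}  {' | '.join(flags)}")
```

In ClearPass terms, the equivalent is a role-mapping or enforcement condition on the bit rather than on the whole value; the point of the example is that 514, 66050 and a missing account all have to end up in the deny branch, and 66048 must not.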


  • 3.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 22, 2016 09:41 PM

    I am afraid that doesn't work.

    If I understand this correctly, CPPM would query AD for the values of the GuestUser:sponsor_profile_name attribute. This is in our case the Guest Operator Profile (Device Registration), which is not known to AD. The GuestUser:sponsor_profile_name appears in Access Tracker.

    I think the query should get values for GuestUser:sponsor_name. But that attribute does not show in Access Tracker.

    To me it seems this attribute is set in Guest (there is a field sponsor_name) but somehow not available in CPPM.

    I would expect to see this in Access Tracker right beside the GuestUser:sponsor_profile_name attribute.

    I added sponsor_name under the GuestUser entity as an attribute without success. Access Tracker is just not showing that attribute.

    Thanks,

    Christian



  • 4.  RE: Employee Device self registration (MACtrack) and deactivation

    EMPLOYEE
    Posted Apr 22, 2016 09:44 PM
    Yes, you would use sponsor_name. Try using it from Guest User Repository as an authorization source.


  • 5.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 22, 2016 10:07 PM

    No luck.

    As a test I set the role mapping to check if GuestUser:sponsor_name is the value I see in Guest as sponsor for the device. Without any AD involvement.

    That mapping fails then. And the GuestUser:sponsor_name attribute is not shown in Access Tracker.

    GuestUser:sponsor_profile_name is there.

    I think this is the source of the problem.

    Without GuestUser:sponsor_profile I can't verify the AD account. This is the only link between the device MAC and the user who created it.

    If GuestUser:sponsor_profile should be there, I guess it is time for opening a TAC case?

    Thanks,

    Christian



  • 6.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 22, 2016 10:09 PM
    Are you looking under Input > Computed Attributes?


  • 7.  RE: Employee Device self registration (MACtrack) and deactivation

    EMPLOYEE
    Posted Apr 22, 2016 10:10 PM
    Do you have the guest user repository as an authorization source in your service?


  • 8.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 22, 2016 10:19 PM

    Yes, I have the guest user repository as an authorization source. I see other GuestUser attributes (like Role ID, sponsor_profile_name, Visitor Name, ...) in computed attributes, which I assume come out of that repository as well.

    The service is a modified MAC caching service from a guest self-register setup with MAC caching.

    It works for MACtrack-created devices in Guest.

    And yes, I am looking under Input -> Computed Attributes.

    GuestUser:sponsor_name is just not there.

    This is ClearPass 6.5.5, btw.

    Thanks,

    Christian



  • 9.  RE: Employee Device self registration (MACtrack) and deactivation

    EMPLOYEE
    Posted Apr 22, 2016 10:21 PM
    Give me til tomorrow to set this up in my lab.


  • 10.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 22, 2016 10:25 PM

    Thank you very much!


    Let me know if I should provide more info.



  • 11.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 24, 2016 07:55 PM

    I checked the tipsdb database via SQL.

    The device is in the tips_guest_users table and shows the correct name in the sponsor_name column.


    But the attribute is not shown in "computed attributes".

    I really wonder why.


    Christian



  • 12.  RE: Employee Device self registration (MACtrack) and deactivation

    EMPLOYEE
    Posted Apr 24, 2016 07:57 PM

    I played with this for a few hours yesterday and couldn't get a working solution. I would contact Aruba TAC.



  • 13.  RE: Employee Device self registration (MACtrack) and deactivation

    EMPLOYEE
    Posted Apr 24, 2016 08:48 PM
    I haven't read the whole thread, but some items will not show up in computed attributes unless they are part of your enforcement policy.


  • 14.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 24, 2016 09:18 PM
    I was able to create a new SQL source pointing to the Insight DB, but I was only able to get all the sponsor_name(s), not just the sponsor_name tied to the MAC address authenticating.
    If you know your way around pgsql queries you should get the information you are looking for.

    Here's the query I used:

    SELECT sponsor_name FROM guests

    It won't show in the computed attributes; instead it will show in the Authorization attributes, which you can still use in your enforcement.


  • 15.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 24, 2016 10:22 PM

    You will need to create a new SQL Custom source pointing to the Insight DB

    [Screenshot: Custom SQL authentication source pointing to the Insight DB]

    Your query should look like this:

    [Screenshot: filter query of the custom SQL source]

    Then add this to the new AD Source using the Custom DB 

    [Screenshot: AD source filter referencing the custom DB attribute]

    Once you add both as Authorization Sources then you will see that the information will be populated under the Authorization Attributes

    [Screenshot: Access Tracker, Authorization Attributes]



  • 16.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 25, 2016 07:57 PM

    Thanks for the reply.

    This works halfway.

    The first part seems to work. I can see the attribute "Authorization:CUSTOM-DB:sponsor_name" with the correct sponsor name (deckel) in Access Tracker.

    But it can't query AD successfully:

    I get this in the debug log:

     Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(objectClass=user)(sAMAccountName=%{Authorization:CUSTOM-DB:sponsor_name})), error=No values for param=Authorization:CUSTOM-DB:sponsor_name

     Ldap.LdapQuery - execute: Failed to construct filter=(&(objectClass=user)(sAMAccountName=%{Authorization:CUSTOM-DB:sponsor_name}))

     Ldap.LdapQuery - Failed to get value for attributes=[userAccountControl]

    But I get this:

     ExtDB.DBQuery - Query success for filter=SELECT sponsor_name FROM guests WHERE mac = UPPER('64-bd-0a-80-5d-f1') AND sponsor_profile_name = ('Device Registration');, attrs=>{sponsor_name:[deckel,]}

    When I hardcode "Authorization:CUSTOM-DB:sponsor_name" to "deckel" in the LDAP filter query, I can see the LDAP data in Access Tracker. Including userAccountControl.

    Any hint how to debug this?

    Thanks,

    Christian



  • 17.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 26, 2016 06:24 AM
    You need to remove this from your custom DB query:
    AND sponsor_profile_name = ('Device Registration');

    Just use this:
    SELECT sponsor_name FROM guests WHERE mac = UPPER('%{Connection:Client-Mac-Address-Hyphen}');


  • 18.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 26, 2016 02:54 PM

    Hi,

    this is the full filter query for CUSTOM-DB:

    SELECT sponsor_name FROM guests WHERE mac = UPPER('%{Connection:Client-Mac-Address-Hyphen}') AND sponsor_profile_name = ('Device Registration');

    When I remove "AND sponsor_profile_name = ('Device Registration')", I get all sponsor_name values that the device MAC ever had.

    My test client device was also used for the guest self-registration. There, a guest can enter a random name as sponsor name. That's why I added the additional filter on the sponsor_profile_name for devices that were registered by the guest device registration role.

    With this, I get the correct sponsor_name value for my test device.

    The same issue could happen when an employee used the client device with guest registration before it is registered by the employee as a device.

    Is it possible to remove entries in the insightdb?

    Thanks,

    Christian


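The post above is the security-relevant step of the whole thread: the Insight `guests` table holds one row per registration, and the `sponsor_name` of a guest self-registration is free text typed by the guest, so only rows from the employee "Device Registration" profile carry a sponsor_name that is actually an authenticated AD account. The following is an added example, not ClearPass code or code from the thread. It stands in an sqlite3 in-memory table for the Insight DB with just the three columns the thread uses, runs the filter query with and without the `sponsor_profile_name` clause so the difference is visible on a constructed dataset, and builds the AD filter with RFC 4515 escaping so a self-chosen sponsor_name such as `*)(objectClass=*` cannot alter the LDAP query. The rows, MACs and names are constructed sample data.

```python
"""Resolve the registering employee for a MAC-authenticating device from
an Insight-style 'guests' table and build the AD lookup filter safely.

Added example, not ClearPass code. The in-memory sqlite3 table is a
constructed stand-in for the Insight DB with only the columns the thread
uses (mac, sponsor_name, sponsor_profile_name).
"""
import sqlite3
from typing import List, Optional

# Constructed rows. The first MAC was used for a guest self-registration
# (sponsor_name typed by the guest) and later registered by employee 'deckel'.
# The last row shows an attacker-chosen sponsor_name with LDAP metacharacters.
ROWS = [
    ("64-BD-0A-80-5D-F1", "some.random.guest.sponsor", "Guest Self-Registration"),
    ("64-BD-0A-80-5D-F1", "deckel", "Device Registration"),
    ("00-11-22-33-44-55", "alice", "Device Registration"),
    ("00-11-22-33-44-66", "*)(objectClass=*", "Guest Self-Registration"),
]

AD_FILTER_TEMPLATE = "(&(objectClass=user)(sAMAccountName=%s))"


def open_db() -> sqlite3.Connection:
    """Create the constructed 'guests' table in memory."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE guests (mac TEXT, sponsor_name TEXT, sponsor_profile_name TEXT)")
    con.executemany("INSERT INTO guests VALUES (?, ?, ?)", ROWS)
    return con


def sponsor_names(con: sqlite3.Connection, client_mac: str,
                  profile: Optional[str] = None) -> List[str]:
    """Mirror the CUSTOM-DB filter query from the thread.

    profile=None is the unfiltered query (every sponsor_name the MAC ever
    had); profile='Device Registration' adds the AND clause that narrows it
    to the employee registration. The MAC is bound as a parameter; Insight
    stores it upper-case, hence UPPER() on the client value.
    """
    sql = "SELECT sponsor_name FROM guests WHERE mac = UPPER(?)"
    params: List[str] = [client_mac]
    if profile is not None:
        sql += " AND sponsor_profile_name = ?"
        params.append(profile)
    return [row[0] for row in con.execute(sql + " ORDER BY rowid", params)]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def ad_filter(sponsor: str) -> str:
    """AD query that fetches the sponsor's attributes (userAccountControl)."""
    return AD_FILTER_TEMPLATE % ldap_escape(sponsor)


def resolve_sponsor_filter(con: sqlite3.Connection, client_mac: str) -> Optional[str]:
    """Return the AD filter for the device's registering employee, or None.

    None means no 'Device Registration' row exists (or more than one
    conflicting sponsor), which the enforcement policy should treat as deny
    rather than fall back to a guest-supplied sponsor_name.
    """
    names = sorted(set(sponsor_names(con, client_mac, "Device Registration")))
    if len(names) != 1:
        return None
    return ad_filter(names[0])


if __name__ == "__main__":
    db = open_db()
    mac = "64-bd-0a-80-5d-f1"
    print("all rows for MAC:      ", sponsor_names(db, mac))
    print("Device Registration:   ", sponsor_names(db, mac, "Device Registration"))
    print("AD filter:             ", resolve_sponsor_filter(db, mac))
    print("guest-only MAC filter: ", resolve_sponsor_filter(db, "00-11-22-33-44-66"))
    print("escaped hostile name:  ", ad_filter("*)(objectClass=*"))
```

Inside CPPM the `%{Authorization:CUSTOM-DB:sponsor_name}` substitution is done by the product, so the escaping step is not something you configure; the example makes the point that the `sponsor_profile_name` clause is what keeps guest-typed text out of the AD filter in the first place, and that a device with no employee registration should resolve to no filter at all rather than to whatever sponsor_name happens to be in the table.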

  • 19.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 26, 2016 03:30 PM
    I just tested with that filter and it works with no issues. And that's the right approach to avoid getting the guest sponsor_name (Leave as is)

    Can you take a screenshot of your AD source to see what attributes you are currently using ?


  • 20.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 27, 2016 04:35 AM

    Screenshots attached.

    Access Tracker shows the correct sponsor_name fetched from CUSTOM-DB (insightdb).

    For testing, I hardcoded the AD query filter

    (&(sAMAccountName=%{Authorization:CUSTOM-DB:sponsor_name})(objectClass=user))

    with

    (&(sAMAccountName=deckel)(objectClass=user))

    RoleMapping is matching on userAccountControl=512 and assigns the correct role then.

    So, the logic seems to work. It is just that in the AD filter %{Authorization:CUSTOM-DB:sponsor_name} isn't replaced with the sponsor_name fetched from the CUSTOM-DB.

    Thanks,

    Christian



  • 21.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 27, 2016 01:32 PM
    Can you try using this instead:
    (&(objectClass=user)(sAMAccountName=%{Authorization:CUSTOM-DB:sponsor_name}))

    also try with a device that belongs to an AD user that has higher privileges in AD
    Looks like clembo was hitting a similar issue :
    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/CPPM-not-Retrieving-Authorization-Attributes-for-Some-Users/td-p/91958



  • 22.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Apr 27, 2016 05:42 PM

    No change with that AD query string.

    I found that posting from clembo and will try to use a different account.

    It does work for me when I hardcode the AD query to the sponsor_name.

    The account which is used for querying AD is the same in that case.

    It also works when I enter the sponsor name on the Attributes tab of the Configure Filter window.

    I'll try to use an account with higher rights.

    Christian



  • 23.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted May 06, 2016 09:12 AM

    Hello,

    we created a new user with standard user rights and used this as the bind user.

    We still don't get the sponsor_name back from AD.

    Shall I open a TAC case?

    Thanks,

    Christian



  • 24.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted May 06, 2016 11:57 AM
    Yes and please update us with the findings


  • 25.  RE: Employee Device self registration (MACtrack) and deactivation

    Posted Jul 23, 2016 12:14 PM

    did you ever go the TAC road ChrisDe, any feedback you can share?