Error message for Role Mapping Policy - CPPM

  • 1.  Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 12:58 AM

    Hi All,

    We have the following client requirement:

    1. Authentication type is EAP-TLS.........working fine.

    2. For different AD groups of users we have to enforce a different VLAN depending on the group name........not working.

    The issue we are facing is that when we created a role mapping policy for the different AD groups, I am getting the following error messages.

    Kindly let me know how to resolve this issue.

    Request log details for session: R00000030-11-5225c73a
    Time 	Message
    2013-09-03 16:55:46,085 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 15:254:D4-3D-7E-12-A5-49
    2013-09-03 16:55:46,092 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-132 h=223 r=R00000030-11-5225c73a] INFO Core.ServiceReqHandler - Service classification result = Certificate_based_Test
    2013-09-03 16:55:46,093 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Certificate_based_Test"
    2013-09-03 16:55:46,093 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_ldap: searching for user host/INGVYSAHOTEST.IN.intranet in AD:spininf00001.in.intranet
    2013-09-03 16:55:46,095 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_ldap: found user host/INGVYSAHOTEST.IN.intranet in AD:spininf00001.in.intranet
    2013-09-03 16:55:46,095 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
    2013-09-03 16:55:46,096 	[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 15:76:D4-3D-7E-12-A5-49:0x00a40087002f00e73b010000d3e70a303a32a52dea8f6f95c95bd811
    2013-09-03 16:55:46,112 	[Th 32 Req 316 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Certificate_based_Test" - 16:386:D4-3D-7E-12-A5-49
    2013-09-03 16:55:46,113 	[Th 32 Req 316 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read finished A
    2013-09-03 16:55:46,113 	[Th 32 Req 316 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 16:225:D4-3D-7E-12-A5-49:0x00f70020002b00c73c010000520e47f9ab1f806777c5c9926f39fd6e
    2013-09-03 16:55:46,123 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Certificate_based_Test" - 17:318:D4-3D-7E-12-A5-49
    2013-09-03 16:55:46,123 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_eap_tls: Session established.
    2013-09-03 16:55:46,124 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr d43d7e12a549
    2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3354 entity id = 29
    2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3354
    2013-09-03 16:55:46,130 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3354|entityId=29
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3354|entity=Device
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 r=psauto-1378126681-133 h=239 r=R00000030-11-5225c73a] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2013-09-03 16:55:46,131 	[RequestHandler-1-0x7f2fad3e9700 h=1235 c=R00000030-11-5225c73a] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2013-09-03 16:55:46,132 	[RequestHandler-1-0x7f2fad3e9700 h=1236 c=R00000030-11-5225c73a] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
    2013-09-03 16:55:46,132 	[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
    2013-09-03 16:55:46,133 	[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{memberOf})
    2013-09-03 16:55:46,133 	[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Ldap.LdapQuery - Failed to get value for attributes=Groups]
    2013-09-03 16:55:46,133 	[RequestHandler-1-0x7f2fad3e9700 h=1237 c=R00000030-11-5225c73a] INFO Core.PETaskRoleMapping - Roles: Guest], Machine Authenticated]
    2013-09-03 16:55:46,135 	[RequestHandler-1-0x7f2fad3e9700 h=1240 c=R00000030-11-5225c73a] INFO Core.PETaskEnforcement - EnfProfiles: Cert_based_NAC_infrastructure
    2013-09-03 16:55:46,135 	[RequestHandler-1-0x7f2fad3e9700 h=1245 c=R00000030-11-5225c73a] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
    2013-09-03 16:55:46,136 	[RequestHandler-1-0x7f2fad3e9700 h=1241 c=R00000030-11-5225c73a] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
    2013-09-03 16:55:46,136 	[RequestHandler-1-0x7f2fad3e9700 h=1241 c=R00000030-11-5225c73a] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Cert_based_NAC_infrastructure
    2013-09-03 16:55:46,136 	[RequestHandler-1-0x7f2fad3e9700 h=1241 c=R00000030-11-5225c73a] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 10800
    2013-09-03 16:55:46,137 	[RequestHandler-1-0x7f2fad3e9700 h=1246 c=R00000030-11-5225c73a] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
    2013-09-03 16:55:46,137 	[RequestHandler-1-0x7f2fad3e9700 r=R00000030-11-5225c73a h=1244 c=R00000030-11-5225c73a] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
    2013-09-03 16:55:46,138 	[RequestHandler-1-0x7f2fad3e9700 r=R00000030-11-5225c73a h=1242 c=R00000030-11-5225c73a] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
    2013-09-03 16:55:46,142 	[RequestHandler-1-0x7f2fad3e9700 h=1248 c=R00000030-11-5225c73a] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
    2013-09-03 16:55:46,142 	[RequestHandler-1-0x7f2fad3e9700 h=1248 c=R00000030-11-5225c73a] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2013-09-03 16:55:46,143 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
    2013-09-03 16:55:46,143 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Added Class attribute with value Class = 0xe01eeb5fba974171b4bba595e0ae50d1d80b0000000000005230303030303033302d31312d35323235633733610000000000000000000000
    2013-09-03 16:55:46,143 	[Th 33 Req 317 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
    2013-09-03 16:55:46,143 	[RequestHandler-1-0x7f2fad3e9700 h=1247 c=R00000030-11-5225c73a] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2013-09-03 16:55:46,143 	[RequestHandler-1-0x7f2fad3e9700 r=R00000030-11-5225c73a h=1235 c=R00000030-11-5225c73a] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***

     

     




  • 2.  RE: Error message for Role Mapping Policy - CPPM

    EMPLOYEE
    Posted Sep 04, 2013 01:02 AM
    Can you paste some screenshots of your services?


  • 3.  RE: Error message for Role Mapping Policy - CPPM

    EMPLOYEE
    Posted Sep 04, 2013 01:22 AM

    Here is a sample of a basic enforcement based on MemberOf in AD. Just make sure you add the AD as an Authorization source.

    Attachments: screenshot_10 Sep. 04 00.14.gif, screenshot_08 Sep. 04 00.13.gif, screenshot_09 Sep. 04 00.13.gif



  • 4.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 01:38 AM

    I was not able to attach the created service here; please let me know how to attach it.



  • 5.  RE: Error message for Role Mapping Policy - CPPM

    EMPLOYEE
    Posted Sep 04, 2013 01:41 AM

    Just click the button in the bottom left corner to add an attachment.

    Attachment: screenshot_01 Sep. 04 00.34.gif



  • 6.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 01:50 AM

    Hi,

    Please find the attached screenshot.



  • 7.  RE: Error message for Role Mapping Policy - CPPM

    EMPLOYEE
    Posted Sep 04, 2013 02:02 AM

    Service looks OK.

    What does it show in Access Tracker? What error is it showing in the Alerts tab?

    You can also use the policy simulation to test with.



  • 8.  RE: Error message for Role Mapping Policy - CPPM

    EMPLOYEE
    Posted Sep 04, 2013 02:06 AM

    Attachments: screenshot_03 Sep. 04 00.59.gif, screenshot_04 Sep. 04 00.59.gif



  • 9.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 02:43 AM

    Hi,

    I have observed that in the authorization part you have added the Local User SQL DB.

    So whatever roles I have created locally on CPPM, where will they be stored? Do I have to add any local user DB also in the Authorization tab?



  • 10.  RE: Error message for Role Mapping Policy - CPPM

    EMPLOYEE
    Posted Sep 04, 2013 02:47 AM
    I have the local DB because I also test with local users with role mapping. If you are not using local users then you don't need to add it.


  • 11.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 04, 2013 08:26 AM

    I have run into this same error.   Basically you are not able to read the memberOf attributes of the logged-on user.  If you look at the "Computed Attributes" within Access Tracker, under the Input tab and under the Authorization Attributes, you'll likely not see any "memberOf" attributes; only UserDN.

    I've seen this at a couple of customers.  In one instance, the user was not a member of any groups aside from Domain Users (which does not show as memberOf when set as the primary group; this is normal).   The other instance we resolved by elevating the permissions of the Bind account.

    We verified this using an LDAP browser with the Bind account; it could not see those attributes despite having permission to.   Elevating permissions was OK with that customer, so we did not contact support to see if it was a known issue.



  • 12.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 08, 2013 11:39 AM

    Hi Clembo,

    Yes, we are getting only the User DN attribute when we look at the Access Tracker authorization part.

    I have attached the attributes we are getting in the authorization part.

    So can you explain to me briefly what we have to do to resolve this issue? I am a little bit weak in AD, so can you give me any document or screenshot showing how to give the permissions for the Bind account?

    Regards,

    Nithin Kumar C V



  • 13.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 08, 2013 08:00 PM

    Just to test/confirm.

    Check what account is used as the Bind account under the AD Authentication Source.  Check what permissions that account has in AD.  Then, add it to a higher privileged group; Domain Admins for example.  ****This is usually not necessary; I just want to see if it helps with you reading all the needed attributes.   Make sure the group change has replicated to the DC you are authenticating against in your AD authentication source.

    Are the results any different?
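As an added example (my own code, not ClearPass's and not posted by anyone in this thread), here is a small Python diagnostic for the two checks discussed above: it runs over a constructed subset of the request log from the first post, picks out the "No values for param=memberOf" warning, the Groups attribute that could not be resolved and the roles the request fell through to, and it models, under a simplifying assumption about how CPPM expands a parameterised filter, why `(distinguishedName=%{memberOf})` cannot be built when the bind account only sees UserDN. The sample UserDN value and the filter-expansion behaviour are assumptions, not ClearPass internals.

```python
"""Added example (not ClearPass code): spot the failed memberOf group lookup
in a CPPM request log and model why the Groups filter cannot be built."""
import re

# Constructed sample: a subset of the request log quoted earlier in this
# thread, with a tab between the timestamp and the message as CPPM prints it.
SAMPLE_LOG = """\
2013-09-03 16:55:46,095\t[Th 40 Req 315 SessId R00000030-11-5225c73a] INFO RadiusServer.Radius - rlm_ldap: found user host/INGVYSAHOTEST.IN.intranet in AD:spininf00001.in.intranet
2013-09-03 16:55:46,132\t[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
2013-09-03 16:55:46,133\t[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{memberOf})
2013-09-03 16:55:46,133\t[AuthReqThreadPool-26-0x7f307adf6700 r=R00000030-11-5225c73a h=67] WARN Ldap.LdapQuery - Failed to get value for attributes=Groups]
2013-09-03 16:55:46,133\t[RequestHandler-1-0x7f2fad3e9700 h=1237 c=R00000030-11-5225c73a] INFO Core.PETaskRoleMapping - Roles: Guest], Machine Authenticated]
2013-09-03 16:55:46,135\t[RequestHandler-1-0x7f2fad3e9700 h=1240 c=R00000030-11-5225c73a] INFO Core.PETaskEnforcement - EnfProfiles: Cert_based_NAC_infrastructure
"""

# Signatures taken from the log lines above.
FOUND_USER = re.compile(r"rlm_ldap: found user (?P<user>\S+) in (?P<source>\S+)")
MISSING_PARAM = re.compile(r"No values for param=(?P<param>\w+)")
FAILED_FILTER = re.compile(r"Failed to construct filter=(?P<filter>\S+)")
FAILED_ATTR = re.compile(r"Failed to get value for attributes=(?P<attr>[^\]\s]+)")
ROLES = re.compile(r"PETaskRoleMapping - Roles: (?P<roles>.+)$")
ENF_PROFILES = re.compile(r"PETaskEnforcement - EnfProfiles: (?P<profiles>.+)$")


def _split_list(text):
    # CPPM renders each list item with a trailing ']' (e.g. "Guest]"); strip it.
    return [item.strip().rstrip("]") for item in text.split(",")]


def diagnose(log_text):
    """Summarise one request's log: who was looked up, what failed, what resulted."""
    report = {"user": None, "auth_source": None, "missing_params": [],
              "failed_filters": [], "failed_attributes": [], "roles": [],
              "enforcement_profiles": []}
    for line in log_text.splitlines():
        if m := FOUND_USER.search(line):
            report["user"], report["auth_source"] = m.group("user"), m.group("source")
        if m := MISSING_PARAM.search(line):
            report["missing_params"].append(m.group("param"))
        if m := FAILED_FILTER.search(line):
            report["failed_filters"].append(m.group("filter"))
        if m := FAILED_ATTR.search(line):
            report["failed_attributes"].append(m.group("attr"))
        if m := ROLES.search(line):
            report["roles"] = _split_list(m.group("roles"))
        if m := ENF_PROFILES.search(line):
            report["enforcement_profiles"] = _split_list(m.group("profiles"))
    return report


def verdict(report):
    """Turn the report into the check a ClearPass admin would make next."""
    if "memberOf" in report["missing_params"] and "Groups" in report["failed_attributes"]:
        return (f"memberOf was not returned for {report['user']} from "
                f"{report['auth_source']}; Groups could not be resolved, so role "
                f"mapping fell through to: {', '.join(report['roles'])}. Check the "
                "Computed Attributes in Access Tracker and whether the bind account "
                "can read memberOf on that object.")
    return "No memberOf lookup failure found; roles: " + ", ".join(report["roles"])


def ldap_escape(value):
    """RFC 4515 escaping for the assertion-value characters that matter in a DN."""
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29")):
        value = value.replace(ch, rep)
    return value


PARAM = re.compile(r"%\{(\w+)\}")


def expand_filter(template, attributes):
    """Simplified model (an assumption, not ClearPass's own logic) of building a
    parameterised filter such as (distinguishedName=%{memberOf}): one clause per
    attribute value, OR-ed together when the attribute is multi-valued.
    Returns (filter, None) on success, or (None, error) when the parameter has
    no values, which is exactly the condition the WARN lines above report."""
    m = PARAM.search(template)
    if m is None:
        return template, None
    param = m.group(1)
    values = attributes.get(param) or []
    if not values:
        return None, f"No values for param={param}"
    clauses = [template.replace(m.group(0), ldap_escape(v)) for v in values]
    return (clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"), None


if __name__ == "__main__":
    print(verdict(diagnose(SAMPLE_LOG)))
    # Constructed authorization attributes: what the bind account saw (UserDN only)
    # versus what it should see once memberOf is readable.
    only_dn = {"UserDN": ["CN=INGVYSAHOTEST,OU=Computers,DC=in,DC=intranet"]}
    with_groups = {"memberOf": ["CN=Finance,OU=Groups,DC=in,DC=intranet",
                                "CN=Laptops,OU=Groups,DC=in,DC=intranet"]}
    print(expand_filter("(distinguishedName=%{memberOf})", only_dn))
    print(expand_filter("(distinguishedName=%{memberOf})", with_groups))
```

Run it against a full Access Tracker request log export instead of `SAMPLE_LOG` to see whether the same three WARN lines appear; if they do and the Computed Attributes show only UserDN, the object has no group memberships the bind account can read, which is what the two posts above describe.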



  • 14.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 10, 2013 04:14 AM

    Hi All,

    In my case what's happening is the domain machine is authenticating, and in AD all the domain machines are in a single OU, so it's not differentiating the users.

    We think for this we need user authentication to happen so that we can differentiate the users and get their desired VLAN, so we need clarification on how to do user authentication with EAP-TLS.

    Machine and user authentication for EAP-TLS, or only user authentication for EAP-TLS?

    As per the end user, they have issued a certificate for each user also.

    Regards,

    Nithin Kumar C V



  • 15.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 11, 2013 03:13 AM

    :(



  • 16.  RE: Error message for Role Mapping Policy - CPPM
    Best Answer

    Posted Sep 13, 2013 09:39 AM

    You could still accomplish this by putting the computers in groups and using your mappings based on that vs. OU placement.

    If you want to use user and computer EAP-TLS this is possible.   The configuration is really on the client side.  Windows has a setting that says whether to use User Authentication, Computer Authentication, or User or Computer Authentication.    This setting is under the Advanced Settings button of the wireless configuration.

    • If User Authentication - Device will only get on the wireless network when the user logs in using the user's credentials/certificate
    • If Computer Authentication - Device will use computer credentials/certificate pre user logon and post user logon
    • If User or Computer Authentication - Device will connect to the wireless network using the computer's credentials/certificate when no user is logged in.  When a user logs in, Windows will reauthenticate the device with the user credentials/certificate

    If you want to use EAP-TLS and ClearPass to not only authenticate the users, but to also authorize them based upon groups or other attributes, you may need to turn on Certificate Comparison in the EAP-TLS Authentication Method you are using for your service, if you haven't already (I usually create a new EAP-TLS method for my customers with this).

    Attachment: cp-tls-compare.jpg

     



  • 17.  RE: Error message for Role Mapping Policy - CPPM

    Posted Sep 16, 2013 04:52 AM

    Thanks a lot for your support and guidelines.

    :)