Re: Howto: Airwave authentication via Clearpass

Troy,

Can you try and reproduce what I'm doing though? Use your AD for authentication but then use the Local database for authorization.

- Ryan -
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University

Re: Howto: Airwave authentication via Clearpass

Yes, I was able to get it working. I will be in my office tomorrow if you want to have a quick call in the afternoon.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.

Re: Howto: Airwave authentication via Clearpass

Troy,

Not sure how you got that to work. When I try to copy the [Local User Repository], I get this error:

"You are not allowed to copy a Local type of Authentication Source"

. . . so, how were you able to pull this off?

- Ryan -
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University

Re: Howto: Airwave authentication via Clearpass

Ryan,

 

I copied my AD source, not the Local user.

I copied that one so I could modify the setting to not pull role attributes for that service. I'm pulling roles for other services from my AD, so I didn't want to mess with the original.

I authenticated against AD and then just authorized off the local DB roles assigned to the same username.

Thank You,
Troy


Re: Howto: Airwave authentication via Clearpass

Could you leave the "enable to use this authentication..." option enabled and still accomplish the goal?

I believe that we are doing something similar, except we are using two external LDAPs.

The common point between the two is the user name. We can then use this name to do lookups in the secondary LDAP, as the secondary source contains far more information. We then added the secondary LDAP as an authorization source. In the Access Tracker we can see attributes pulled from both the authentication source as well as the authorization source.

I think you could build rules based on both. Not sure if it works differently with the local db though.

 

 


Re: Howto: Airwave authentication via Clearpass

The problem is that if you leave that checked and CPPM finds that they belong to a group, it will use that as the member of.

You would most likely be able to do it with some creative policies, but it was just easier in my lab to disable that option so CPPM will only look at my local roles.
Thank You,
Troy


Re: Howto: Airwave authentication via Clearpass

Ah that makes sense!

 

I am not 100% familiar with the working relation between the CPPM and AD as I don't have an AD to work with directly.

 

Keeping it simple is always better when possible!

 

Thank you for the clarification!

 

Cheers


Re: Howto: Airwave authentication via Clearpass

Troy, support has told me I had to submit a feature request, as this is not currently supported.

https://arubanetworkskb.secure.force.com/cp/ideas/viewIdea.apexp?id=08740000000LDzm

 

If you have this working, please let me know when you have time so we can get this working at OSU.

 

Thanks!

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University

Re: Howto: Airwave authentication via Clearpass

I followed your instructions before I had a handle on roles and enforcement (not sure I do yet) and it didn't work for me.

 

After getting several other device groups working and learning a bit as I did, I was able to fix my implementation of your instructions.

I'm not sure if it's a typo, or just a stylistic variation, but "fixing" it made mine work.

 

Under "Create an Airwave Enforcement Policy:" you have:
 7. Mine looks like this:

 ...
  iv. Airwave-Admins

 

while under "Create an Airwave Login Service:" you have:
 7. Under Roles select the "Role Mapping Policy"...
  v. Actions > "Role Name" > "Airwave Admins"

 

I edited the enforcement policy to use the role equal "Airwave Admin" (note the space vs. dash) so that the two stanzas match and got much better results.

 

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
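
The space-versus-dash mismatch described in the post above, as an added example that is not part of the original post or of ClearPass: a small lint that compares the role names a role mapping policy assigns with the names an enforcement policy tests for. It assumes role names are compared as exact strings; the lists are constructed sample data, not a ClearPass export format, and the function names are hypothetical.

```python
import re

# Constructed sample data (not a ClearPass export): roles a role mapping
# policy can assign, and roles the enforcement policy rules test for.
ROLE_MAPPING_OUTPUTS = ["Airwave Admins", "Airwave Read-Only"]
ENFORCEMENT_CONDITIONS = ["Airwave-Admins", "Airwave Read-Only", "Airwave Auditors"]


def normalize(name):
    """Fold case and treat runs of spaces, dashes and underscores as one separator."""
    return re.sub(r"[\s_-]+", " ", name).strip().lower()


def lint_role_names(mapped, enforced):
    """Return (near_misses, unmatched) for the enforcement role names.

    near_misses: (enforcement_name, mapping_name) pairs that differ only in
                 case or separator, so an exact-match rule would not fire.
    unmatched:   enforcement names with no counterpart in the mapping at all.
    """
    exact = set(mapped)
    by_norm = {}
    for m in mapped:
        by_norm.setdefault(normalize(m), m)
    near, unmatched = [], []
    for e in enforced:
        if e in exact:
            continue  # spelled identically in both policies
        candidate = by_norm.get(normalize(e))
        if candidate is not None:
            near.append((e, candidate))
        else:
            unmatched.append(e)
    return near, unmatched


if __name__ == "__main__":
    near, unmatched = lint_role_names(ROLE_MAPPING_OUTPUTS, ENFORCEMENT_CONDITIONS)
    for e, m in near:
        print(f"near miss: enforcement tests {e!r}, mapping assigns {m!r}")
    for e in unmatched:
        print(f"unmatched: no role mapping rule assigns {e!r}")
```
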

Re: Howto: Airwave authentication via Clearpass

Matthew, can you explain this further? Are you referring to screen shots, because I didn't see any. It's just not clear what you have created. I appreciate the involvement; let me know what you have.

 

Thanks!

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University