Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Limit Clearpass Onboarding to specific devices

  • 1.  Limit Clearpass Onboarding to specific devices

    Posted Mar 12, 2019 03:59 PM

    I have Onboarding set up and working in ClearPass. Currently it allows an authenticated user (in AD) to onboard whatever device they want. I would like to add additional criteria so that the user must be an AD-authenticated user AND the endpoint they are onboarding must also have a specific attribute set in the Endpoint database. I would prefer this to happen when they log in to the Onboard web page.

    I suspect I need to add the Endpoints repository as an Authorization Source to one of the Onboard services, but which one (Pre-Auth, Auth or Provisioning)? And then add logic in the Enforcement Policy to look for [Authenticated user] AND "endpoint attribute"=X.

    Am I off in the wrong direction? What am I missing?



  • 2.  RE: Limit Clearpass Onboarding to specific devices
    Best Answer

    EMPLOYEE
    Posted Mar 15, 2019 12:50 PM

    You are on the right track. Use the Auth service and put the endpoint repository in the Authorization tab, then create the Enforcement Policy to look for the attribute you specified.



  • 3.  RE: Limit Clearpass Onboarding to specific devices

    Posted Mar 20, 2019 05:45 PM

    Thanks. I tried that but was still having a problem, because when the users got to the Onboard Pre-Auth service, that service didn't know anything about the endpoint. It had no end-host identifier to look up in the endpoints database to get authorization information for.

    When I changed the Authorization Method in the Provisioning settings from "App Authentication" to "Radius", suddenly the Onboard Pre-Auth service did get the end-host identifier populated and was able to look for the proper attribute in the endpoints database.
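    To make the two-condition policy and the failure mode in this reply concrete, here is an added Python model of the decision. It is a constructed illustration, not ClearPass code; the endpoint records, the attribute name `Onboard-Allowed` and the MAC addresses are assumptions.

```python
"""Model of the Onboard authorization decision discussed in this thread.
Constructed example: ClearPass evaluates its enforcement policy internally;
the data and names below are assumptions for illustration only."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed endpoint repository: MAC -> attributes set by profiling/admin.
ENDPOINTS: Dict[str, Dict[str, str]] = {
    "00-11-22-33-44-55": {"Onboard-Allowed": "true"},
    "66-77-88-99-aa-bb": {"Onboard-Allowed": "false"},
    "cc-dd-ee-ff-00-11": {},  # known endpoint, attribute never set
}


@dataclass
class Request:
    user: str
    authenticated: bool               # AD authentication succeeded
    client_mac: Optional[str] = None  # end-host identifier; None when the
                                      # service never received it (the
                                      # "App Authentication" symptom above)


def authorize(req: Request,
              endpoints: Dict[str, Dict[str, str]] = ENDPOINTS,
              attr: str = "Onboard-Allowed",
              want: str = "true") -> Tuple[str, str]:
    """Return (decision, reason).

    Allow only if the user is authenticated AND the endpoint record carries
    attr == want. Without a client identifier there is nothing to look up in
    the repository, so the request is denied rather than falling through.
    """
    if not req.authenticated:
        return ("deny", "user not authenticated")
    if not req.client_mac:
        return ("deny", "no end-host identifier; endpoint lookup impossible")
    record = endpoints.get(req.client_mac.lower())
    if record is None:
        return ("deny", "endpoint not in repository")
    if record.get(attr) != want:
        return ("deny", f"{attr} is not {want!r}")
    return ("allow", "authenticated user and endpoint attribute match")
```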



  • 4.  RE: Limit Clearpass Onboarding to specific devices

    Posted Jul 07, 2020 03:02 AM

    Hi!
    I'm running into the same kind of situation, but I failed at reproducing your solution. Can you give some details on it? How did you transform the pre-auth service so that it runs with RADIUS instead of app auth?

    I think this is what I am missing, because the information about the device never transits, and so ClearPass can't verify if it comes from AD.

    Thanks in advance!



  • 5.  RE: Limit Clearpass Onboarding to specific devices

    MVP EXPERT
    Posted Jul 07, 2020 09:52 AM

    Please be specific. What specifically are you trying to do?



  • 6.  RE: Limit Clearpass Onboarding to specific devices

    Posted Jul 07, 2020 10:08 AM

    Hi, and thanks for your answer!

    I was trying to limit the onboarding process to certain devices. I already limit the onboarding process to certain accounts. Example: only AD members of the clearpassOnboarding group can onboard devices.

    But they can also onboard some devices that I don't want them to onboard.

    If I only think of domain devices, I was trying to limit the devices that can be onboarded by AD group membership, i.e. I wanted to make Onboard check whether the device is in a specific group in our domain, and if not, refuse to onboard it.

    I know that the onboarding process is typically for non-domain devices, but it does not suit the needs of my customer.



  • 7.  RE: Limit Clearpass Onboarding to specific devices

    MVP EXPERT
    Posted Jul 07, 2020 10:17 AM
    Onboard is not designed for managed devices and should not be used for this.


  • 8.  RE: Limit Clearpass Onboarding to specific devices

    Posted Jul 07, 2020 10:29 AM

    Yeah, I understood.

    Oh! I understood what they wanted to do in the original post; I thought they were talking about domain attributes, but it was just the ClearPass profiling endpoint repository!

    Many thanks.



  • 9.  RE: Limit Clearpass Onboarding to specific devices

    Posted Jul 08, 2020 05:52 PM

    For those who are coming here, it seems that we can maybe sort this out with some profiling + authorization. I haven't tested it though.