Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard - Restrict onboard services to only devices in static host list

  • 1.  Onboard - Restrict onboard services to only devices in static host list

    Posted Feb 23, 2017 01:22 PM

    Hi All,

     

    I'm trying to add a role mapping and enforcement policy to only allow devices on a static host list to onboard.

     

    I'm adding this to the "Onboard Pre-Auth" service that was created via template. My problem is that I can't specify the mac-address from computed data to the static host list.

     

    In access tracker I see:

    Application:WebLoginURL:mac98:01:a7:47:cd:c5

    However, when adding either a role mapping or enforcement policy, I never see Application:WebLoginURL to choose from (just Application:, Application:ClearPass, and Application:SSO).

     

    Do I have to add in some attributes somewhere to get this to work?

     

    N



  • 2.  RE: Onboard - Restrict onboard services to only devices in static host list

    EMPLOYEE
    Posted Feb 23, 2017 01:29 PM
    You would need to change Onboard to use a RADIUS authorization instead of
    Application.



    Just curious, why are you using MAC address here? What's to stop me from
    changing my MAC to Onboard?


  • 3.  RE: Onboard - Restrict onboard services to only devices in static host list

    Posted Feb 23, 2017 01:51 PM

    Well I guess you would need to know the mac to change to, but your point stands. Nothing would stop you.

     

    All I'm trying to do is to add some additional security to prevent someone from onboarding an unapproved device and getting onto a corporate SSID. I'm using dual SSID with a register link on the guest captive portal (which is an open-auth SSID). You need to log in with a guest account to provision, but that's only a 6 character pin.

     

    Do you have any better suggestions?

     

    N



  • 4.  RE: Onboard - Restrict onboard services to only devices in static host list

    EMPLOYEE
    Posted Feb 23, 2017 01:56 PM
    If that's the security requirement, then that's the way to do it. Just
    wanted you to be aware of that it can easily be spoofed.



  • 6.  RE: Onboard - Restrict onboard services to only devices in static host list

    Posted Feb 23, 2017 02:40 PM

    When deleting the onboard cert, how long does it take before the device can no longer connect via TLS? It seems like devices still operate even when removed from Onboard.

     




  • 8.  RE: Onboard - Restrict onboard services to only devices in static host list
    Best Answer

    EMPLOYEE
    Posted Feb 23, 2017 02:56 PM
    If you have your EAP-TLS method configured for OCSP, the next time it
    attempts authentication, it should be rejected.

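The point made in the accepted answer above is that deleting a device in Onboard only takes effect if the authentication server actually consults revocation status on the next EAP-TLS attempt. The following model, added here as an illustration (it is not ClearPass code and not from the original post), shows the decision an EAP-TLS server makes with OCSP checking off versus on, and how a stale response or an unreachable responder must be handled explicitly. The certificates, serial numbers, clock and the OCSP responder are all simulated so the block runs offline.

```python
"""Model of the revocation check an EAP-TLS authentication server applies.

Added for the thread on deleted Onboard certificates; not ClearPass code.
Certificates, serials, the clock and the OCSP responder are simulated
(constructed for this example) so the block runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ClientCert:
    serial: int
    not_after: datetime
    issuer_trusted: bool = True  # chain already validated against the Onboard CA


@dataclass(frozen=True)
class OcspResponse:
    status: str            # "good" | "revoked" | "unknown" (RFC 6960 cert statuses)
    this_update: datetime
    next_update: datetime


class SimulatedResponder:
    """Stands in for the Onboard CA's OCSP responder (constructed for this example)."""

    def __init__(self, revoked_serials, now, validity=timedelta(hours=1), reachable=True):
        self.revoked = set(revoked_serials)
        self.now = now                 # responder's clock when it signs responses
        self.validity = validity       # thisUpdate -> nextUpdate window
        self.reachable = reachable

    def query(self, serial: int) -> OcspResponse:
        if not self.reachable:
            raise ConnectionError("OCSP responder unreachable")
        status = "revoked" if serial in self.revoked else "good"
        return OcspResponse(status, self.now, self.now + self.validity)


def authorize_eap_tls(cert, now, responder=None, ocsp_enabled=True, fail_closed=True):
    """Return (accepted, reason) for one EAP-TLS attempt with the given cert."""
    if not cert.issuer_trusted:
        return False, "untrusted issuer"
    if now > cert.not_after:
        return False, "certificate expired"
    if not ocsp_enabled:
        # Chain and validity period only: a certificate that was deleted in
        # Onboard (and therefore revoked) keeps working until it expires.
        return True, "accepted without revocation check"
    if responder is None:
        raise ValueError("OCSP enabled but no responder configured")
    try:
        resp = responder.query(cert.serial)
    except ConnectionError:
        # Responder outage is a policy decision, not an accident: decide it.
        if fail_closed:
            return False, "OCSP unavailable (fail closed)"
        return True, "OCSP unavailable (fail open)"
    if not (resp.this_update <= now <= resp.next_update):
        return False, "stale OCSP response"
    if resp.status == "good":
        return True, "OCSP good"
    return False, f"OCSP {resp.status}"   # "revoked" and "unknown" both reject


# Constructed scenario: a device deleted in Onboard at serial 0x1A2B.
NOW = datetime(2017, 2, 23, 15, 0, tzinfo=timezone.utc)
DELETED_DEVICE = ClientCert(serial=0x1A2B, not_after=NOW + timedelta(days=365))
VALID_DEVICE = ClientCert(serial=7, not_after=NOW + timedelta(days=365))
RESPONDER = SimulatedResponder(revoked_serials={0x1A2B}, now=NOW)
DOWN_RESPONDER = SimulatedResponder(set(), NOW, reachable=False)
STALE_RESPONDER = SimulatedResponder(set(), NOW - timedelta(days=2))

if __name__ == "__main__":
    print(authorize_eap_tls(DELETED_DEVICE, NOW, RESPONDER, ocsp_enabled=False))
    print(authorize_eap_tls(DELETED_DEVICE, NOW, RESPONDER))
    print(authorize_eap_tls(VALID_DEVICE, NOW, DOWN_RESPONDER))
    print(authorize_eap_tls(VALID_DEVICE, NOW, DOWN_RESPONDER, fail_closed=False))
    print(authorize_eap_tls(VALID_DEVICE, NOW, STALE_RESPONDER))
```

The first two calls reproduce the thread: with OCSP disabled the deleted device is still accepted, with it enabled the same attempt is rejected as revoked. Whether an unreachable responder fails open or closed is a deliberate setting in the model; a real deployment should pick fail closed unless availability of the corporate SSID is judged more important than enforcing revocation.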

  • 9.  RE: Onboard - Restrict onboard services to only devices in static host list

    Posted Feb 23, 2017 05:44 PM

    Ah that was it, TAC disabled it the other day. Thanks.

     

    N



  • 10.  RE: Onboard - Restrict onboard services to only devices in static host list

    Posted May 12, 2019 08:35 PM

    Hi Nick and Tim,

     

    I'm trying to do something similar where I want to restrict onboarding to both a static host list and AD credentials. The intention is that only whitelisted devices can be onboarded by staff.

     

    Onboarding is occurring via an onboarding SSID, and after onboarding devices will be on a corporate eap-tls SSID.

     

    The trouble I'm facing is that even though I've created a static host list as an authentication source, the option to use it as an authorization source is greyed out.

     

    In my enforcement policy I wanted the ruleset to look something like:

    tips // role // equals // user authenticated

    Connection // Client-Mac-Address // BELONGS_TO_GROUP // --SHL-- name

     

    I'm not able to select or get the SHL component working. I tried setting the onboard authorisation to radius as well as application (two separate services) and was unable to get either working with the SHL. Onboarding without the SHL works fine.

     

    Do you have any suggestion or ideas on how I could get this working? I thought another option would be to host a sql db externally and use it as an authorisation source but it seems like this should be achievable with the SHL..

     

    Thanks in advance. Cheers,

     

    Liam


  • 11.  RE: Onboard - Restrict onboard services to only devices in static host list

    Posted May 13, 2019 03:02 AM

    Who is doing the onboarding, staff or the end user? If staff is doing the onboarding you can use some authorization attributes from the authentication source, for example an AD group that the staff people belong to.

     

    If you want to filter based on the client MAC address I would say use the endpoint database for this. You can add an additional attribute in the Endpoint database and filter on this.



  • 12.  RE: Onboard - Restrict onboard services to only devices in static host list

    Posted May 13, 2019 06:53 AM

    Hi Willembargeman,

     

    Thanks for the reply. The onboarding will be performed by the end users (who happen to be staff members).

     

    The reason I want to authorize against the SHL is to make sure the device being onboarded is a managed device, and not just any BYOD device the end user tries to onboard. The customer is using a cloud version of Sophos MDM which unfortunately doesn't have any native integration with ClearPass. I only want to allow devices that are under Sophos MDM management to be onboarded.

     

    The plan I came up with was to export the list of device MAC addresses from sophos into the SHL, and then use the SHL as an authorization source when onboarding.

     

    I realise the SHL will have to be manually maintained but without any native integration this is a limitation I have to work with. I thought it would be simple to add a MAC address validation to my onboarding authorization policy but it's proving harder than I expected.

     

    Also worth mentioning that the 'onboarding SSID' is available to public/visitors which is why I want to use a combination of both AD credentials and the SHL.


    I was hoping that when adding the SHL as a static host list that I would be able to tick the box in this screenshot to enable it as an authorization source but it's greyed out..

    original.jpg

     



  • 13.  RE: Onboard - Restrict onboard services to only devices in static host list

    EMPLOYEE
    Posted May 14, 2019 07:11 AM
    Belongs to group with an SHL will always work without an auth source.



    Why would you authorize based on MAC address though? Kind of defeating the
    point of a secure credential.

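The two-condition rule Liam sketched above (Tips:Role EQUALS [User Authenticated] AND Connection:Client-Mac-Address BELONGS_TO_GROUP the static host list) can be written out as a small rule engine. The block below is an added illustration, not ClearPass code and not from any post in this thread: the attribute names are the ones quoted in the posts, while the SHL contents, the sample requests and the use of the built-in [Allow Access Profile] / [Deny Access Profile] names as outcomes are constructed for this example. It also normalises the MAC spellings that typically appear in an MDM export versus a RADIUS request (colons, hyphens, Cisco dotted, bare hex, and the mac-prefixed form from Access Tracker's WebLoginURL), since a format mismatch is the usual reason a list lookup silently fails.

```python
"""Model of an enforcement rule: onboard only when the user authenticated
AND the client MAC belongs to a Static Host List (SHL).

Added illustration for this thread; not ClearPass code. Attribute names
follow the posts; list contents, requests and profile names are constructed.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to 12 lowercase hex digits.

    Accepts 98:01:a7:47:cd:c5, 98-01-A7-47-CD-C5, 9801.a747.cdc5, 9801a747cdc5
    and the 'mac98:01:a7:47:cd:c5' value seen in Application:WebLoginURL.
    Raises ValueError for anything else so garbage never just 'does not match'.
    """
    s = raw.strip().lower()
    if s.startswith("mac"):          # 'm' is not a hex digit, so this is unambiguous
        s = s[3:]
    s = re.sub(r"[:\-.\s]", "", s)
    if not _HEX12.match(s):
        raise ValueError(f"not a MAC address: {raw!r}")
    return s


class StaticHostList:
    """A named set of MACs; membership is tested after normalisation on both sides."""

    def __init__(self, name: str, entries):
        self.name = name
        self.members = {normalize_mac(e) for e in entries}

    def __contains__(self, mac: str) -> bool:
        return normalize_mac(mac) in self.members


USER_AUTHENTICATED = "[User Authenticated]"
ALLOW = "[Allow Access Profile]"   # stand-in outcome names (assumption)
DENY = "[Deny Access Profile]"


def evaluate_onboard_policy(request: dict, shl: StaticHostList) -> str:
    """Return the enforcement profile for one request.

    Both conditions must hold, mirroring the rule in the thread:
      Tips:Role EQUALS [User Authenticated]
      Connection:Client-Mac-Address BELONGS_TO_GROUP <shl>
    """
    roles = request.get("Tips:Role", ())
    mac = request.get("Connection:Client-Mac-Address")
    if USER_AUTHENTICATED not in roles or mac is None:
        return DENY
    try:
        in_list = mac in shl
    except ValueError:
        return DENY                  # malformed MAC: deny rather than fall through
    # The MAC is asserted by the client. A hit proves the entry exists in the
    # list, not that this is the managed device (the spoofing caveat in the thread).
    return ALLOW if in_list else DENY


# Constructed data: an SHL exported from the MDM in mixed spellings, and
# three onboarding attempts as ClearPass would present them to the policy.
MDM_MANAGED = StaticHostList(
    "Sophos-Managed",
    ["98:01:A7:47:CD:C5", "00-11-22-33-44-55", "0011.2266.7788"],
)

SAMPLE_REQUESTS = {
    "managed_staff": {"Tips:Role": ["[User Authenticated]"],
                      "Connection:Client-Mac-Address": "9801a747cdc5"},
    "byod_staff": {"Tips:Role": ["[User Authenticated]"],
                   "Connection:Client-Mac-Address": "aa:bb:cc:dd:ee:ff"},
    "managed_guest": {"Tips:Role": ["[Guest]"],
                      "Connection:Client-Mac-Address": "98:01:a7:47:cd:c5"},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:14s} -> {evaluate_onboard_policy(req, MDM_MANAGED)}")
```

Only the authenticated staff member on a listed device gets the allow profile; a staff member on an unlisted BYOD device and a guest-role login on a listed device are both denied, which is the behaviour the combined AD-plus-SHL requirement asks for. Normalising on both the list and the request side is what makes the colon-separated request match the hyphenated and dotted export entries.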

  • 14.  RE: Onboard - Restrict onboard services to only devices in static host list

    EMPLOYEE
    Posted Feb 23, 2017 01:29 PM

    You would need to do this in your Onboard Authorization service instead of pre-auth.

    Just curious, why are you using MAC address here? What's to stop me from changing my MAC to Onboard?