Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

  • 1.  Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

    Posted May 22, 2018 10:48 PM

    Hello. I'd like to ask for guidance one more time.

    My goal is to start working with ClearPass, and I'm trying to bring up a simple lab. I have a Windows Server 2016 with AD working fine, CPPM 6.7, an IAP-305 on the latest firmware, and a Windows 7 machine as the wifi client.

    The task is: on the CPPM, catch users who are members of Grupe1, attach a role to them, and by that role "enforce" them to be assigned a role on the IAP with a simple deny icmp any any (further: denyping).

    The problem is that I don't even see CPPM passing the attribute Aruba-User-Role to the IAP on the packet capture, and the IAP is not catching it either.

    Here is the setup:

    192.168.200.222 - CPPM, 192.168.100.20 - IAP

    clearpass01.png

    As you can see, the policy is UserIsGrupe1.

    Policy: clearpass02.png

    Never mind the condition; pl_test (my role) is the default role, and it is working (see below).

    Here is the enforcement profile: clearpass04.png

    ... and the attribute I'd like the IAP to receive.

    The enforcement policy:

    clearpass07.png

    Again, the condition might not work (though it probably does), but the Default Profile should work anyway.

    And what I see on the packet capture: clearpass05.png

    As you can see, Access-Accept, but there is no Aruba vendor attribute. And the IAP also doesn't see it.

    Here is the output from the tracker: clearpass11.png

    And here is the output:

    clearpass12.png

    Please note: the attribute is present, but it is not seen on the packet capture, nor does the IAP recognize it.

    Here is, just in case, the config from the IAP:

    clearpass13.png

    All users fall back into ArubaRadio1 instead of denyping.

    I understand that there is some stupid little something that I'm missing for such a trivial case, but I can't catch it.

    I'd really appreciate any advice. Thank you!



  • 2.  RE: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

    EMPLOYEE
    Posted May 22, 2018 10:51 PM
    Do you have the role defined on the IAP?


  • 3.  RE: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

    Posted May 22, 2018 10:57 PM

    I think I am.

    clearpass14.png

    Please also find attached the CPPM log and packet capture files (just in case).

    Thank you!

    Attachment(s)

    clearpass-pcap.log.txt   8 KB 1 version
    clearpass.log.txt   15 KB 1 version


  • 4.  RE: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

    EMPLOYEE
    Posted May 22, 2018 10:56 PM

    1. In your enforcement profile, remove the device group requirement.

    2. The "Aruba-User-Role" VSA does not require a role assignment rule on the IAP. The IAP sees that attribute and changes the user role.

    3. I don't see "denyping" as a defined role on the IAP. If the role you return with the VSA does not exist, the user just gets the default role.



  • 5.  RE: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

    Posted May 22, 2018 11:01 PM

    Thank you, cjoseph. But no luck; nothing has changed (after the device group removal).

    And regarding the role assignment on the IAP, I've tried both ways; just pointing to it manually with an access rule seemed to be a required prerequisite. But it should work anyway, I think. And it isn't.



  • 6.  RE: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent
    Best Answer

    EMPLOYEE
    Posted May 24, 2018 08:30 AM

    Try to disable Monitor Mode in your service. The screenshot shows it is enabled.

    Monitor Mode will return just an Access-Accept, regardless of policy/authentication, and is intended to show what would happen without actually doing it. From your description, this matches what you see.
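The symptom in this thread (an Access-Accept that carries no Aruba-User-Role VSA, so the IAP falls back to the default role) is easy to confirm from the packet bytes rather than from screenshots. The following is an added example, not code from the original post or from HPE Aruba Networking: a small RADIUS attribute parser that walks the attribute list of an Access-Accept, decodes Vendor-Specific (type 26) attributes, and reports any Aruba-User-Role values it finds. It assumes the standard Aruba RADIUS dictionary values (vendor ID 14823, Aruba-User-Role as vendor type 1) and builds two constructed sample packets inline: one with the VSA, as an active enforcement profile would produce, and one bare Access-Accept, as a service in Monitor Mode produces.

```python
import struct

# Constants from the public Aruba RADIUS dictionary (assumed, not taken from the post).
ARUBA_VENDOR_ID = 14823        # IANA enterprise number for Aruba
ARUBA_USER_ROLE = 1            # Aruba-User-Role, vendor-specific sub-attribute type 1
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute
RADIUS_ACCESS_ACCEPT = 2       # RFC 2865 packet code
RADIUS_HEADER_LEN = 20         # code(1) + id(1) + length(2) + authenticator(16)


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 Vendor-Specific attribute with a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_packet(code: int, ident: int, attrs: bytes) -> bytes:
    """Assemble a RADIUS packet; the authenticator is zeroed since we only parse attributes."""
    length = RADIUS_HEADER_LEN + len(attrs)
    return struct.pack("!BBH", code, ident, length) + bytes(16) + attrs


def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) and reject malformed length fields."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = []
    pos = RADIUS_HEADER_LEN
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def aruba_user_roles(packet: bytes):
    """Return (code, [role, ...]) for every Aruba-User-Role VSA in the packet."""
    code, attrs = parse_attributes(packet)
    roles = []
    for attr_type, value in attrs:
        # A VSA needs at least vendor-id(4) + sub-type(1) + sub-length(1).
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != ARUBA_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            sub_type, sub_len = value[pos], value[pos + 1]
            if sub_len < 2 or pos + sub_len > len(value):
                break  # truncated sub-attribute; stop rather than misread bytes
            if sub_type == ARUBA_USER_ROLE:
                roles.append(value[pos + 2:pos + sub_len].decode("utf-8", "replace"))
            pos += sub_len
    return code, roles


def diagnose(packet: bytes) -> str:
    """One-line verdict matching the two cases discussed in the thread."""
    code, roles = aruba_user_roles(packet)
    if code != RADIUS_ACCESS_ACCEPT:
        return "not an Access-Accept (code %d)" % code
    if not roles:
        return "Access-Accept without Aruba-User-Role: IAP will apply its default role"
    return "Access-Accept with Aruba-User-Role=%s" % ",".join(roles)


# Constructed sample packets (not captured from the poster's lab).
ACCEPT_WITH_ROLE = build_packet(
    RADIUS_ACCESS_ACCEPT, 7, build_vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, b"denyping"))
ACCEPT_BARE = build_packet(RADIUS_ACCESS_ACCEPT, 8, b"")

if __name__ == "__main__":
    print(diagnose(ACCEPT_WITH_ROLE))
    print(diagnose(ACCEPT_BARE))
```

To use it against a real capture, feed the raw UDP payload of the Access-Accept (for example, the bytes exported from a packet capture) to diagnose(); an empty role list on an Access-Accept is exactly the Monitor Mode signature described above, whereas a role name the IAP does not define produces the other fallback case from reply 4.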



  • 7.  RE: Radius Attribute from CPPM is not observed on IAP, but it seems to be sent

    Posted May 24, 2018 08:55 AM

    That is exactly what it was.

    Thank you very much! I can continue now :)