Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Role Derivation with Onboarding.

  • 1.  Role Derivation with Onboarding.

    Posted Dec 05, 2014 02:33 AM

    Hi guys,

    I've configured Onboarding with an Aruba controller. I tested it and it works fine, but only with the authenticated role. Now I want to go beyond that and do role derivation, but at this time I can't make it work.

    I want to send back to the controller 5 different user roles, but differentiate computers from smart devices.

    I'm using the local user database, so I create users locally; the roles directors, coordinators, systems and administrator were assigned to different users.

    I don't know if I have to modify the default ONBOARDING post-provisioning enforcement profile.

    Could someone enlighten me about this topic?

    Thanks.



  • 2.  RE: Role Derivation with Onboarding.

    EMPLOYEE
    Posted Dec 05, 2014 07:47 AM

    lcornelio,

    What you can do will depend on the service that you have already configured to authenticate onboarded clients, as well as what information is being returned from that authentication. If the onboarded device is being profiled during onboarding and there is an OS or OS category for that device in ClearPass, you can use a role mapping policy to later trigger an enforcement policy that sends an enforcement profile that would set the Aruba role during authentication.



  • 3.  RE: Role Derivation with Onboarding.

    Posted Dec 05, 2014 09:05 AM

    You may have done this already, but in order for ClearPass to get the device fingerprint you need to add the ClearPass IP address as a DHCP relay under the SVI on your core or distribution switch, or wherever that SVI lives:

        interface vlan 2
         ip address 192.168.2.1 255.255.255.0
         ip helper-address <ClearPass Server Address>

    You need to add the Endpoint Database as an Authorization Source.

    [Screenshot: 2014-12-05 09_55_11-ClearPass Policy Manager - Aruba Networks.png]

    Then you create a rule with a condition that
    authorization : endpoint database > category > SmartDevice or Computer
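    As an added illustration (not ClearPass code, nor any poster's configuration), a small Python model of the decision flow the replies above describe: the Endpoint Repository category and the local user's role feed role mapping, the resulting Tips roles select an enforcement profile, and that profile carries the Aruba-User-Role sent back to the controller. The role and profile names, and the "Unknown" category for an unfingerprinted device, are assumptions.

```python
# Added example, not ClearPass code: models role mapping -> enforcement
# policy -> enforcement profile for the thread's scenario. Role and profile
# names are assumed; only Aruba-User-Role is a real RADIUS attribute name.

# Role mapping rules, "evaluate all" style: every matching Tips role is added.
# Conditions read the Authorization:[Endpoints]:Category and the role stored
# in the Local User Repository.
ROLE_MAPPING = [
    (lambda r: r["endpoint_category"] == "Computer", "Computer"),
    (lambda r: r["endpoint_category"] == "SmartDevice", "SmartDevice"),
    (lambda r: r["local_role"] == "SISTEMAS", "SISTEMAS"),
    (lambda r: r["local_role"] == "DIRECTORES", "DIRECTORES"),
]

# Enforcement policy, "first applicable" style: the first rule whose Tips
# roles are all present wins. Each profile is the attribute set returned
# in the RADIUS Access-Accept.
ENFORCEMENT_POLICY = [
    ({"SISTEMAS", "Computer"}, {"Aruba-User-Role": "sistemas-pc"}),
    ({"SISTEMAS", "SmartDevice"}, {"Aruba-User-Role": "sistemas-byod"}),
    ({"DIRECTORES", "Computer"}, {"Aruba-User-Role": "directores-pc"}),
    ({"DIRECTORES", "SmartDevice"}, {"Aruba-User-Role": "directores-byod"}),
]
# Wizard-style default: the single role the original poster was stuck with.
DEFAULT_PROFILE = {"Aruba-User-Role": "authenticated"}


def build_request(username, local_role, endpoint_category=None):
    """Constructed request. endpoint_category is None when the Endpoint
    Repository holds no fingerprint, e.g. the DHCP relay to ClearPass is
    missing, so no device-type role can ever be derived."""
    return {"username": username, "local_role": local_role,
            "endpoint_category": endpoint_category or "Unknown"}


def map_roles(req):
    """Return the set of Tips roles produced by the role mapping policy."""
    return {role for cond, role in ROLE_MAPPING if cond(req)}


def enforce(req):
    """Pick the enforcement profile; fall back to the default profile."""
    tips = map_roles(req)
    for required, profile in ENFORCEMENT_POLICY:
        if required <= tips:
            return dict(profile)
    return dict(DEFAULT_PROFILE)


if __name__ == "__main__":
    for category in ("Computer", "SmartDevice", None):
        req = build_request("galeman", "SISTEMAS", category)
        print(category, map_roles(req), enforce(req))
```

    The third case shows why a missing fingerprint leaves every device on the default role: no device-category Tips role is derived, so no specific enforcement rule can match.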



  • 4.  RE: Role Derivation with Onboarding.

    Posted Dec 05, 2014 09:48 AM

    Here's an example:

    [Screenshot: 2014-12-04 07_40_24-Chrome Remote Desktop.png]



  • 5.  RE: Role Derivation with Onboarding.

    Posted Dec 05, 2014 12:06 PM

    Hi Vic,

    Thanks for your response. Let me say first that this is my first experience with ClearPass. I configured the service with the Onboard wizard; this wizard generated 3 services.

    [Screenshot: Captura de pantalla 2014-12-05 a las 10.04.17.png]

    I understand the last ONBOARDING provisioning service is the one that sends the User-Role back to the controller. I think I must clone this last profile and make changes to it.

    I've already configured the DHCP relay in the controller VLAN 1 to ClearPass for DHCP broadcasts.

    Let me show you in order what I did, with images.

    First I created a test user: galeman, with role SISTEMAS and the SISTEMAS-DEP attribute.

    [Screenshot: Captura de pantalla 2014-12-05 a las 10.24.36.png]

    Then I created a Role Mapping like this one. (At this point the endpoint repository was missing as an authorization source in the service; now I have added the endpoint repository as an authentication source.)

    [Screenshot: Captura de pantalla 2014-12-05 a las 10.32.10.png]

    This role mapping was added to the ONBOARDING post-provisioning service.

    [Screenshot: Captura de pantalla 2014-12-05 a las 10.37.56.png]

    The enforcement policy used here is the default generated by the wizard.

    [Screenshot: Captura de pantalla 2014-12-05 a las 10.45.40.png]

    The enforcement policy generated by the wizard is this one:

    [Screenshot: Captura de pantalla 2014-12-05 a las 10.47.10.png]

    The allow access profile is just a RADIUS-ACCEPT, and WIIMAS-ONBOARD post provisioning sends the authenticated role back to the controller.

    [Screenshot: Captura de pantalla 2014-12-05 a las 10.51.41.png]

    The other enforcement profile:

    [Screenshot: Captura de pantalla 2014-12-05 a las 10.52.47.png]

    I understand that role mapping and posture define the enforcement policy, and this last one is defined by the enforcement profile.

    About the answer you sent Fabian about the rules: I think I must generate a new enforcement profile with rules like yours, is that correct? If you see something wrong, let me know. Any advice will be welcome.



  • 6.  RE: Role Derivation with Onboarding.

    Posted Dec 05, 2014 03:49 PM

    "About the answer you sent Fabian about the rules: I think I must generate a new enforcement profile with rules like yours, is that correct? If you see something wrong, let me know. Any advice will be welcome."

    Yeah, you create your own enforcement policy to match the flow of your preference.

    But before you do that you should create the different enforcement profiles you need (either to send a VLAN or a role) based on certain criteria.