Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Security concerns about sharing QuickConnect file

  • 1.  Security concerns about sharing QuickConnect file

    Posted Nov 24, 2017 06:08 AM

    Hello community,

     

    We're having some concerns regarding the sharing of the ClearPass QuickConnect file between Windows machines. As we have tested, after logging in successfully at the onboard portal, a user (let's say user1) is prompted to download a QuickConnect file and use that file to install the profile on his machine. He will then have a certificate with CN = user1 and MAC = user1's machine. If user1 shares that QuickConnect file with user2 and user2 runs that file on his machine, he will also have a certificate with CN = user1, but MAC = user2's machine.

     

    How do we prevent this situation from happening? Is there a way to construct a policy on CPPM to stop it?

     

    Thank you,



  • 2.  RE: Security concerns about sharing QuickConnect file

    Posted Nov 24, 2017 10:42 AM

    Hi all,

     

    I believe I have a working solution for this issue. Will do more testing later.

     

    1) At the Onboard Authorization rule, add a Post_Authentication enforcement profile (along with [Allow Application Access Profile]) to add a new attribute: Endpoint:Username = %{Authentication:Username}

     

    2) Add the following rules to role mapping:

        Endpoint:Username  NOT_EXISTS
        OR  Endpoint:Username  NOT_EQUALS  %{Certificate:Subject-CN}
        --> assign role "Invalid Certificate"

     

    3) On the enforcement policy, add the following rule:

        Tips:Role  EQUALS  Invalid Certificate  --> [Deny Access Profile]

     

    Thank you,
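The following is an added example, not code from the thread or from HPE Aruba: a small Python model of the post-authentication, role-mapping and enforcement logic proposed in this reply, run against the shared-QuickConnect scenario from the original question. The attribute and profile names mirror those quoted in the thread; the endpoint store, the MAC addresses, the "Onboarded Device" role and the "[Allow Access Profile]" outcome are constructed assumptions.

```python
# Added example: models the policy logic described in the reply above.
# Not ClearPass code; the endpoint store and MACs are constructed sample data.

ENDPOINTS = {}  # constructed endpoint database: MAC address -> attributes


def onboard(username, mac):
    """Step 1 of the reply: after a successful onboard login, a post-auth
    enforcement profile records Endpoint:Username = %{Authentication:Username}
    on the endpoint the user onboarded from."""
    ENDPOINTS.setdefault(mac, {})["Username"] = username


def map_role(mac, cert_subject_cn):
    """Step 2 of the reply (role mapping):
    Endpoint:Username NOT_EXISTS
    OR Endpoint:Username NOT_EQUALS %{Certificate:Subject-CN}
    --> role "Invalid Certificate". Otherwise an assumed default role."""
    endpoint_username = ENDPOINTS.get(mac, {}).get("Username")
    if endpoint_username is None or endpoint_username != cert_subject_cn:
        return "Invalid Certificate"
    return "Onboarded Device"  # assumed name for the normal case


def enforce(mac, cert_subject_cn):
    """Step 3 of the reply (enforcement policy):
    Tips:Role EQUALS Invalid Certificate --> [Deny Access Profile]."""
    if map_role(mac, cert_subject_cn) == "Invalid Certificate":
        return "[Deny Access Profile]"
    return "[Allow Access Profile]"  # assumed allow outcome


def shared_quickconnect_scenario():
    """user1 onboards on MAC_A and shares the QuickConnect file with user2,
    who installs it on MAC_B; both certificates then carry CN = user1.
    user2 later onboards MAC_B properly with their own account."""
    ENDPOINTS.clear()
    mac_a, mac_b = "AA-BB-CC-00-00-01", "AA-BB-CC-00-00-02"  # constructed
    onboard("user1", mac_a)
    results = {
        "user1_on_own_machine": enforce(mac_a, "user1"),
        "user2_with_shared_file": enforce(mac_b, "user1"),   # MAC_B never onboarded
    }
    onboard("user2", mac_b)  # user2 onboards MAC_B legitimately
    results["user2_own_cert_after_onboard"] = enforce(mac_b, "user2")
    results["user2_still_using_shared_file"] = enforce(mac_b, "user1")
    return results
```

The model shows why binding the onboarding username to the endpoint record catches a copied QuickConnect file: the certificate alone is the same on both machines, so the decision has to come from an attribute the second machine never received.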



  • 3.  RE: Security concerns about sharing QuickConnect file

    Posted Nov 26, 2017 10:23 AM

    Hi all,

     

    Actually it didn't work as I expected. I cannot add a new Endpoint attribute during the onboard process, as described above. Is there any way to do it (update an Endpoint attribute during onboard)?

     

    Thank you,