Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Selecting a service depending on authentication source

  • 1.  Selecting a service depending on authentication source

    Posted Jun 25, 2020 03:07 PM

     

    Hello Guys

    Is it possible to do this?

    I got this scenario:

    1 company in 2 countries.

    In one country, which is the one I am in, let's name it country A, they want to use OnGuard (they got a license only for their devices). This country has its own ClearPass and its own wireless controller.

    The other country, country B, has its own ClearPass and also its own controller, but they don't have a ClearPass OnGuard license.

    Both countries will use 802.1X EAP-PEAP.

    Situation:

    Country B has its own controller and its own ClearPass to let the users in their country get on the network using EAP-PEAP; they authenticate with their ClearPass and only users in a group of their AD can get in.

    They also added the domain controller of country A so they could tell in their policies which users are allowed to join their network when users from country A visit country B.

    Now

    In country A I will need to do something similar, as some users of country B come to country A. I will need to join their domain also. Our ClearPass will have the country A and country B domains.

    I would like to know if I could make a service decision based on the authentication source. For example, if someone from country B visits us, there will be a policy that authenticates with EAP-PEAP and will not have any OnGuard policy, and I'll have another policy for our users that will have OnGuard.

    I saw that in the service I can put a rule based on authentication source; I was wondering if that works.

    [screenshot: Capture.JPG]

    Or I don't know if I'm complicating this too much and I could just put it in one service and just in the enforcement conditions tell it: if the user is using this authentication source then just do this. But I'm not sure if the "Use cached Roles and Posture attributes from previous sessions" option will affect it in any way if I got both things on the same service.

    Cheers

    Carlos



  • 2.  RE: Selecting a service depending on authentication source

    EMPLOYEE
    Posted Jun 25, 2020 03:16 PM

    Hi,

    In your service policy, you can match on the NAD IP address belonging to a device group as part of your service. Accordingly, you can apply different policies based on the matched service.

    [screenshot: ayman_mukaddam_0-1593112460225.png]

    So you can create different device groups:

    [screenshot: ayman_mukaddam_1-1593112503674.png]

     



  • 3.  RE: Selecting a service depending on authentication source

    Posted Jun 25, 2020 03:35 PM

    Hello Ayman

    Thanks for your reply, but in my case that does not apply: if the users from country B come to country A, the NAD of the ClearPass in country A is only the controller of country A.

    We use the same name of the SSID as country B.

    Both controllers are completely separated; both are master controllers.

    The only thing we are doing is that in our ClearPass we are adding their DC as an authentication source, and they are adding our DC as an authentication source, so we can use them.

    The thing is, it's like the same company but they are not at the same time... it's kind of confusing but it's like that. They are like sister companies, that's why they got everything separated like that, but they share some stuff too.

    Cheers

    Carlos

     



  • 4.  RE: Selecting a service depending on authentication source

    EMPLOYEE
    Posted Jun 25, 2020 03:51 PM

    Hi,

    Yes, you can use your logic based on authentication source. This is fully supported.

    In my lab, for example, I have this role mapping to match on which authentication source was used.

    [screenshot: ayman_mukaddam_0-1593114414940.png]

    Then I used the roles in my enforcement policy.

    You can do the same directly in your enforcement policy. In your case, in your enforcement policy you will not check / will ignore the Tips Posture for the other site (based on your requirements).

     



  • 5.  RE: Selecting a service depending on authentication source

    Posted Jun 25, 2020 03:49 PM
    Yes you can. You have to add both AD sources as authorization sources and, to make it simpler, create role (tag) mappings based on the AD source: EMPLOYEE-A and EMPLOYEE-B.

    Once you do that, you can create policies using those role mappings, for example:
    - EMPLOYEE-B with no OnGuard (Unknown posture) = Allow Access
    - EMPLOYEE-A with Healthy Posture = Allow Access
    - EMPLOYEE-A with Quarantine Posture = Quarantine Access




    Thank you

    Victor Fabian

    Pardon typos sent from Mobile
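To sanity-check the rule order Victor describes, here is an added Python model (not ClearPass code, and not from anyone in the thread) of the role-mapping and first-match enforcement stages; the authentication-source names, the closed default profile and the LOOSE_RULES variant are assumptions. It shows why the Unknown-posture rule must be tied to EMPLOYEE-B: left unscoped, a country A device with no OnGuard agent would also get Allow Access.

```python
"""Offline model of the role-mapping + enforcement logic from the thread.

Added illustration, not ClearPass code: it mimics ClearPass's top-down,
first-match rule evaluation so the rule order can be sanity-checked.
Auth-source names, DEFAULT_PROFILE and LOOSE_RULES are assumptions.
"""
from dataclasses import dataclass

# Role mapping stage: authentication source that answered -> role tag.
# Tag names come from the thread; the source names are constructed.
ROLE_MAP = {"AD-Country-A": "EMPLOYEE-A", "AD-Country-B": "EMPLOYEE-B"}

# Enforcement rules, evaluated top-down, first match wins ("*" = any role).
# Country B has no OnGuard licence, so its users only report UNKNOWN posture.
STRICT_RULES = [
    ("EMPLOYEE-B", "UNKNOWN",    "Allow Access"),
    ("EMPLOYEE-A", "HEALTHY",    "Allow Access"),
    ("EMPLOYEE-A", "QUARANTINE", "Quarantine Access"),
]

# Same intent written carelessly: the Unknown-posture rule is not scoped
# to EMPLOYEE-B, so it also matches country A users with no agent.
LOOSE_RULES = [
    ("*",          "UNKNOWN",    "Allow Access"),
    ("EMPLOYEE-A", "HEALTHY",    "Allow Access"),
    ("EMPLOYEE-A", "QUARANTINE", "Quarantine Access"),
]

DEFAULT_PROFILE = "Deny Access"  # assumption: closed default


@dataclass(frozen=True)
class Request:
    auth_source: str  # AD that actually authenticated the user
    posture: str      # HEALTHY, QUARANTINE or UNKNOWN (no OnGuard agent)


def map_roles(req: Request) -> set:
    """Derive role tags from the authentication source (empty = unknown AD)."""
    role = ROLE_MAP.get(req.auth_source)
    return {role} if role else set()


def enforce(req: Request, rules=STRICT_RULES) -> str:
    """Return the enforcement profile of the first rule that matches."""
    roles = map_roles(req)
    for role, posture, profile in rules:
        if (role == "*" or role in roles) and posture == req.posture:
            return profile
    return DEFAULT_PROFILE
```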


  • 6.  RE: Selecting a service depending on authentication source

    Posted Jun 25, 2020 03:58 PM

    Thanks Victor!!

    I will try that! Seems like a really easy solution.

     

    Thanks again!!!

     

    Cheers

    Carlos