Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Using AD Attributes to authenticate users at one location vs another

  • 1.  Using AD Attributes to authenticate users at one location vs another

    Posted Sep 04, 2015 03:44 PM

    I have a deployment where I would like to use a specific AD attribute to authenticate users at one particular location if their attribute matches a particular number.

    Therefore all users having this attribute along with this number are allowed to authenticate at location A and nowhere else.

    Users at location B will have the same attribute but with a different number.

    The number can be a store #, dealer #, something that identifies which location they belong to.

    Not too sure how to go about configuring this. We are using EAP-PEAP MSCHAPv2 to authenticate the users. I assume somewhere in the enforcement profile I will be validating against the attribute, whether it exists and checking the value, and then how do I go about linking that number to the location?

    The other thing is that if the attribute contains a specific word, let's say 'allow', then this user can authenticate at all the locations.

    I know this is possible but not too sure how to implement right now.



  • 2.  RE: Using AD Attributes to authenticate users at one location vs another
    Best Answer

    EMPLOYEE
    Posted Sep 04, 2015 03:47 PM
    Create a custom device attribute and add the same value to the NAD entries. So if location A was value 1, then add a custom attribute to the NADs in that location with a value of 1.

    Then you can just write a two rule policy. One that checks if those two values match. Another that looks for the all value.


    Thanks,
    Tim


  • 3.  RE: Using AD Attributes to authenticate users at one location vs another

    Posted Sep 04, 2015 04:45 PM
    Thanks, now is that method scalable? I have about 200+ sites.

    I'll give it a shot.


  • 4.  RE: Using AD Attributes to authenticate users at one location vs another
    Best Answer

    EMPLOYEE
    Posted Sep 04, 2015 04:52 PM
    Yes, because you already have the NADs defined, you're just adding a single value. Your enforcement policy can be 2 rules total and handle all of those sites.


    Thanks,
    Tim


  • 5.  RE: Using AD Attributes to authenticate users at one location vs another

    Posted Sep 04, 2015 08:32 PM
    In our environment, I added the location attribute for all of the devices to take preference over the closer regional ClearPass. This is a very useful option.


  • 6.  RE: Using AD Attributes to authenticate users at one location vs another

    Posted Sep 08, 2015 10:17 AM
    OK, thanks.
    Let me give this a shot and post back once I do or run into issues.


  • 7.  RE: Using AD Attributes to authenticate users at one location vs another

    Posted Sep 08, 2015 01:42 PM

    I believe I got it to work.

    Took me a while to fully understand what you were saying Tim, it is not that obvious when you are looking at ClearPass from a n00b point of view but I figured it out.

    [attached image: Untitled.png]

    With these rules, if I modify the NAD to have "national" and my user has 12345, I am denied access; if I change my NAD to 12345, my user can connect.

    This is blowing my mind for such a simple item.

    Thanks all.



  • 8.  RE: Using AD Attributes to authenticate users at one location vs another

    EMPLOYEE
    Posted Sep 08, 2015 01:44 PM
    Your rule would reference the variable for the entry in the device list, not a static value. That allows it to be completely dynamic for each store with only 2 rules.


    Thanks,
    Tim


  • 9.  RE: Using AD Attributes to authenticate users at one location vs another

    Posted Sep 08, 2015 02:18 PM
    Yeah, trying to make it work currently, no success.

    I have it doing something like this
    (Authorization: AD (no proxy):physicalDeliveryOfficeName EQUALS %{physicalDeliveryOfficeName})
     AND  (Device:dealer EQUALS %{dealer})

    (Authorization: AD (no proxy):physicalDeliveryOfficeName EQUALS %{physicalDeliveryOfficeName})
     AND  (Device:dealer EQUALS national)

    Not working yet... will continue to troubleshoot.


  • 10.  RE: Using AD Attributes to authenticate users at one location vs another

    EMPLOYEE
    Posted Sep 08, 2015 02:21 PM
    Well that dealer value is stored as the AD attribute correct?


    Thanks,
    Tim


  • 11.  RE: Using AD Attributes to authenticate users at one location vs another

    Posted Sep 08, 2015 02:30 PM
    The dealer value is stored in the device.

    physicalDeliveryOfficeName is stored as the AD attribute.


  • 12.  RE: Using AD Attributes to authenticate users at one location vs another

    EMPLOYEE
    Posted Sep 08, 2015 02:39 PM
    Right, but those are the two values that should match to allow access, correct?


    Thanks,
    Tim


  • 13.  RE: Using AD Attributes to authenticate users at one location vs another

    Posted Sep 08, 2015 02:45 PM
    Yes, sorry, my bad, I misread your question.

    Those 2 attributes should match for a user connecting at location A; if the user is at location B, they should not connect.

    The "ALL" is fine since every user will have the word "national" as an attribute value.


  • 14.  RE: Using AD Attributes to authenticate users at one location vs another

    EMPLOYEE
    Posted Sep 08, 2015 03:02 PM

    So your first rule would look like this (replacing the attribute names with yours):

    [attached image: pmonardo-dealer.JPG]



  • 15.  RE: Using AD Attributes to authenticate users at one location vs another

    Posted Sep 08, 2015 03:23 PM
    I see where I went wrong. Thanks this worked.

    I'll modify the ALL now.


  • 16.  RE: Using AD Attributes to authenticate users at one location vs another

    Posted Nov 13, 2015 11:05 AM

    [edit] spelling..

    One more quick question regarding this.
    After creating the attribute in the network device.
    In the enforcement policy now where I am checking against the %{Device:dealer} and "national",
    I know this may be trivial, but how would I REGEX for the word national?
    I saw a string like this for example:
    'CH National/ 123 miller avenue'
    Obviously this does not meet the requirements because it does not have the word 'national' only but it contains it.
    Any way to simply regex the crap out of it so the user can authenticate?



  • 17.  RE: Using AD Attributes to authenticate users at one location vs another

    EMPLOYEE
    Posted Nov 13, 2015 11:08 AM

    You should be able to use the MATCHES_REGEX operator.
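To make the two-rule policy from this thread concrete, here is a small Python model of it; this is an added example and not ClearPass code or the poster's actual configuration. It models the EQUALS and MATCHES_REGEX condition operators, resolves the %{Device:dealer} variable from the connecting NAD per request, and runs the 'CH National/ 123 miller avenue' string from the question through a word-boundary regex. The NAD table, the user values and the `\bnational\b` pattern are constructed assumptions; ClearPass's own regex dialect and match semantics should be verified in the product before a pattern is relied on.

```python
import re

# Constructed sample NAD inventory (assumption, not from the thread): each
# network device carries a custom "dealer" attribute holding the store or
# dealer number of the location it is installed at.
NAD_DEALER = {
    "10.1.1.1": "12345",
    "10.2.2.1": "67890",
}

# Constructed sample AD users with their physicalDeliveryOfficeName value.
AD_OFFICE = {
    "alice": "12345",
    "bob": "67890",
    "carol": "CH National/ 123 miller avenue",  # the string quoted in the thread
    "dave": "international 555",                 # 'national' only as a substring
}

# The two-rule enforcement policy from the thread. The left-hand side is
# always the user's AD attribute; the operand is either a variable that is
# resolved per request from the connecting NAD, or a regular expression.
# The word-boundary pattern is an assumption: it deliberately rejects
# substrings such as "international" and accepts "National" inside a longer
# office string.
RULES = [
    ("rule 1: office EQUALS %{Device:dealer}", "EQUALS", "%{Device:dealer}"),
    ("rule 2: office MATCHES_REGEX national", "MATCHES_REGEX", r"\bnational\b"),
]


def resolve(operand, nad_ip):
    """Substitute the %{Device:dealer} variable with the connecting NAD's value."""
    return operand.replace("%{Device:dealer}", NAD_DEALER[nad_ip])


def apply_operator(op, value, operand):
    """Model the two ClearPass condition operators used in the thread."""
    if op == "EQUALS":
        return value == operand
    if op == "MATCHES_REGEX":
        return re.search(operand, value, re.IGNORECASE) is not None
    raise ValueError(f"unsupported operator: {op}")


def evaluate(user, nad_ip, rules=RULES):
    """First-match evaluation: the first rule whose condition holds decides;
    if none does, the default rule denies."""
    office = AD_OFFICE[user]
    for name, op, operand in rules:
        if apply_operator(op, office, resolve(operand, nad_ip)):
            return "ALLOW", name
    return "DENY", "default rule"


# A looser second rule without word boundaries, kept only to show why the
# boundary matters: it would also admit "international 555".
LOOSE_RULES = [RULES[0], ("rule 2 (loose)", "MATCHES_REGEX", "national")]


if __name__ == "__main__":
    for user in AD_OFFICE:
        for nad_ip in NAD_DEALER:
            decision, why = evaluate(user, nad_ip)
            print(f"{user:6} via {nad_ip:9} -> {decision:5} ({why})")
    # The EQUALS operator from post 9 cannot match the longer office string:
    print(apply_operator("EQUALS", AD_OFFICE["carol"], "national"))  # False
    print(evaluate("dave", "10.1.1.1", LOOSE_RULES))                  # ('ALLOW', 'rule 2 (loose)')
```

Running it shows alice allowed only through the NAD whose dealer value equals her office attribute, carol allowed everywhere because of the regex rule, and dave denied under the word-boundary pattern but allowed under the loose one; that last difference is the reason to anchor the pattern rather than match a bare substring.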



  • 18.  RE: Using AD Attributes to authenticate users at one location vs another

    Posted Sep 08, 2015 01:53 PM
    I just need to make it wildcard based so that I don't have to type in the value manually.
    Each location will have a different attribute value, so checking against a static value is not going to work for me.