Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

  • 1.  Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

    Posted Jun 26, 2015 08:35 AM

    Hi everyone,


    (Please be warned, I'm extremely new to using Aruba CPPM, so if my question seems painfully basic, you'll know why.)


    We have a cluster of 2 CPPM appliances in our environment that have done very basic authentication (EAP-PEAP, MSCHAPv2) across many different domains for wireless access. The way that it is deployed today is as follows:


    1. User attempts to join our wireless network.
    2. CPPM identifies the user based on their domain, and then looks to see if they belong to a certain AD user group (this is done within various Role Mappings).
    3. If they belong to this group (varies slightly per-domain), then CPPM grants them the default "Allow Access" profile for RADIUS.

    Yes, it's very, very simple. This environment was set up for us many years ago by a consultant, and has seen zero improvement/tweaking since then. As I've inherited it, I'd like to improve upon the level of security we have today, as anyone can bring ANY device into our environment and join it to our corporate wireless network, as long as the user account they use to log in (where required; for example, on an Android device/iPhone) is a member of the proper AD user group.


    What I'm interested in doing is requiring a user authentication request to only be permitted if (1) the user him or herself is a member of a specific AD user group, and (2) the computer they are using (corporate-provided) is a member of a specific AD computer group. Does that make sense (I hope)?


    Please note that we are NOT using Aruba's wireless hardware, or solution of any kind. We're using Cisco Meraki APs that are pointing to Aruba CPPM for RADIUS authentication. So, it's a very limited deployment, Aruba-specific-wise.


    Presently, I'm struggling with how to identify computers, and their AD group membership. It seems that (given our present configuration) I can only identify user-based attributes, since that is what I'm primarily searching in AD for. But, surely there has to be a way to identify computer AD group membership. I just need a way to identify computer attributes (and the computer the user is using to authenticate) as well.


    Please let me know if there is more info I should be providing you that might help you to answer my question here.


    Many, many thanks for your help in advance.



  • 2.  RE: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

    EMPLOYEE
    Posted Jun 26, 2015 08:54 AM
    This is a fairly advanced scenario. You essentially have to update the endpoint database with a custom attribute that says the computer is in the specific group, since we can't obtain that information during a user authentication.

    Are you working with an Aruba partner?


  • 3.  RE: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

    Posted Jun 26, 2015 09:28 AM

    Hello!


    As Tim said, that's a fairly advanced scenario, though not necessarily complex to implement.

    One reason why you're only seeing User attributes might be that the clients themselves are configured to only do User authentication. Change a client to do "Machine or User authentication" and you should start getting some more data in Access Tracker you can use. There are several guides on this forum for how to work with machine authentication.



  • 4.  RE: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?
    Best Answer

    EMPLOYEE
    Posted Jun 26, 2015 09:57 AM

    This should help you get started:

    crescent_rolemap.PNG

    crescent_enforcement.PNG



  • 5.  RE: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

    Posted Jun 26, 2015 01:52 PM

    These are both very solid starting points -- thank you both for your help and answers.


    I need to spend some time playing with the info that a client machine will send CPPM, because as it stands, I'm not getting anywhere near the info I should be getting (as I'm using only "User authentication" under my wireless network's Advanced Settings; I should be using "User and machine authentication" instead).


    Will let you know how I make out. Thanks again, and hope you both have a great weekend.



  • 6.  RE: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

    Posted Jul 20, 2015 08:29 PM

    I have a very similar scenario where I want user authentication, and the computer that they are using checked to see if it has an AD account.


    Did you get yours working?



  • 7.  RE: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

    EMPLOYEE
    Posted Jul 20, 2015 08:31 PM
    The screenshots above should help you...


  • 8.  RE: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

    Posted Nov 19, 2015 11:04 AM

    Hey @Goofoff,


    I only just now began testing this, but so far, I haven't had much luck. One of the issues I'm having right now is how to tell CPPM to check AD, to see if the machine doing the authentication is in the desired AD group. The problem with doing this is, what exactly do I tell CPPM to check based on? In other words, how would CPPM know anything about the machine, other than its MAC address? (It wouldn't.)


    So, I'm trying to figure out a way to take the endpoint itself (the machine), and then somehow query AD to find out if the machine is in the desired AD group.


    If anyone has any suggestions... please let me know. I'm pretty stuck at the moment.



  • 9.  RE: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

    EMPLOYEE
    Posted Nov 19, 2015 11:08 AM

    So you're looking to use Machine authentication data during the User authentication?



  • 10.  RE: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

    Posted Nov 19, 2015 11:24 AM

    Hi Tim,


    Yes, that's correct. Ideally, I'd authenticate the user, and then simultaneously "check" if the machine is in a specific AD group. If the latter is true, then the Allow Access Profile will be applied. If not, then the entire authentication/authorization attempt will fail.


    Does that make sense? Is that even feasible?



  • 11.  RE: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

    EMPLOYEE
    Posted Nov 19, 2015 11:27 AM

    You essentially need to cache the machine authorization info (OU, groups, etc) into the Endpoint record so that you can leverage it during the User authentication.
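    The two-phase approach described in this reply, as an added simulation that is not ClearPass code and not from anyone in this thread: a machine authentication writes the computer's AD groups into an endpoint record keyed by MAC, and a later user authentication from the same MAC is allowed only when both the user group and the cached computer group match. The group names, the in-memory endpoint store and the 24-hour cache lifetime are constructed assumptions.

```python
"""Added illustration, not ClearPass code: simulates the two-phase flow described above.
Phase 1, a successful machine authentication caches the computer's AD groups in the
endpoint record keyed by MAC. Phase 2, a later user authentication from that MAC is
allowed only if the user AND the cached computer record are in the required groups."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

MACHINE_AUTH_MAX_AGE = timedelta(hours=24)  # assumption: cached machine auth lifetime

@dataclass
class Endpoint:
    mac: str
    machine_groups: Set[str] = field(default_factory=set)
    machine_auth_at: Optional[datetime] = None

class EndpointDb:
    """Stand-in for the CPPM endpoint database, keyed by normalised (lower-case) MAC."""
    def __init__(self) -> None:
        self._rows: Dict[str, Endpoint] = {}

    def get(self, mac: str) -> Optional[Endpoint]:
        return self._rows.get(mac.lower())

    def upsert(self, ep: Endpoint) -> None:
        self._rows[ep.mac.lower()] = ep

def on_machine_auth(db: EndpointDb, mac: str, computer_groups: Set[str], now: datetime) -> None:
    """Phase 1: copy the computer's AD group membership into the endpoint record."""
    ep = db.get(mac) or Endpoint(mac=mac.lower())
    ep.machine_groups = set(computer_groups)
    ep.machine_auth_at = now
    db.upsert(ep)

def on_user_auth(db: EndpointDb, mac: str, user_groups: Set[str], now: datetime,
                 required_user_group: str, required_computer_group: str) -> Tuple[str, str]:
    """Phase 2: pick the enforcement profile from the user's groups plus cached machine data."""
    if required_user_group not in user_groups:
        return "Deny Access", "user not in required AD user group"
    ep = db.get(mac)
    if ep is None or ep.machine_auth_at is None:
        return "Deny Access", "no machine authentication cached for this MAC"
    if now - ep.machine_auth_at > MACHINE_AUTH_MAX_AGE:
        return "Deny Access", "cached machine authentication is stale"
    if required_computer_group not in ep.machine_groups:
        return "Deny Access", "computer not in required AD computer group"
    return "Allow Access", "user and computer both authorised"
```

Without a prior machine authentication for the MAC (a personal phone or tablet, for instance) the user authentication is denied even when the user account is in the right group, which is exactly the gap the original poster wants to close.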



  • 12.  RE: Using Aruba CPPM to authenticate a user based on user AND computer AD group membership?

    Posted Nov 19, 2015 11:23 AM

    I should also mention that I'm working through this guide right now, for testing purposes, to see how close it gets me to what I'm after (based on the initial description/overview, it looks really close):

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass/td-p/208471


    Hope this helps you, @Goofoff.