Security

I'm looking to enhance our existing 802.1X service. We place all devices into a shared pool. I've built device registration using ClearPass guest. What I'm looking to do is leverage the device registration so that when an 802.1X authentication completes successfully, ClearPass looks to see if it is a registered device and if so, implement policy based on that registration.

I've added the "[Guest Device Repository]" as an additional authorization source, and also tried adding a reference to the Guest Device Repository in my role mapping. However it seems the only attributes pulled out of the guest device repository are "Account Status" and "Sponsor Name". Is it expected that I add additional SQL filters to the [Guest Device Repository] in order to leverage the other items used in the guest registration page(s)? In <6.3.x, I could see all the attributes associated with a registered device from CPPM's perspective. Now that the "Guest Users" and "Guest Devices" has been removed, the CPPM perspective of atributes is invisible to me.

How is it suggested I make this work?

You could apply a custom attribute (Post Authentication Enforcement Profile)  "Register=Yes" to the Endpoint database on the Service you are using to Guest registration page  and once the device gets register and then use that attribute to make any decisions

Ryan - When you add the Guest User Repository, you should be able to use all of these attributes:

Ah, I was using the "Authorization:[Guest User Repository]" instead of just "GuestUser". Thanks for pointing that out. I'll play around with this now and should be able to get it to work.

Old post, but.. Did you ever get this to work - and if so - how? I'm looking at the exact same scenario..

I'm not getting any GuestUser values to use for authorization.

Been trying this back and forth with no success. Contacted Aruba TAC and still unable to get this to work.

So - I'm down to using Static Host List instead, which works - even tho it's not ideal.

If this is doable - please share the details ;)

Sorry you're having issues. I just looked in my lab and with "GuestUser", I have all the custom attributes I created (e.g., "osu_affiliation"). See the screen shot.

I also went into the guest side for that field and took screen shots in hopes that it helps you. Perhaps it has to be a certain type of field (e.g., string)?

Thanks for the reply Ryan.

Problem isn't to create the rule, but actually getting those attributes during the auth process for the rule to match against.

In my service I've added both [Guest device repository] and [Guest User Repository] as Authorization sources. AD is authentication/authorization source.

I created the device in Guest as Guest Device (with a custom field).

Connecting the device to the 802.1x SSID triggers the service and all wanted attributes from AD and [Guest Device Repository]. No attributes are available/visible in Access Tracker from [Guest User Repository], and thus the rule can not get a match for them.

So I'm wondering what else you had to do to actually get those attributes 

Ryan, ok I understand that you have a different process for this than I have. While you have some sort of self-registration mactrac thing going on, I want to pre-register the device with some attributes linking the device to the user.

Tim, problem is that role_id is not available in the tips_user_db. My Aruba TAC contact wasn't able to figure out in which table it was either, but hopefully he will find a way. Perhaps you already know?

This isn't exactly what you're looking for but it's a good example of how to join the informations from the different tables to get the role_id.

SELECT 'NOPASSWORD' AS User_Password,
CASE WHEN enabled = FALSE THEN 225
    WHEN ((expire_time is not null AND expire_time <= now())) THEN 226
    ELSE 0
END AS Account_Status, sponsor_name, t2.tag_value AS role_id
FROM tips_guest_users g
LEFT JOIN tips_guest_user_tag_mappings t1 ON (g.id = t1.instance_id)
LEFT JOIN tips_tag_values t2 ON (t1.tag_value_id = t2.id)
WHERE (g.guest_type = 'DEVICE')
  AND (g.user_id = UPPER('%{Connection:Client-Mac-Address-Hyphen}'))
  AND (t2.tag_id = (SELECT id FROM tips_tag_definitions WHERE name = 'Role ID' AND entity_id = (SELECT id FROM tips_dic_internal WHERE dic_prefix = 'GuestUser')));

Tim, that is awsome!

I manually created a copy of the [Guest Device Repository] and did some small adjustments to the SQL you provided and voila - I got the darn role_id attribute to authorize my devices!

I found just one reference on google to that SQL you provided so it's a **bleep** well kept secret you dug up there!

Thanks a bunch!

Thanks to @SethFiermonti on this one as well.

We are having issues with the custom query when upgrading to CPPM 6.6.  As noted the tips_guest_user_tag_mappings/values are now mostly stored in the attributes blob for an entry in the tips_guest_users table.  I've updated the query with what I think is the appropriate SQL.

SELECT 'NOPASSWORD' AS User_Password, 
  CASE 
    WHEN enabled = FALSE THEN 225 
    WHEN ((expire_time is not null AND expire_time <= now())) THEN 226 
    ELSE 0 
    END AS Account_Status, 
    sponsor_name, 
    attributes->>'Role ID' AS role_id 
  FROM tips_guest_users g 
  WHERE (g.guest_type = 'DEVICE') 
    AND (g.user_id = UPPER('%{Connection:Client-Mac-Address-Hyphen}'));

I completely removed the second AND in the WHERE clause for two reasons:

1. I couldn't find the tips_tag_values.tag_id column or its like anywhere in the updated database
2. That second AND statement seemed like it was just trying to validate that the Role ID for a device was actually a GuestUser role.  Maybe I'm being ignorant but that seems a bit redundent given the datasource.

Here is the removed AND statement (same as Tim's post).  Any idea if I should be validating it some other way?

...
AND (t2.tag_id = 
        (SELECT id 
        FROM tips_tag_definitions 
        WHERE name = 'Role ID' 
          AND entity_id = 
              (SELECT id 
              FROM tips_dic_internal 
              WHERE dic_prefix = 'GuestUser')

Aaron - is this for the Enterasys MAC-auth workaround?

Yes, exactly!  I'm impressed you remembered.

Try this:

- In the auth source, add a new filter and call it Authorization Custom Queries.

- Use this SQL query:

SELECT tgu.attributes->>'Role ID' AS role_id FROM tips_guest_users as tgu WHERE tgu.guest_type = 'DEVICE' AND tgu.user_id = UPPER('%{Connection:Client-Mac-Address-Hyphen}')

- Add the role_id attribute like shown below (ignore the filter name):

You can then use that in your policy.

Thanks Tim, that pretty much validates what I assumed about getting the role ID from the attributes blob. I'll do some testing and post back if there is any issue.

Hey Tim. How does the SQL query change if checking the Guest User rather than the Guest Device repository?

@cappalli wrote:

Try this:

 

- In the auth source, add a new filter and call it Authorization Custom Queries.

- Use this SQL query:

 

SELECT tgu.attributes->>'Role ID' AS role_id FROM tips_guest_users as tgu WHERE tgu.guest_type = 'DEVICE' AND tgu.user_id = UPPER('%{Connection:Client-Mac-Address-Hyphen}')

- Add the role_id attribute like shown below (ignore the filter name):

 

 

You can then use that in your policy.

 

Sorry to resurect an old thread, but it's still one of the top results when searching for using the guest user role ID in the authorization policy.

For some reason using this query adds significant latency (150 ms) to the authentication process.  This hasn't mattered much in the past, but Apple seems to have changed something in how Mac OS 10.12 and 10.13 processes the 802.11 association request/response.  In short, if there is more than 300 ms latency in this process the device will fail to associate.

We were able to make the guest user role ID usable in the role mapping and enforcement policies by moving up the [Guest Device Repository] to the top of the list of authentication sources.  This step is important, because once ClearPass finds an authentication source (as of 6.6.7), it will stop looking at any of the other defined sources. 

Then in the role mapping policy, use the GuestUser type with the RoleID attribute to map the role ID to a specific user role.

Hopefully someone else finds this useful.

Thanks

Yes, correct. [Guest Device Repository] should always be at the top. Also, you shoud NOT have [Time Source] or [Guest User Repository] as authentication sources in a MAC authentication service.

Hey Tim,

What would the SQL query be if we were looking at the role_name instead of role_id?

The use case is the same as for role_id, but its easier to understand in the role mapping policy if the device's role is there instead of just id, although, I guess that's what "Role Mapping" is for? Still curious if you wouldn't mind.

Thanks.

You need to use role_id either directly in policy or via role mapping.

Also, this thread is very dated. These queries are built in to 6.7+.

Good to know, I wasn't aware these have become available. We're planning on upgrading in February, so that will make life easier.

Thanks letting me know that

Hoping this is still relevant.

Came across this issue just this morning as I wanted to use the Guest Device Respository for authorisation, specifically tagerting the Role ID. I'm using 6.6 and it appears the tips_guest_user_tag_mappings structure has been replaced by utilising the "attributes" field in JSONB format in the tips_guest_users table.

After some work, I managed to pull back the Role_ID from the attribute field using the below by adding the device_role attribute to the existing filter:

SELECT user_credential(password) AS User_Password, CASE WHEN enabled = FALSE THEN 225 WHEN ((expire_time is not null AND expire_time <= now())) THEN 226 ELSE 0 END AS Account_Status, sponsor_name, CASE WHEN expire_time > now() THEN CAST(EXTRACT(epoch FROM (expire_time - NOW())) AS INTEGER) ELSE 0 END AS remaining_expiration, attributes->>'Role ID' as device_role FROM tips_guest_users WHERE ((guest_type = 'DEVICE') AND (user_id = UPPER('%{Connection:Client-Mac-Address-Hyphen}')))

Hope this helps!