Contributor II

Web/MAC auth tied to specific auth source and AP-group.

So multi-building, multi-campus environment here.

 

I have had a web/MAC auth service up and running for our guest/legacy device network. It states the following:

 

OPENSSID-ROLE

1. (Endpoint:Username EXISTS ) [MAC Caching]

2. (Authentication:Source EQUALS [FACSTAFF AD]) [Facstaff]

3. (Authentication:Source EQUALS [MISC USERS MSSQL]) [SQL]

4. (Authentication:Source EQUALS [STUDENT AD]) [Student]

5. (Authentication:Source EQUALS [Guest User Repository]) [Guest]

 

ENFPOLICY

1. (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 3) [Deny Access Profile]

2. (Tips:Role EQUALS [Facstaff])  AND  (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS1) [CAMPUS1 Guest Role], MACAUTHSTUFF

3. (Tips:Role EQUALS [Student])  AND  (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS1) [CAMPUS1 Guest Role], MACAUTHSTUFF

4. (Tips:Role EQUALS [Guest])  AND  (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS1) [CAMPUS1 Guest Role], MACAUTHSTUFF

5. (Tips:Role EQUALS [Facstaff])  AND  (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS2) [CAMPUS2 Guest Role], MACAUTHSTUFF

6. (Tips:Role EQUALS [Student])  AND  (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS2) [CAMPUS2 Guest Role], MACAUTHSTUFF

7. (Tips:Role EQUALS [Guest])  AND  (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS2) [CAMPUS2 Guest Role], MACAUTHSTUFF

8. (Tips:Role EQUALS [SQL])  AND  (Connection:NAD-IP-Address BELONGS_TO_GROUP CAMPUS2) [CAMPUS2 SQL Role], MACAUTHSTUFF

 

My issue is the following. The SQL auth source contains a subset of users that rent spaces from us for six or so months at a time. I want to be able to web/MAC auth (we require re-logins every 8 hours) them like I do everyone else, but I only want them to be able to do their initial login from two buildings in particular (where they rent space). I copied my original service, moved the copy above the original, and put a Radius:Aruba Aruba-AP-Group EQUALS BUILDING-AP-GROUP in the service.

 

I haven't enabled the service yet, but my first thought is that users from all auth sources go into BUILDING-AP-GROUP. If they hit my newly created service, they'll just fail auth I think and never roll down to the next (original) service where they would normally work.

 

Thoughts?

Guru Elite

Re: Web/MAC auth tied to specific auth source and AP-group.

Are there any other users in that SQL source other than those unique ones?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: Web/MAC auth tied to specific auth source and AP-group.

Nope. Every 4-6 months they're going to forward us class rosters (smaller colleges hosting distance learning in our shell spaces) and we'll add/remove from the SQL DB as necessary. It's completely separate from our facstaff/students and traditional guest users.

Guru Elite

Re: Web/MAC auth tied to specific auth source and AP-group.

You should be able to use a rule that checks the auth source and AP-group and move it to rule #2.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: Web/MAC auth tied to specific auth source and AP-group.

For the enforcement policy there isn't a CONNECTION -> AP-GROUP, but there is a CONNECTION -> AP-NAME. I'm guessing a BEGINS_WITH would probably work in this situation? Or did you mean something else entirely? :)

Guru Elite

Re: Web/MAC auth tied to specific auth source and AP-group.

You would need to do a role map to use the radius Aruba ap-group data. Then reference that TIPS role in your enforcement along with the auth source.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: Web/MAC auth tied to specific auth source and AP-group.

1. (Authentication:Source EQUALS [AD]) [Facstaff]
2. (Authentication:Source EQUALS [EAD]) [Student]
3. (Authentication:Source EQUALS [Guest User Repository]) [Guest]
4. (Authentication:Source EQUALS [MSSQL]) AND (Radius:Aruba:Aruba-AP-Group EQUALS C1-B14) [SQL]

 

I added the AP-Group RADIUS flag in my role mapping as suggested; however, when testing in a different building (C1-B10, etc.) using my MSSQL creds, ClearPass passed me through as a guest user.

 

Policies Used -
Service:
[AccessSSID]
Authentication Method:
PAP
Authentication Source:
Sql:IP-HERE
Authorization Source:
[Endpoints Repository], [MSSQL]
Roles:
[Guest], [User Authenticated]
Enforcement Profiles:
[Guest Role]
Service Monitor Mode:
Disabled
Online Status:
 Online

 

I guess my understanding of role mappings isn't quite there yet. Since I have the AND operator in the role mapping I thought that if it didn't meet both reqs the auth would just fail. Is that not correct?

Guru Elite

Re: Web/MAC auth tied to specific auth source and AP-group.

The role is likely being cached. I'm re-thinking this a bit.


You might be better off duplicating your service and checking for the AP-group in your service rule. Then remove the authentication source in the old (regular) service.

 

Make sure the new service (with AP-group) is above the old service.

 

[attached image: service-rule-apgroup.JPG]

 


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: Web/MAC auth tied to specific auth source and AP-group.

As I have two separate AP-Groups that the MSSQL users need to be able to auth from, would I have to build two separate services?

 

My original worry with building out a new service was that if an AD/EAD user hits this service by way of connecting to the AP-Group specified by the service, they would get rejected as they don't fall into the MSSQL auth source. I figured they wouldn't make it down to the next AccessSSID service.

 

I need to get a lab setup!

Guru Elite

Re: Web/MAC auth tied to specific auth source and AP-group.

For the multiple AP-groups, use the belongs-to operator:

 

[attached image: aruba-ap-group_belongs-to.JPG]

 

Is there anything unique about the usernames in the database that we can key on? Like a guest- prefix? How about something that isn't in a normal username (for example a period: tcappalli vs tim.cappalli)?
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

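The two service layouts discussed in this thread (a copied service that only carries the MSSQL source, versus Tim's suggestion of a new AP-group service that keeps every auth source while the old service drops MSSQL) can be reasoned through with a small model of first-match service selection, ordered authentication sources, and source-based role mapping. The following is an added illustration written for this page, not ClearPass code or anything posted by the participants; the credential stores, usernames, the second rental AP-group name `C2-B03`, and the collapsed enforcement step (role plus campus string instead of the full ENFPOLICY table) are all constructed assumptions. It does capture the behaviour the thread turns on: once a service is selected, a failed authentication is a reject, with no fall-through to the next service.

```python
"""
Toy model of ClearPass-style policy evaluation: first-match service selection
(no fall-through once a service is chosen), authentication against the selected
service's ordered auth sources, role mapping from Authentication:Source, and a
simplified enforcement decision. Constructed example; not ClearPass code.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed credential stores standing in for the thread's auth sources.
AUTH_SOURCES = {
    "FACSTAFF AD": {"jdoe": "pw-ad"},
    "STUDENT AD": {"astudent": "pw-ead"},
    "MISC USERS MSSQL": {"renter1": "pw-sql"},
    "Guest User Repository": {"guest-visitor": "pw-guest"},
}

# Role mapping: Authentication:Source -> Tips:Role (mirrors OPENSSID-ROLE).
ROLE_BY_SOURCE = {
    "FACSTAFF AD": "Facstaff",
    "STUDENT AD": "Student",
    "MISC USERS MSSQL": "SQL",
    "Guest User Repository": "Guest",
}


@dataclass
class Request:
    username: str
    password: str
    ap_group: str    # Radius:Aruba:Aruba-AP-Group sent by the controller
    nad_group: str   # group the NAD IP belongs to (CAMPUS1 / CAMPUS2)


@dataclass
class Service:
    name: str
    ap_groups: Optional[Set[str]]   # None = no AP-group rule (matches any group)
    auth_sources: List[str]         # ordered, as in the service's Authentication tab

    def matches(self, req: Request) -> bool:
        # BELONGS_TO semantics: the request's AP group is in the configured set.
        return self.ap_groups is None or req.ap_group in self.ap_groups


def select_service(services, req):
    """First service whose rules match wins; later services are never consulted."""
    for svc in services:
        if svc.matches(req):
            return svc
    return None


def authenticate(svc, req):
    """Try the selected service's sources in order; return the matching source or None."""
    for src in svc.auth_sources:
        if AUTH_SOURCES[src].get(req.username) == req.password:
            return src
    return None


def evaluate(services, req):
    svc = select_service(services, req)
    if svc is None:
        return ("REJECT", "no service matched", None)
    src = authenticate(svc, req)
    if src is None:
        return ("REJECT", svc.name, None)   # no fall-through to the next service
    role = ROLE_BY_SOURCE[src]
    profile = f"{req.nad_group} {'SQL' if role == 'SQL' else 'Guest'} Role"
    return ("ACCEPT", svc.name, profile)


ALL_SOURCES = list(AUTH_SOURCES)
RENTAL_AP_GROUPS = {"C1-B14", "C2-B03"}   # C2-B03 is a hypothetical second building

# Layout A: the copied service carries only MSSQL. Anyone in the rental buildings who
# is not in MSSQL is rejected (the concern raised in the thread), and MSSQL users are
# still accepted everywhere else because the original service keeps that source.
LAYOUT_A = [
    Service("AccessSSID-Rental", RENTAL_AP_GROUPS, ["MISC USERS MSSQL"]),
    Service("AccessSSID", None, ALL_SOURCES),
]

# Layout B: new service keeps every source plus the AP-group rule; old service drops MSSQL.
LAYOUT_B = [
    Service("AccessSSID-Rental", RENTAL_AP_GROUPS, ALL_SOURCES),
    Service("AccessSSID", None, [s for s in ALL_SOURCES if s != "MISC USERS MSSQL"]),
]

CASES = [
    Request("jdoe", "pw-ad", "C1-B14", "CAMPUS1"),      # AD user inside a rental building
    Request("renter1", "pw-sql", "C1-B14", "CAMPUS1"),  # MSSQL user inside a rental building
    Request("renter1", "pw-sql", "C1-B10", "CAMPUS1"),  # MSSQL user elsewhere
    Request("jdoe", "pw-ad", "C1-B10", "CAMPUS1"),      # AD user elsewhere
]


def run_all(layout):
    return [evaluate(layout, r) for r in CASES]


if __name__ == "__main__":
    for label, layout in (("A", LAYOUT_A), ("B", LAYOUT_B)):
        for req, result in zip(CASES, run_all(layout)):
            print(label, req.username, req.ap_group, result)
```

Running it shows why layout A does not achieve the goal (the AD user in C1-B14 is rejected outright, while the MSSQL user is still accepted from C1-B10), whereas layout B accepts everyone in the rental buildings, restricts the MSSQL users to those buildings, and leaves every other user unaffected; the remaining caveat from the thread is MAC caching, which this model does not include.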