Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

What happens behind the scenes with "[Allow Access Profile]"

  • 1.  What happens behind the scenes with "[Allow Access Profile]"

    Posted Nov 15, 2018 11:45 AM

    I am reverse-engineering a ClearPass install and config that another admin completed. One thing I've run into is that assigning the default enforcement profile [Allow Access Profile] allows access AND sets the "Aruba-User-Role" on the Aruba controller to "authenticated". Is there anything else happening under the hood? What actually happens when "[Allow Access Profile]" is enforced?

    Finally, is there a flow chart somewhere that shows all of the decisions ClearPass makes and how a service is affected (i.e., Service profiles to Roles to Role mappings to Enforcement profiles to Aruba-User-Roles, etc.)?

    Any help is appreciated!



  • 2.  RE: What happens behind the scenes with "[Allow Access Profile]"

    EMPLOYEE
    Posted Nov 15, 2018 11:55 AM
    Allow Access simply sends back an Access Accept. If you're returning any other RADIUS attributes, the Allow Access Profile is not necessary.


  • 3.  RE: What happens behind the scenes with "[Allow Access Profile]"

    Posted Nov 15, 2018 01:12 PM

    What do you mean by "If you're returning any other RADIUS attributes"?

    Again, I'm new to ClearPass in general. Also, is there no flow chart?



  • 4.  RE: What happens behind the scenes with "[Allow Access Profile]"

    EMPLOYEE
    Posted Nov 15, 2018 01:20 PM
    If you return other enforcement profiles that contain other RADIUS VSAs, then allow access is redundant and not needed. It is only used when you're not returning anything back to the NAS.


  • 5.  RE: What happens behind the scenes with "[Allow Access Profile]"

    Posted Nov 15, 2018 02:35 PM

    I set up a test service and I've attached an image below. I'm not using Roles at all, and when I connect to the network (SSID-Name) with the user "TEST-USER" and provide proper AD credentials, I get authenticated and, on the Aruba controller, I get assigned the Aruba-User-Role "authenticated". That's what I'm trying to figure out.

    Where is that role "authenticated" coming from? As far as I can tell with my settings, all that's happening is the [Allow Access Profile] is being applied because that day-of-the-week condition will always be true.

    [Attached image: Clearpass.jpg]



  • 6.  RE: What happens behind the scenes with "[Allow Access Profile]"
    Best Answer

    EMPLOYEE
    Posted Nov 15, 2018 02:39 PM
    'authenticated' is likely set as the default 802.1X role on the controller in the AAA profile.
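
Added example, not part of the thread and not ClearPass or controller code: a Python sketch that parses constructed RADIUS Access-Accept packets to show that a bare accept (what the replies say [Allow Access Profile] sends) carries no Aruba-User-Role, so the role falls back to the default 802.1X role. The helper names, the sample packets and the simplified "server-supplied role, else default" model are assumptions; the vendor ID 14823 and VSA type 1 come from the public Aruba RADIUS dictionary.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26     # RADIUS attribute type that carries VSAs
ARUBA_VENDOR_ID = 14823  # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1      # Aruba-User-Role in the Aruba dictionary

def build_accept(identifier, attributes=b""):
    """Constructed Access-Accept; authenticator is zeroed (illustration only)."""
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, identifier,
                         20 + len(attributes), b"\x00" * 16)
    return header + attributes

def aruba_role_vsa(role):
    """Encode Aruba-User-Role as a Vendor-Specific attribute."""
    value = role.encode()
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def returned_role(packet):
    """Return the Aruba-User-Role carried in the packet, or None if absent."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub = value[4:]
            while vendor == ARUBA_VENDOR_ID and len(sub) >= 2:
                stype, slen = sub[0], sub[1]
                if slen < 2 or slen > len(sub):
                    raise ValueError("bad sub-attribute length")
                if stype == ARUBA_USER_ROLE:
                    return sub[2:slen].decode()
                sub = sub[slen:]
        pos += alen
    return None

def effective_role(packet, default_dot1x_role):
    """Simplified model (assumption): server-supplied role, else AAA profile default."""
    return returned_role(packet) or default_dot1x_role
```

Running the same check against a packet capture of the real Access-Accept is a quick way to confirm whether a role seen on the controller came from the RADIUS server or from the AAA profile default.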