Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearpass multiple radius class attributes

  • 1.  clearpass multiple radius class attributes

    Posted May 03, 2016 11:04 PM

    Hi all, I'm working on basically a RADIUS to LDAP proxy. I have a list of RADIUS classes that link to LDAP groups. For example:

    class rad_WestSide -> ldap memberOf contains WestSide

    class rad_EastSide -> ldap memberOf contains EastSide

    This way if a user is in LDAP group WestSide then RADIUS class rad_WestSide is sent.

    If user is in LDAP EastSide rad_WestSide is sent.

    The tricky part is if the user is in WestSide AND EastSide.

    I can see I'm matching EP_RAD_WestCoast, EP_RAD_EastCoast in the logs (enforcement policies output looks correct), but the RADIUS accept message only contains rad_WestSide. I have verified with packet capture. If I move my rad_EastCoast enforcement policy to the top it will send instead of WestCoast. I'm thinking only a single enforcement policy can be used but I'm not wrapping my head around how to do this correctly.

    BTW I'm also set to evaluate all.

    It's late, hopefully that made sense. :D



  • 2.  RE: clearpass multiple radius class attributes

    EMPLOYEE
    Posted May 03, 2016 11:07 PM
    Yes, you would want a third enforcement profile that is used if both conditions are met.


  • 3.  RE: clearpass multiple radius class attributes
    Best Answer

    Posted May 03, 2016 11:11 PM

    Well, that isn't really an option as the end game has at least 16 groups. I don't want to spend the next 3 months writing out 65k policies. :)

     

    Are you saying there is no dynamic solution?



  • 4.  RE: clearpass multiple radius class attributes

    EMPLOYEE
    Posted May 03, 2016 11:18 PM
    What radius attribute/VSA are you returning to the NAD? 


  • 5.  RE: clearpass multiple radius class attributes

    Posted May 03, 2016 11:26 PM

    IETF Class (25). 



  • 6.  RE: clearpass multiple radius class attributes

    Posted May 03, 2016 11:29 PM

    Oh and before I forget, thank you for your help!



  • 7.  RE: clearpass multiple radius class attributes

    EMPLOYEE
    Posted May 03, 2016 11:33 PM
    What is the NAD? 

    If you're just returning raw values, you can just separate them with a comma. 

    %{AuthZSourceName:Attribute1},%{AuthZSourceName:Attribute2}


  • 8.  RE: clearpass multiple radius class attributes

    Posted May 03, 2016 11:40 PM
    Checkpoint. I haven't tried CSVing the values, but I'm not understanding how that's different from just adding a 2nd static Class attribute to the enforcement policy.

    I did test adding 2 Class attributes to a single enforcement policy and Checkpoint parsed out the RADIUS packet correctly, so that part is good.

    Again, I can see with one user 2 enforcement policies matched, but from looking at the logs it's only taking the RADIUS attribute out of the first match instead of all matches, if that makes sense.
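
As an added example (not from the thread, and not ClearPass or Check Point code), here is a small Python parser that pulls every IETF Class (25) attribute out of an Access-Accept, which is what the packet-capture check above comes down to, and verifies the Response Authenticator first so an altered or spoofed Accept is rejected. The packet bytes, request authenticator and shared secret are constructed for the demo.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS code for Access-Accept (RFC 2865)
ATTR_CLASS = 25     # IETF Class attribute

def build_access_accept(ident, request_auth, secret, classes):
    """Build an Access-Accept carrying one Class AVP per value in `classes`."""
    attrs = b"".join(struct.pack("!BB", ATTR_CLASS, 2 + len(c)) + c for c in classes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def is_authentic(packet, request_auth, secret):
    """Recompute the Response Authenticator; False means tampered or wrong secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    """Yield (type, value) for every AVP; repeated types (e.g. two Class) are kept."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def class_values(packet, request_auth, secret):
    """Return every Class value, in wire order, after verifying the packet."""
    if not is_authentic(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch")
    return [v for t, v in parse_attributes(packet) if t == ATTR_CLASS]

# Constructed sample: an Accept for a user in both groups, as the thread wants.
REQUEST_AUTH = bytes(range(16))          # would be copied from the Access-Request
SECRET = b"constructed-shared-secret"    # placeholder, not a real secret
SAMPLE_PACKET = build_access_accept(7, REQUEST_AUTH, SECRET,
                                    [b"rad_WestSide", b"rad_EastSide"])

if __name__ == "__main__":
    print(class_values(SAMPLE_PACKET, REQUEST_AUTH, SECRET))
```

To check a real capture, feed the raw UDP payload of the Accept plus the matching request's authenticator and the NAD's shared secret; a list shorter than the number of matched enforcement profiles confirms the server sent only one Class.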


  • 9.  RE: clearpass multiple radius class attributes

    EMPLOYEE
    Posted May 03, 2016 11:44 PM
    Have you looked at using the ClearPass Exchange integration instead? 

    CPPM TechNote - 3rd Party Enforcement Points (CheckPoint) v1.3.pdf

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=18814


  • 10.  RE: clearpass multiple radius class attributes

    Posted May 03, 2016 11:56 PM

    Yes, I've seen that. I haven't read all the way through it, but there are some pain points in that. First off, that code hasn't really made it into a production release yet. You still have to have a special build of at least the management program (SmartConsole). I'm also not 100% sure on how the user info is coming down. The feature I'm trying to use is basically an auth portal on a firewall. Once you auth, your src IP then gains access to extra security policies. It's important to note that it's not always on. We require the user to ask for access to a given firewall.

    I've already proven Checkpoint can correctly parse multiple Class attributes, so really if I can just get ClearPass to work with me then RADIUS is the way to go.

    I should also point out I can't have the firewalls talk directly to LDAP. If I could, this wouldn't be a problem and I would just use LDAP for group membership instead of RADIUS. Of course that would also mean no ClearPass sale as well. :)