Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

two types of authentication on same SSID

  • 1.  two types of authentication on same SSID

    Posted Nov 01, 2012 04:00 PM

    Hello gurus,

    I have the following setup which I want to implement.

    I have an Aruba 3600 controller with the ClearPass solution, which I am evaluating at the moment.

    Scenario A: active directory user authentication without certificate

    Scenario B: active directory user authentication + machine authentication.

    Currently I have my CA server running, with certificates installed on the client side and the ClearPass side, and it's working fine. BUT...

    I would like to add a role which says that in case the user authenticates without a certificate he will be able to just browse the internet. In case he has a certificate he can access local resources. This is all done on a single SSID.

    I tried to add my RADIUS server under the 802.1X Authentication Server Group with two different roles.

    1 | Tunnel-Private-Group-Id | equals | WithCertificate | String | set role | authenticated | Yes
    2 | Tunnel-Private-Group-Id | equals | WithoutCertificate | String | set role | Internet_Only | Yes

    Also, in the ClearPass RADIUS I added the same options under the service rule, but it doesn't work.

    So now, because I have two different rules to authenticate users, the policy will always go to the 1st match, which will usually fail since, as mentioned, I have two different profiles. So when a user without a certificate tries to authenticate, he will be dropped since there is no connection policy for him.

    So what do we do from here?

    Thanks.


    #3600


  • 2.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 01, 2012 04:11 PM

    So you want to differentiate between Domain Machines and other devices?

     



  • 3.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:14 PM

    No.

    I want to be able to use one SSID with different types of users.

    I.e. users that have a mobile device without a certificate, which will use AD credentials and get only internet access without local resources, and regular laptop users which are members of the domain and have a certificate; they will be able to access everything.

     



  • 4.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 01, 2012 04:18 PM

    @idcnetworking wrote:

    No.

    I want to be able to use one SSID with different types of users.

    I.e. users that have a mobile device without a certificate, which will use AD credentials and get only internet access without local resources, and regular laptop users which are members of the domain and have a certificate; they will be able to access everything.

     


    Okay.

     

    Are both groups of users being authenticated successfully right now (if not, we need to fix that before doing anything)?

     



  • 5.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:26 PM

    At the moment,

    I use one username from a laptop with a certificate and it works. I use the same username from my Android device without a certificate, only AD authentication, and it works.

    But when I combine both rules in ClearPass it doesn't work, as there is no way (that I have found) to distinguish the connection request; therefore it will always match the 1st one, which is with certificates. And then the no-certificate one doesn't work.

    So each time I need to stop one of the services in ClearPass.

     



  • 6.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 01, 2012 04:29 PM

    Okay. Edit the service, and under the Authentication tab, do you have MsChapV2, EAP-PEAP and EAP-TLS as authentication methods?

     



  • 7.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:30 PM

    Yes, I do.

    But isn't it smarter to separate them, and send tunnel-group-id which can be Usercertificate and the other one NoCertificate or something like that?

     



  • 8.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 01, 2012 04:45 PM

    No.  Keep them in the same service.  We will send a different Enforcement Profile that will send a different role, depending on whether it does EAP-TLS or not:

     

    On the controller:

     

    Make sure you have two roles set aside for your two different types of users.  You will not need any Server derivation rules in the server group, because we will send an Aruba VSA (Aruba-User-Role) with the name of the Role from CPPM and that will automatically put the user in that role.

     

    On CPPM:

     

    1- Go to Configuration> Enforcement> Profiles.

    2- Click on Add Enforcement Profile

    3- Select Aruba Enforcement Profile and name the profile after your first Aruba Role (for TLS/Certificate users).  Click on Next and in the Attributes Tab, fill in the Value box with the name of the Aruba Role that you want to send back for Certificate (TLS) users.  Click on Save.

    4- Select Aruba Enforcement Profile and Name the Profile after your Second Aruba Role (for PEAP/Username and password users).  Click on Next and in the Attributes Tab, fill in the Value box with the name of the second Aruba Role that you want to send back for PEAP users.  Click on Save.

    5- Go to Configuration> Enforcement> Policies.  Click on Add Enforcement Policy.  Name the policy Encrypted-Users.  Click next and Under the Rules Tab click to add a rule that says :  "Authentication Outer Method Equals EAP-TLS".  Under the Enforcement Profile portion, select the Enforcement Profile you created in Step#3.  Click on Save.

    6- Add Another Rule.  Click next and Under the Rules Tab click to add a rule that says :  "Authentication Outer Method Equals EAP-PEAP".  Under the Enforcement Profile portion, select the Enforcement Profile you created in Step#4.  Click on Save.

    7- Go into Configuration> Services and Edit your Service.  Under the Enforcement Tab, Select the Enforcement Policy you created in Step#5.

    Try that and let us know if it works.

     



  • 9.  RE: two types of authentication on same SSID

    Posted Nov 01, 2012 04:58 PM

    I will give it a try tomorrow, as now it's a bit too late.

    I will keep us posted.

    Thanks again !!!!

     



  • 10.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 08:45 AM

    I have added everything.

    I have one service which at the moment works with user and computer certificate and also with only username \ pass from Active Directory.

    How can I now separate them on the controller?

    Once the user with a certificate authenticates he will get the full policy.

    Once the user doesn't present a certificate he will get a lighter policy.

    Thanks.

     



  • 11.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 02, 2012 08:57 AM

    What is not working?  The controller, unless you have termination enabled, merely packages what the client sends it and tunnels the request to the radius server.  The settings on the client and the radius server must match.

     

    The big question is:  what piece is NOT working, so that we can work on that.  We at minimum need to get the basics working, which is authentication and work on authorization, second...

     

     



  • 12.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 10:56 AM

    As said.

    What is not working at the moment is giving different access rules based on authentication.

    I.e.

     

    user A with cert can access everything

    user A no cert can only get internet access

    user B with cert can access everything

     



  • 13.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 02:13 PM

    How can I send the Aruba VSA without the server derivation?

    On the controller:

     

    Make sure you have two roles set aside for your two different types of users. You will not need any Server derivation rules in the server group, because we will send an Aruba VSA (Aruba-User-Role) with the name of the Role from CPPM and that will automatically put the user in that role.



  • 14.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 02, 2012 02:17 PM

    The enforcement profile in CPPM responds with the Aruba-User-Role which is the VSA that sets the role.  Anytime that is present, the user will end up in that role.  Setting that parameter on the CPPM side allows you to set the user's role without role derivation rules.



  • 15.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 02:21 PM

    I see, but still the classification is not in place at the moment.

    How can I debug it?

    Thanks for your time.



  • 16.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 02, 2012 02:57 PM

    Go to Monitoring> Live Monitoring> Access Tracker and Find the Success Authentication.  Double Click on it.  Click on the Alert Tab to see what was returned to the client.

     



  • 17.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 02:59 PM

    There is no Alert tab, as the authentication is OK; just the role mapping is not.

     



  • 18.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 02, 2012 04:13 PM

    When you click into the message, the last tab on the right should tell you what attributes were sent back (under Radius).



  • 19.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 04:21 PM

    There are 3 tabs: Summary, Input, Output.

    But that's all I got; either we are missing something or I don't understand.

    Radius:Aruba:Aruba-AP-Group = IJ_Local_clearpass
    Radius:Aruba:Aruba-Essid-Name = IJ_Certificate
    Radius:Aruba:Aruba-Location-Id = ap-nl-idc-02
    Radius:IETF:Called-Station-Id = 000B866DEBA4
    Radius:IETF:Calling-Station-Id = 001F3C20F141
    Radius:IETF:Framed-MTU = 1100
    Radius:IETF:NAS-Identifier = idc1-wlc01
    Radius:IETF:NAS-IP-Address = 192.168.1.16
    Radius:IETF:NAS-Port = 0
    Radius:IETF:NAS-Port-Type = 19
    Radius:IETF:Service-Type = 1
    Radius:IETF:User-Name = host/spare003-wifi
    Radius:Microsoft:MS-MPPE-Recv-Key = 0xb63c63e13c28ba84c2e473227c0a11cc0b8b34955256529d46c609c26ee8299a
    Radius:Microsoft:MS-MPPE-Send-Key = 0x059bc07ab43589cd3716b1a806a3216a77bffc7e3f7cdfb1be95c507a4240e05

    +Authorization Attributes

    +Posture Request

    +SNMP Request

    -Computed Attributes

    Authentication:ErrorCode = 0
    Authentication:Full-Username = host/spare003-wifi
    Authentication:MacAuth = NotApplicable
    Authentication:OuterMethod = EAP-TLS
    Authentication:Phase1PAC = None
    Authentication:Phase2PAC = None
    Authentication:Posture = Unknown
    Authentication:Status = Machine
    Authentication:Username = spare003-wifi-test$
    Authorization:Sources = Active_directory
    Certificate:Issuer-CN = XXXXXX
    Certificate:Issuer-DC = XXXXXX
    Certificate:Issuer-DN = XXXXXX
    Certificate:Serial-Number = 27:40:05:00:00:00:00:00:03:cd
    Certificate:Subject-AltName-DNS = spare003-wifi-test.
    Certificate:Subject-CN = spare003-wifi-test
    Certificate:Subject-DN = CN=spare003-wifi
    Certificate:Version = 3
    Connection:Client-Mac-Address = 001F3C20F141
    Connection:Client-Mac-Address-Colon = 00:1f:3c:20:f1:41
    Connection:Client-Mac-Address-Dot = 001f.3c20.f141
    Connection:Client-Mac-Address-Hyphen = 00-1f-3c-20-f1-41
    Connection:Client-Mac-Address-NoDelim = 001f3c20f141
    Connection:Client-Mac-Vendor = Intel Corporate
    Connection:Dest-IP-Address = 10.3.3.205
    Connection:Dest-Port = 1812
    Connection:NAD-IP-Address = 192.168.1.16
    Connection:Protocol = RADIUS
    Connection:Src-IP-Address = 192.168.1.16
    Connection:Src-Port = 32800
    Host:FQDN = spare003-wifi-
    Host:Name = spare003-wifi

     



  • 20.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 02, 2012 04:27 PM

    Output is the tab.  Expand radius under that.



  • 21.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 04:28 PM

    Enforcement Profiles: TLS_Certificate_users
    System Posture Status: UNKNOWN (100)
    Audit Posture Status: UNKNOWN (100)


  • 22.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 02, 2012 04:31 PM
    Okay. The enforcement profile being sent back is TLS certificate users. That needs to be a type of Aruba radius enforcement and have the attribute Aruba-User-Role returning the role. It is also case sensitive.


  • 23.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 04:42 PM

    I added it but it is still the same.

    I don't understand something: don't I need to set up something in the controller,

    a user role?

    How can the controller understand that the user is supposed to get a different policy if it is not stated?

    The other one is

    PEAP_Active_Directory_Auth


  • 24.  RE: two types of authentication on same SSID

    Posted Nov 02, 2012 04:51 PM

    Could you elaborate on the procedure to make it happen?

    Thanks.

     



  • 25.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 02, 2012 07:19 PM

    I elaborated on the procedure a few posts ago when I described what to do.

     

    Aruba VSAs are radius attributes that when they are in use, set and override role derivation.  If a radius server responds with the Aruba VSA of aruba-user-role during authentication, the user will be placed into that role.  That is what we were trying to do.

     

    From what I see the correct enforcement profile is being set, but somehow you do not have the Aruba-User-Role VSA set.  It should not be blank in the access tracker.  Please check your Enforcement Profile to ensure that the correct role name is configured and being sent.  That would eliminate you from having to write a server derivation rule, and server derivation rules on the Aruba controller are not specific enough to differentiate between EAP-TLS and EAP-PEAP.  That is why we want to detect these things on CPPM and then send back the role to the Aruba Controller during authentication.

     

    If you haven't already, you can obtain the Documentation for Clear Pass Policy manager under http://support.arubentworks.com  and Click on Documentation.  That way I can point you to the pages in the manual for the references that I am making.

     



  • 26.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 07:27 AM

    Which pages do you mean?

    Thanks.

     



  • 27.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 05, 2012 08:42 AM


  • 28.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 09:23 AM

    I got the user manual.

    Which reference did you mean?

    Thanks.

     



  • 29.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 05, 2012 09:31 AM

    Chapter 15 is a chapter on Enforcement that shows you how to create and construct an Enforcement Profile.  What you want to do (and what we configured before) is an Aruba Enforcement profile which can be used to force the role of a device that is authenticated via Radius to the Aruba controller.  That way we can check for a few parameters via CPPM and force the role of a device based on that result.  That is done by pushing an Aruba VSA or Radius attribute which will match what role we want the device to end up in.  My instructions before showed how to do this, but the Enforcement Profile must be of the type "Aruba Radius Enforcement" and the "aruba-user-role" attribute must equal exactly what role you want the device to get.

     



  • 30.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 09:38 AM

    Yes, my TLS users are set up with aruba-user-role %{Authorization:AD_Authentication:HostName}

    and my PEAP users are with %{Authorization:AD_Authentication:cn}



  • 31.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 05, 2012 09:41 AM

    @shpapy wrote:

    Yes, my TLS users are set up with aruba-user-role %{Authorization:AD_Authentication:HostName}

    and my PEAP users are with %{Authorization:AD_Authentication:cn}


    Your Enforcement profile should look like this:

     

    TLS users :  aruba-user-role - equals - <role on the controller that you want tls users to be in>

    PEAP users:  aruba-user-role - equals - <role on the controller that you want PEAP users to be in>

     

     

    You want to send back the name of a role, NOT a formula.



  • 32.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 09:56 AM

    Well, my problem was the formula.

    Now I have adjusted accordingly.

    Type | Name | Value
    1. Radius:Aruba | Aruba-User-Role | = authenticated

    Type | Name | Value
    1. Radius:Aruba | Aruba-User-Role | = Internet_Only



  • 33.  RE: two types of authentication on same SSID
    Best Answer

    Posted Nov 05, 2012 09:57 AM

    And this is the controller.

    Now I need to figure out why the policy is not OK, but that's a different story :-)

    Thanks a lot for the help!!!

    Also, I can see the RADIUS response now:

    RADIUS Response

    Radius:Aruba:Aruba-User-Role = authenticated

    1 | Aruba-User-Role | equals | TLS_Certificate_users | String | set role | authenticated | Yes
    2 | Aruba-User-Role | equals | PEAP_Active_Directory_Auth | String | set role | Internet_Only | Yes



  • 34.  RE: two types of authentication on same SSID

    EMPLOYEE
    Posted Nov 05, 2012 10:03 AM

    The role that you send back is case-sensitive, so it needs to match the case of the role that you have on the controller, exactly.

     

    I am glad to hear that you got it to send something back!  When you are done, we will want others to learn from what you have configured.
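
An added example, not part of the original thread: it builds and parses the Vendor-Specific attribute that carries Aruba-User-Role, then checks the value for the failures discussed above (role missing, a `%{...}` expression instead of a role name, wrong case). The vendor ID 14823 and sub-attribute number 1 come from the public Aruba RADIUS dictionary rather than from this thread; the role names are the ones posted here, and the controller role set is constructed.

```python
import re
import struct

VENDOR_SPECIFIC = 26     # RADIUS Vendor-Specific attribute type (RFC 2865)
ARUBA_VENDOR_ID = 14823  # Aruba enterprise number (public dictionary, not from the thread)
ARUBA_USER_ROLE = 1      # Aruba-User-Role sub-attribute (public dictionary)

# Role names as posted in the thread; the controller role set is constructed.
POLICY = {"EAP-TLS": "authenticated", "EAP-PEAP": "Internet_Only"}
CONTROLLER_ROLES = {"authenticated", "Internet_Only"}


def encode_role_vsa(role):
    """Build the Vendor-Specific attribute that carries Aruba-User-Role."""
    value = role.encode()
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def _tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]


def extract_role(attrs):
    """Return the Aruba-User-Role in an attribute block, or None if absent."""
    for atype, data in _tlvs(attrs):
        if atype != VENDOR_SPECIFIC or len(data) < 4:
            continue
        if struct.unpack("!I", data[:4])[0] != ARUBA_VENDOR_ID:
            continue
        for stype, value in _tlvs(data[4:]):
            if stype == ARUBA_USER_ROLE:
                return value.decode()
    return None


def check_role(role, controller_roles=CONTROLLER_ROLES):
    """Classify a returned or configured role value against the controller."""
    if not role:
        return "missing"
    if re.search(r"%\{[^}]*\}", role):
        return "variable"        # profile holds a %{...} expression, not a name
    if role in controller_roles:
        return "ok"
    if role.lower() in {r.lower() for r in controller_roles}:
        return "case-mismatch"   # role names are compared case-sensitively
    return "unknown"
```
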



  • 35.  RE: two types of authentication on same SSID

    Posted Nov 05, 2012 10:11 AM

    Let me know what I can share and I will.