Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ClearPass enforcement profile problem

  • 1.  ClearPass enforcement profile problem

    Posted Aug 23, 2014 12:31 PM

    On our staff computers we set up an enforcement policy that looks for them to machine authenticate and for the computer to belong to an AD group we created before assigning the staff role we created.  The problem is we have some computers that get the Machine Only enforcement profile and are assigned the wrong role.  When I look in Access Tracker at the ones that work, ClearPass is looking at the group the machine belongs to; on the ones that do not work it's looking at user groups.  There are no differences in AD between the computers that are working and the ones that are not.



  • 2.  RE: ClearPass enforcement profile problem

    EMPLOYEE
    Posted Aug 23, 2014 12:36 PM
    On the ones that don't work, are you seeing both [User Authenticated] and [Machine Authenticated]?


  • 3.  RE: ClearPass enforcement profile problem

    Posted Aug 23, 2014 12:38 PM

    Yes



  • 4.  RE: ClearPass enforcement profile problem

    EMPLOYEE
    Posted Aug 23, 2014 12:42 PM
    You need to write a rule that checks User + Machine + Group and put it higher than your User only policies.


  • 5.  RE: ClearPass enforcement profile problem

    Posted Aug 23, 2014 12:59 PM

    Thanks.  That definitely has me on the right track.



  • 6.  RE: ClearPass enforcement profile problem

    EMPLOYEE
    Posted Aug 23, 2014 05:41 PM

    Greg,

    Unfortunately, when a USER is authenticating, the only role that is available with regards to the machine is the [MACHINE AUTHENTICATED] role.  You cannot leverage AD attributes like groups about the machine objects when the user is currently authenticating.  The AD groups that the machine is part of are only accessible WHEN the machine is authenticating, NOT when the user on that machine is authenticating.

    I hope that helps.



  • 7.  RE: ClearPass enforcement profile problem

    Posted Aug 24, 2014 10:53 AM

    As Colin mentioned, it is not possible to carry over a role mapping of a machine authentication once you do the user auth.

    What I suggest you do is the following:

    - Create two services

    [Screenshot: ClearPass Policy Manager, service list]

    - In the machine authentication service, define the following role mapping

    [Screenshot: ClearPass Policy Manager, role mapping]

    - Then create two custom attributes that you will use to differentiate between the IT PC and the Sales PC

    [Screenshot: ClearPass Policy Manager, custom attributes]

    - Then create a Post Auth profile using those custom attributes

    [Screenshot: ClearPass Policy Manager, post-auth profile]

    - The post auth profiles can then be used to tag devices that are part of the SalesComputer or ITComputer AD group in the machine auth enforcement policy

    [Screenshot: ClearPass Policy Manager, machine auth enforcement policy]

    - Once these tags have been applied you can use them in the user wireless 802.1X service (for this to work, make sure you add the endpoint database as an authorization source)

    [Screenshot: ClearPass Policy Manager, user 802.1X service]
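The two fixes proposed above, rule ordering in reply #4 and carrying the machine's AD group forward as an endpoint attribute in reply #7, can be checked against a small model of first-match enforcement. The following Python is an added example written for this thread, not ClearPass code or any poster's configuration: the directory contents, MAC addresses, attribute name `Computer Type`, role names and profile names are all constructed, and the evaluation loop is a simplified stand-in for how a ClearPass enforcement policy picks the first rule whose conditions match.

```python
"""Simplified model of ClearPass-style first-match enforcement (constructed example).

It models three things from the thread:
  * the Tips roles [Machine Authenticated] and [User Authenticated]
  * a machine-auth service that can see the computer object's AD groups and
    tags the endpoint with a custom attribute (reply #7's post-auth profile)
  * a user-auth service whose policy is evaluated first-match, so the order
    of rules decides the role (reply #4)
"""

MACHINE_AUTH = "[Machine Authenticated]"
USER_AUTH = "[User Authenticated]"

# Constructed directory data: computer accounts and users with their AD groups.
AD_COMPUTERS = {"PC-IT-01$": {"ITComputer"}, "PC-SALES-01$": {"SalesComputer"}}
AD_USERS = {"alice": {"Staff"}}

# Endpoint repository keyed by MAC; written by the machine-auth service only.
ENDPOINTS = {}


def machine_auth_service(mac, computer_account):
    """Machine authentication: the computer's AD groups are visible here, so we
    record a tag on the endpoint for later user authentications to consume."""
    groups = AD_COMPUTERS.get(computer_account)
    if groups is None:
        return None                      # unknown computer account: no tag written
    tag = "IT" if "ITComputer" in groups else "Sales" if "SalesComputer" in groups else "Unknown"
    ENDPOINTS[mac] = {"Computer Type": tag, "machine_authenticated": True}
    return tag


def user_auth_roles(mac, username):
    """Role mapping for a user authentication. The machine's AD groups are NOT
    available here (reply #6); only the endpoint record written earlier is."""
    roles = set()
    if username in AD_USERS:
        roles.add(USER_AUTH)
        roles |= {f"AD:{g}" for g in AD_USERS[username]}
    endpoint = ENDPOINTS.get(mac, {})   # endpoint DB used as an authorization source
    if endpoint.get("machine_authenticated"):
        roles.add(MACHINE_AUTH)
    if "Computer Type" in endpoint:
        roles.add(f"Endpoint:Computer Type={endpoint['Computer Type']}")
    return roles


def evaluate(policy, roles):
    """First-match enforcement: the first rule whose conditions all hold wins."""
    for conditions, profile in policy:
        if conditions <= roles:
            return profile
    return "[Deny Access Profile]"


# The failure mode from the thread: a user-only rule sits above the combined rule,
# so every staff user lands on the generic profile regardless of the machine.
BROKEN_POLICY = [
    ({USER_AUTH, "AD:Staff"}, "Generic Staff Role"),
    ({USER_AUTH, MACHINE_AUTH, "Endpoint:Computer Type=IT"}, "IT Staff Role"),
]

# Reply #4's fix: User + Machine + Group rules placed above the user-only rule.
FIXED_POLICY = [
    ({USER_AUTH, MACHINE_AUTH, "Endpoint:Computer Type=IT"}, "IT Staff Role"),
    ({USER_AUTH, MACHINE_AUTH, "Endpoint:Computer Type=Sales"}, "Sales Staff Role"),
    ({USER_AUTH, "AD:Staff"}, "Generic Staff Role"),
]


def run_scenario():
    """Replay the thread end to end and return the outcome of each policy per device."""
    ENDPOINTS.clear()
    it_pc, sales_pc, byod = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:99"
    machine_auth_service(it_pc, "PC-IT-01$")
    machine_auth_service(sales_pc, "PC-SALES-01$")
    # byod never machine-authenticates, so it carries no endpoint tag at all.
    results = {}
    for label, mac, user in (("it_pc", it_pc, "alice"), ("sales_pc", sales_pc, "alice"),
                             ("byod", byod, "alice"), ("unknown_user", it_pc, "mallory")):
        roles = user_auth_roles(mac, user)
        results[label] = {"broken": evaluate(BROKEN_POLICY, roles),
                          "fixed": evaluate(FIXED_POLICY, roles)}
    return results


if __name__ == "__main__":
    for device, outcome in run_scenario().items():
        print(f"{device:13s} broken={outcome['broken']:22s} fixed={outcome['fixed']}")
```

Two things the run makes visible: with the broken ordering the IT and Sales machines are indistinguishable from a personal device carrying valid staff credentials, and with the fixed ordering only a device that completed machine authentication and received the tag reaches the IT or Sales profile, while an unknown user is denied under both policies. In a real deployment the equivalent of the `byod` row is worth watching in Access Tracker, since it is the case where a user-only rule silently grants the broad role.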



  • 8.  RE: ClearPass enforcement profile problem

    EMPLOYEE
    Posted Aug 24, 2014 10:59 AM
    If you turn on cached roles, you can combine user, machine and user groups through a role map. I have this configured in multiple environments.


  • 9.  RE: ClearPass enforcement profile problem

    Posted Aug 25, 2014 10:18 AM

    Thanks for the replies, I feel like I have some options that will work now.