Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Dump/block wireless client?

  • 1.  Dump/block wireless client?

    Posted Dec 04, 2019 12:53 PM

    Afternoon all!
    <I'm new to both Aruba wireless and Clearpass so apologies up front for the ignorance here...>

     

    I'm nearing completion of a new wireless/Clearpass deployment and I'm trying to figure out the best way to dump and blacklist a wireless device for an indefinite amount of time, regardless of which network/SSID it's currently connected to. Use case: Misbehaving or compromised device (or whatever other related reason where we might need to surgically, but immediately, dump and block a client).

     

    I naively just assumed that I could hop into the endpoint repository and blacklist it there. But that doesn't appear to be an option.

     

    Skimming both Clearpass and AOS 8.x docs and these forums, it seems I have a number of potential options I could use here. From temporarily blacklisting at the controller(s) (or MM?--not sure exactly how that works exactly--wasn't entirely clear in ver 8; no GUI option?), to potentially blacklisting at Clearpass, to moving the machine object into a designated AD group and building an enforcement profile around that, to building an external server profile and blacklisting through controller APIs (which seemed convoluted). Static host list? CoA? Or possibly other much more creative options.

     

    So I'm a bit flummoxed on what may be the 'best' way to accomplish my ends. Typically, dumping a client would normally be handled by our service desk personnel so, ideally, the method would be dead simple. Certainly not a hard requirement but, for example, they don't currently have access to the controller/MM CLI (and they haven't yet been trained on that gear) so I'd be leery of giving them such access at this point in time. They do have 'Help Desk' level access to ClearPass so I was hoping there was a way to handle it there with minimal fuss but nothing obvious is jumping out at me.

     

    Setup: 7205 controllers + (2) MM + Clearpass + AD
    (We also have Airwave FWIW but it's not been fully setup yet...)

     

    Has anyone had to solve this particular need? Many thanks in advance for the guidance!



  • 2.  RE: Dump/block wireless client?

    Posted Dec 04, 2019 03:18 PM

    There are multiple ways to do this. This is my way using ClearPass, which makes the list easy to edit and view. Assuming you have a naughty list of clients you want to blacklist indefinitely:

    • Build a blacklist: in CPPM – Configuration – Identity – Static Host Lists: create a list of MAC addresses and name it “Naughty List”

    • Configure an authentication source: CPPM – Configuration – Sources: add an authentication source of type Static Host List and pick the “Naughty List” that you created in step 1. Name this “Naughty List Sources”

    • Apply the “Naughty List Sources” to ALL SERVICES that you want to block. To do this:
      • Go to CPPM - Service – <Service name> - Authentication: add authentication source “Naughty List Sources”

      • Go to CPPM - Service – <Service name> - Enforcement: modify the policy to add a rule: authentication source equals “Naughty List Sources” and apply firewall profile DENYALL

    If you want to blacklist any client later, just add it to “Naughty List”

    Hope this helps!



  • 3.  RE: Dump/block wireless client?

    Posted Dec 04, 2019 03:57 PM

    Thanks Trinh,
    I was mulling over something like what you're suggesting in my head but wouldn't I still have to get into both controllers and dump the client there first? That is, wouldn't a given connected client remain connected until an event happened that forced another authentication? If I were to add a device to the Static Hosts List while the client was already connected, there wouldn't be anything for Clearpass to act upon and deny, right (i.e., nothing to hit the relevant service/enforcement)?

     

    I'll lab it up and see how things react. Thanks a million!



  • 4.  RE: Dump/block wireless client?

    Posted Dec 04, 2019 04:07 PM

    To dump the client, locate the client on the local controller (MD, because you can only delete a user on the local controller where the client is associated) and delete it using the CLI:

    (WC01) *#show user | include 34:e1:2d:xx:xx:xx
    This operation can take a while depending on number of users. Please be patient ....
    x.x.x.x   34:e1:2d:xx:x:xx  host/1234  STUDENT-ROLE           08:16:15    802.1x       AP       Wireless  
    (WC01) *#aaa user delete mac 34:e1:2d:xx:xx:xx

     Watch CP Access Tracker to see this client re-authenticate.
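
The two steps from posts 2 and 4 (put the MAC on the static host list, then delete the session on the controller that holds it), as an added Python example that is not part of the original thread. It assumes `show user` rows are laid out as in post 4 (IP, MAC, name, role); `WC02` and the sample MAC and IP are constructed.

```python
import re

def normalize_mac(raw):
    """Return raw as aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[.:\-]", "", raw.strip().lower())
    # Exactly 12 hex digits: also rejects spaces, pipes and anything else
    # that must not reach a CLI line built from help-desk input.
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    # Group (multicast/broadcast) and all-zero addresses are never a client.
    if int(digits[:2], 16) & 1 or digits == "0" * 12:
        raise ValueError(f"not a client address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def sessions_for(mac, show_user_output):
    """(ip, role) for each 'show user' row whose MAC column equals mac."""
    rows = []
    for line in show_user_output.splitlines():
        fields = line.split()
        # Assumed column order, as in post 4: IP, MAC, Name, Role, ...
        if len(fields) >= 4 and fields[1].lower() == mac:
            rows.append((fields[0], fields[3]))
    return rows

def block_plan(raw_mac, show_user_by_controller):
    """What to add to the static host list and where to delete the session."""
    mac = normalize_mac(raw_mac)
    delete_on = {name: f"aaa user delete mac {mac}"
                 for name, output in show_user_by_controller.items()
                 if sessions_for(mac, output)}
    return {"naughty_list_entry": mac, "delete_on": delete_on}

# Constructed sample: output of "show user | include <mac>" per controller.
SAMPLE = {
    "WC01": "This operation can take a while depending on number of users. "
            "Please be patient ....\n"
            "192.0.2.10   02:00:5e:10:20:30  host/1234  STUDENT-ROLE  "
            "08:16:15  802.1x  AP  Wireless\n",
    "WC02": "This operation can take a while depending on number of users. "
            "Please be patient ....\n",   # WC02 is a hypothetical second MD
}

if __name__ == "__main__":
    plan = block_plan("02-00-5E-10-20-30", SAMPLE)
    print("Add to static host list:", plan["naughty_list_entry"])
    for controller, command in plan["delete_on"].items():
        print(f"({controller}) {command}")
```

Adding the list entry before running the delete means the re-authentication that follows already matches the deny rule.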