What you show are just the service matching rules. These in principle do nothing for security, they just map the incoming request to the right service. For security you would create role-mapping/enforcement based on context information that you have in access tracker. That can be things like AD group membership, information in the client certificate, switch/switchport (for wired), device type (profiling), MDM status (personal/corporate device, compliant/non-compliant). Because you have a lot of freedom, it's hard to point you to a specific guide, but this is basically how ClearPass works. That is explained in the product training, or if you have a lot of time you could get the knowledge from the product guides as well, but those are more suited if you have the basic understanding and need details on specific parts. You may check the video series that I created to understand the concepts as well.
For the quick win it may be better to discuss your setup with your Aruba Partner, Aruba local SE or Aruba Support to get this set up correctly. The big question in this is what additional security/checks you are looking for, and in my experience that works better in an interactive conversation than written in a forum because there are so many options.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
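To make the distinction in the reply above concrete (service matching only selects a service; role mapping turns context such as AD groups, client-certificate fields and MDM status into roles, and enforcement turns roles into a profile), here is an added illustration in Python. It is not ClearPass code and not Herman's; the attribute names, group DNs, CA name, rule syntax and VLAN numbers are all constructed for the example. It evaluates every role-mapping rule, then applies enforcement rules in order with a default of reject, so a client that passed EAP-TLS but presents a certificate from an unexpected issuer still gets no access.

```python
"""Toy role-mapping + enforcement evaluator (added example, not ClearPass code).

Idea being illustrated: authentication success (e.g. a valid EAP-TLS handshake)
only gets a request to the right service. What the client may do is decided by
role mapping (context -> roles) and enforcement (roles -> profile).
All attribute names, groups, CA names and VLAN numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attr: str       # request attribute, e.g. "ad:memberOf" (constructed name)
    op: str         # "equals", "contains" (multi-valued attr) or "in"
    value: object

    def matches(self, request: dict) -> bool:
        actual = request.get(self.attr)
        if actual is None:
            return False            # missing context never satisfies a condition
        if self.op == "equals":
            return actual == self.value
        if self.op == "contains":   # e.g. a group DN inside the memberOf list
            return self.value in actual
        if self.op == "in":
            return actual in self.value
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class RoleRule:
    role: str
    conditions: tuple   # every condition must hold (AND)


@dataclass(frozen=True)
class EnforcementRule:
    roles: frozenset    # every listed role must be present
    profile: dict


EMPLOYEES = "CN=Employees,OU=Groups,DC=example,DC=com"      # constructed
CONTRACTORS = "CN=Contractors,OU=Groups,DC=example,DC=com"  # constructed
CORP_CA = "CN=Corp Issuing CA,O=Example Corp"               # constructed

# Role mapping: all rules are evaluated, every match contributes a role.
ROLE_RULES = (
    RoleRule("Corp-Device", (Condition("cert:issuer", "equals", CORP_CA),)),
    RoleRule("Employee", (Condition("ad:memberOf", "contains", EMPLOYEES),)),
    RoleRule("Contractor", (Condition("ad:memberOf", "contains", CONTRACTORS),)),
    RoleRule("MDM-Compliant", (Condition("mdm:compliant", "equals", True),)),
)

# Enforcement: first matching rule wins; nothing matching means reject.
ENFORCEMENT_RULES = (
    EnforcementRule(frozenset({"Corp-Device", "Employee", "MDM-Compliant"}),
                    {"action": "accept", "vlan": 100}),
    EnforcementRule(frozenset({"Corp-Device", "Contractor"}),
                    {"action": "accept", "vlan": 200}),
    # Corporate certificate but no known/compliant user: quarantine VLAN.
    EnforcementRule(frozenset({"Corp-Device"}),
                    {"action": "accept", "vlan": 900}),
)
DEFAULT_PROFILE = {"action": "reject"}


def map_roles(request: dict) -> frozenset:
    """Return every role whose conditions all hold for this request."""
    return frozenset(r.role for r in ROLE_RULES
                     if all(c.matches(request) for c in r.conditions))


def enforce(roles: frozenset) -> dict:
    """Apply enforcement rules in order; default deny."""
    for rule in ENFORCEMENT_RULES:
        if rule.roles <= roles:
            return rule.profile
    return DEFAULT_PROFILE


def authorize(request: dict) -> dict:
    roles = map_roles(request)
    return {"roles": sorted(roles), "profile": enforce(roles)}


# Constructed request contexts, shaped like what an access tracker would show.
SAMPLE_REQUESTS = {
    "compliant_employee": {"cert:issuer": CORP_CA, "ad:memberOf": [EMPLOYEES],
                           "mdm:compliant": True},
    "noncompliant_employee": {"cert:issuer": CORP_CA, "ad:memberOf": [EMPLOYEES],
                              "mdm:compliant": False},
    "contractor": {"cert:issuer": CORP_CA, "ad:memberOf": [CONTRACTORS]},
    # Valid EAP-TLS handshake, but the certificate comes from some other CA.
    "foreign_cert": {"cert:issuer": "CN=Other CA,O=Somewhere Else",
                     "ad:memberOf": [EMPLOYEES], "mdm:compliant": True},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:22s} -> {authorize(req)}")
```

The point of the last sample is the one raised above: EAP-TLS answers "who signed this certificate and does the client hold the key", not "should this device be on the corporate VLAN"; that second question is answered by the role-mapping and enforcement layer, which is where extra checks belong.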
Original Message:
Sent: Dec 13, 2022 04:55 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP
Hello, @Herman Robers
My clients have chosen to authorize EAP-TLS.
I set up the configuration today, and the connection went well.
I'm not sure if I have the ability to add extra security measures as I've only added airspace type-Id
Do you have any suggestions?
I have yet another inquiry because it is so difficult for me to understand all of the different service types. Do you have any advice or information for me?
I don't know if you can understand me, but as an example, I only know the attribute radius-airspace wan id; it corresponds to the VLAN id in the controller. I would want to locate a guide that explains all of the type properties.
Original Message:
Sent: Nov 16, 2022 10:08 AM
From: Herman Robers
Subject: Clear Pass Corp_User login LDAP
PEAP Authentication will not work without domain join, or an LDAP server that exposes the user's password unencrypted or as NT-Hash. Active Directory does not store the unencrypted password and will not allow access to the NT-hash, but you can use the AD server to do the validation through the domain join.
I get that the customer wants you to use the AD login, but I feel you should very strongly advise against that or even refuse to implement it like that because it is almost impossible to make it secure. Check this (old) video to make the problem clear, and this guidance from Microsoft that you should not use PEAP (or rather not MSCHAPv2) anymore and TLS instead.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Nov 15, 2022 12:16 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP
Thank you for responding.
Yes, I am aware that EAP-TLS is safer in this situation, however my client wants me to log in using AD.
I'll have to test it with my client tomorrow, but I'd want to share my settings with you today.
JOIN AD
Original Message:
Sent: Nov 14, 2022 02:10 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP
Hi Athan,
You can configure LDAP under Configuration > Authentication > Sources.
When using username/password (EAP-PEAP MSCHAPv2) as the authentication method, your ClearPass must be AD joined. Note that this authentication method is pretty insecure and can easily leak AD credentials to the public, therefore login with AD username/password is not recommended.
When using certificate-based (EAP-TLS) as the authentication method, your ClearPass does not need to be AD joined to look up the Active Directory over LDAP (or better LDAP over TLS (port 636)). This method is the most secure deployment and can be done with computer or user based certificates. You need to enroll the certificates to your clients by using an MDM, Intune or GPO.
For both EAP-PEAP or EAP-TLS you need to configure RADIUS on the wlan controller and ClearPass to exchange the EAP messages.
------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
Original Message:
Sent: Nov 13, 2022 04:49 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP
I am new to Aruba, my customer has asked me to set up an SSID user company. The client has a Cisco WLC and ClearPass, and they want these users to log in using their LDAP credentials.
My configuration is attached. I want to know if it's accurate.
I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.