Security

Hi, 

We are testing CPPM to be used in our wired network. I've been through the videos "Aruba ClearPass Workshop (2021)"by Herman Robers, there I learned how to create a service to authenticate wired computers that are joined to our domain, and allow them access if they are user or computer authenticated. 

Now for new computers that needs to be configured by our IT support staff, the computer will not be joined to domain, how to give them access to a specific VLAN (isolated) that has access to our AD (to join)? how to create a proper service for this?

Also, if a computer's access is rejected by a service, will the computer try to access by a later service? or the first reject will stop processing of other services?

I've tried going though CPPM docs, but the docs show how to configure different parts, like how to create an Enforcement Policy, but does not explain each part and what it does exactly and how to configure for different situations. Please point me to any documentation that explains CPPM in this sense. 

Please excuse my primitive questions. 

Thanks.

Make the default enforcement action one that assigns that build VLAN.
Original Message:
Sent: Jul 15, 2022 04:33 PM
From: Turki Alibrahim
Subject: Ser

Hi, 

We are testing CPPM to be used in our wired network. I've been through the videos "Aruba ClearPass Workshop (2021)"by Herman Robers, there I learned how to create a service to authenticate wired computers that are joined to our domain, and allow them access if they are user or computer authenticated. 

Now for new computers that needs to be configured by our IT support staff, the computer will not be joined to domain, how to give them access to a specific VLAN (isolated) that has access to our AD (to join)? how to create a proper service for this?

Also, if a computer's access is rejected by a service, will the computer try to access by a later service? or the first reject will stop processing of other services?

I've tried going though CPPM docs, but the docs show how to configure different parts, like how to create an Enforcement Policy, but does not explain each part and what it does exactly and how to configure for different situations. Please point me to any documentation that explains CPPM in this sense. 

Please excuse my primitive questions. 

Thanks.

Sounds logical, thanks.

Will try and post my findings.
Original Message:
Sent: Jul 19, 2022 09:33 AM
From: Unknown User
Subject: Ser

Make the default enforcement action one that assigns that build VLAN.
Original Message:
Sent: Jul 15, 2022 04:33 PM
From: Turki Alibrahim
Subject: Ser

Hi, 

We are testing CPPM to be used in our wired network. I've been through the videos "Aruba ClearPass Workshop (2021)"by Herman Robers, there I learned how to create a service to authenticate wired computers that are joined to our domain, and allow them access if they are user or computer authenticated. 

Now for new computers that needs to be configured by our IT support staff, the computer will not be joined to domain, how to give them access to a specific VLAN (isolated) that has access to our AD (to join)? how to create a proper service for this?

Also, if a computer's access is rejected by a service, will the computer try to access by a later service? or the first reject will stop processing of other services?

I've tried going though CPPM docs, but the docs show how to configure different parts, like how to create an Enforcement Policy, but does not explain each part and what it does exactly and how to configure for different situations. Please point me to any documentation that explains CPPM in this sense. 

Please excuse my primitive questions. 

Thanks.

Solution depends a bit on personal preference, current workflows and used switch equipment. You probably should find out in what state the computer gets (MAC authentication with profiling role, if you followed the guide; as the computer probably won't do 802.1X yet at that point); and in that role you could allow just enough access to AD/imaging/supporting servers to build/boot/initialized the PC and join to the domain. There is also on AOS-CX an option to configure a 'failed auth' role, which can be either the same profiling role with strict controlled access to AD or a role with access to that staging VLAN.

The computer does not trigger a service, the switch will. With both 802.1X and MAC Auth configured, connecting the computer can trigger both, or one of them, but the key is to design your policies and switch config such that your clients can be joined by the IT Staff. If joining is done in a specific staging room, you could consider configuring a few ports statically to the staging VLAN specifically for that room/purpose.

Like always with ClearPass, there are many ways to do things. It may be good to discuss with your Aruba Partner, local Aruba SE or Aruba Support which are the options with your setup/equipment, and what are the pros-cons of each option to get to the best in your situation.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jul 15, 2022 04:33 PM
From: Turki Alibrahim
Subject: Ser

Hi, 

We are testing CPPM to be used in our wired network. I've been through the videos "Aruba ClearPass Workshop (2021)"by Herman Robers, there I learned how to create a service to authenticate wired computers that are joined to our domain, and allow them access if they are user or computer authenticated. 

Now for new computers that needs to be configured by our IT support staff, the computer will not be joined to domain, how to give them access to a specific VLAN (isolated) that has access to our AD (to join)? how to create a proper service for this?

Also, if a computer's access is rejected by a service, will the computer try to access by a later service? or the first reject will stop processing of other services?

I've tried going though CPPM docs, but the docs show how to configure different parts, like how to create an Enforcement Policy, but does not explain each part and what it does exactly and how to configure for different situations. Please point me to any documentation that explains CPPM in this sense. 

Please excuse my primitive questions. 

Thanks.

We have Cisco, and I'm sure we have an option there similar to 'failed auth' role in AOS-CX

Thanks for your explanation.



Original Message:
Sent: Jul 21, 2022 11:05 AM
From: Herman Robers
Subject: Ser

Solution depends a bit on personal preference, current workflows and used switch equipment. You probably should find out in what state the computer gets (MAC authentication with profiling role, if you followed the guide; as the computer probably won't do 802.1X yet at that point); and in that role you could allow just enough access to AD/imaging/supporting servers to build/boot/initialized the PC and join to the domain. There is also on AOS-CX an option to configure a 'failed auth' role, which can be either the same profiling role with strict controlled access to AD or a role with access to that staging VLAN.

The computer does not trigger a service, the switch will. With both 802.1X and MAC Auth configured, connecting the computer can trigger both, or one of them, but the key is to design your policies and switch config such that your clients can be joined by the IT Staff. If joining is done in a specific staging room, you could consider configuring a few ports statically to the staging VLAN specifically for that room/purpose.

Like always with ClearPass, there are many ways to do things. It may be good to discuss with your Aruba Partner, local Aruba SE or Aruba Support which are the options with your setup/equipment, and what are the pros-cons of each option to get to the best in your situation.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 15, 2022 04:33 PM
From: Turki Alibrahim
Subject: Ser

Hi, 

We are testing CPPM to be used in our wired network. I've been through the videos "Aruba ClearPass Workshop (2021)"by Herman Robers, there I learned how to create a service to authenticate wired computers that are joined to our domain, and allow them access if they are user or computer authenticated. 

Now for new computers that needs to be configured by our IT support staff, the computer will not be joined to domain, how to give them access to a specific VLAN (isolated) that has access to our AD (to join)? how to create a proper service for this?

Also, if a computer's access is rejected by a service, will the computer try to access by a later service? or the first reject will stop processing of other services?

I've tried going though CPPM docs, but the docs show how to configure different parts, like how to create an Enforcement Policy, but does not explain each part and what it does exactly and how to configure for different situations. Please point me to any documentation that explains CPPM in this sense. 

Please excuse my primitive questions. 

Thanks.

You do, its called Critical Auth VLAN using IBNS 2.0.  Or the fail-open commands in IBNS 1.0
Original Message:
Sent: Jul 26, 2022 11:41 AM
From: Turki Alibrahim
Subject: Ser

We have Cisco, and I'm sure we have an option there similar to 'failed auth' role in AOS-CX

Thanks for your explanation.



Original Message:
Sent: Jul 21, 2022 11:05 AM
From: Herman Robers
Subject: Ser

Solution depends a bit on personal preference, current workflows and used switch equipment. You probably should find out in what state the computer gets (MAC authentication with profiling role, if you followed the guide; as the computer probably won't do 802.1X yet at that point); and in that role you could allow just enough access to AD/imaging/supporting servers to build/boot/initialized the PC and join to the domain. There is also on AOS-CX an option to configure a 'failed auth' role, which can be either the same profiling role with strict controlled access to AD or a role with access to that staging VLAN.

The computer does not trigger a service, the switch will. With both 802.1X and MAC Auth configured, connecting the computer can trigger both, or one of them, but the key is to design your policies and switch config such that your clients can be joined by the IT Staff. If joining is done in a specific staging room, you could consider configuring a few ports statically to the staging VLAN specifically for that room/purpose.

Like always with ClearPass, there are many ways to do things. It may be good to discuss with your Aruba Partner, local Aruba SE or Aruba Support which are the options with your setup/equipment, and what are the pros-cons of each option to get to the best in your situation.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jul 15, 2022 04:33 PM
From: Turki Alibrahim
Subject: Ser

Hi, 

We are testing CPPM to be used in our wired network. I've been through the videos "Aruba ClearPass Workshop (2021)"by Herman Robers, there I learned how to create a service to authenticate wired computers that are joined to our domain, and allow them access if they are user or computer authenticated. 

Now for new computers that needs to be configured by our IT support staff, the computer will not be joined to domain, how to give them access to a specific VLAN (isolated) that has access to our AD (to join)? how to create a proper service for this?

Also, if a computer's access is rejected by a service, will the computer try to access by a later service? or the first reject will stop processing of other services?

I've tried going though CPPM docs, but the docs show how to configure different parts, like how to create an Enforcement Policy, but does not explain each part and what it does exactly and how to configure for different situations. Please point me to any documentation that explains CPPM in this sense. 

Please excuse my primitive questions. 

Thanks.