Security
  • 1.  EAP-TLS and dynamic vlan

    Posted Nov 14, 2019 05:51 AM

    Hello,

    I’m helping a customer to switch from EAP-PEAP to EAP-TLS using certificates. We have agreed on using machine certificates for the purpose of authenticating to the network. Next, they want to be able to steer clients together with username/pw credentials to end up on certain VLAN/Segments, based on their group membership.

    The customer has several different types of OS (Win, Mac, Linux and Chrome OS); I believe that is interesting info.

    So here's the way I want to do it:

    • Machine authentication using machine certificate
    • When user logs on, either through MS AD or similar, Clearpass will know about this and can push out the right VLAN based on group membership.

    Is this possible? Can Clearpass, like Cisco ISE and their passive identity feature, get info about which user is logged in and make policy rules act on that? There could be situations where one client has different users.

    If not, why?

    If yes, could someone please explain how to do it? Will there be any known caveats to this kind of solution, or is it well known and widely used today?

    Thank you.



  • 2.  RE: EAP-TLS and dynamic vlan

    Posted Nov 14, 2019 07:47 AM

    It is absolutely possible. When you authenticate a user (EAP-PEAP or EAP-TLS), you can check the access tracker to discover all AD attributes of that client, including group membership. You can use those attributes in your enforcement policies to apply different profiles to each user.

    Please be aware that when you start in VLAN A on machine auth, and after user auth the VLAN is swapped to VLAN B, this can cause problems because the client will request a new IP address. This can cause disruptions during log on.

    A better way is to work with roles: assign a role with certain ACLs on machine auth, and assign a new role on user auth. This role is placed in the same VLAN, but with other ACLs. This way the machine stays in the same L2 network, and you only change the role/policies for that user.

    If you do not want to work with roles on the switch you could use downloadable ACLs for normal RADIUS authentication, but I advise to work around the VLAN swapping during login.

    For details about configuring this, check out this guide:

    https://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161
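The two enforcement styles contrasted in the reply above, as an added example that is not part of the thread: a small Python encoder/decoder for the RADIUS attributes a policy server returns (RFC 2868 tunnel attributes for VLAN steering, the Aruba-User-Role vendor attribute for role steering), with constructed Access-Accept replies showing that the role-based pair keeps Tunnel-Private-Group-ID constant between machine auth and user auth. VLAN IDs and role names are made-up sample values.

```python
import struct
# RADIUS attribute types (RFC 2865, RFC 2868) and the Aruba VSA used for user roles
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
ARUBA_VENDOR_ID, ARUBA_USER_ROLE = 14823, 1
VLAN, IEEE_802 = 13, 6            # Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 (RFC 3580)

def tagged_int(attr_type, value, tag=1):
    """Tagged integer attribute: 1 tag byte + 3-byte big-endian integer."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")

def tagged_str(attr_type, value, tag=1):
    return bytes([attr_type, 3 + len(value), tag]) + value.encode()

def aruba_vsa(vendor_type, value):
    """Vendor-Specific (26): vendor-id, vendor-type, vendor-length, vendor-value."""
    body = struct.pack(">IBB", ARUBA_VENDOR_ID, vendor_type, 2 + len(value)) + value.encode()
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

def vlan_attrs(vlan_id):
    """The three attributes a NAS needs to place a port in a VLAN."""
    return (tagged_int(TUNNEL_TYPE, VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, vlan_id))

def decode(payload):
    """Walk the attribute TLVs and pull out the VLAN and Aruba-User-Role fields."""
    out, i = {}, 0
    while i < len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        v = payload[i + 2:i + length]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[t] = int.from_bytes(v[1:], "big")             # skip the tag byte
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            out[t] = (v[1:] if v[0] <= 0x1F else v).decode()  # leading byte is a tag only if 0x00-0x1F
        elif t == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack(">IBB", v[:6])
            if vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE:
                out["role"] = v[6:4 + vlen].decode()
        i += length
    return out
# Constructed Access-Accept attribute lists (sample values, not from any real deployment).
VLAN_STEERING = {"machine": vlan_attrs("10"), "user": vlan_attrs("20")}
ROLE_STEERING = {"machine": vlan_attrs("10") + aruba_vsa(ARUBA_USER_ROLE, "machine-only"),
                 "user": vlan_attrs("10") + aruba_vsa(ARUBA_USER_ROLE, "finance-user")}

def vlan_changes(machine_reply, user_reply):
    """True when the user-auth reply moves the client to another VLAN (forces a re-IP at logon)."""
    return decode(machine_reply).get(TUNNEL_PRIVATE_GROUP_ID) != decode(user_reply).get(TUNNEL_PRIVATE_GROUP_ID)
```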



  • 3.  RE: EAP-TLS and dynamic vlan

    Posted Nov 14, 2019 08:27 AM

    This is not possible due to the lack of support for mixed EAP methods in client operating systems.



  • 4.  RE: EAP-TLS and dynamic vlan

    Posted Nov 15, 2019 04:45 AM

    My thought is only to use one method, and that is machine auth only. Then, on top of that, a regular domain login. My question is, on that domain login, whether Clearpass has a method of seeing that login and applying policies to it. Is Clearpass somehow tracking logins?



  • 5.  RE: EAP-TLS and dynamic vlan

    Posted Nov 15, 2019 05:57 PM

    No, you'd have to run something like OnGuard in auth only mode but changing VLANs on the fly is not really feasible.