ClearPass – Custom Guest MAC Auth Expiry

Another ClearPass post for you lovely, lovely readers.


Setting the scene

Imagine if you will that a customer has an “open” guest SSID and wanted to authenticate all guest accounts via a ClearPass captive portal using the same static guest user. They also didn’t want the guest to have to log back in for 12 hours following the initial captive portal authentication.

Gotcha gotcha

Sounds pretty simple right? Well, it is very simple but there’s a gotcha in there that you should be aware of. You’ll have to read my ramblings or skip to near the end to find out.

Config

To achieve what the customer wanted I did the following:

  • Created a guest user with no expiry
  • Created a guest user auth with MAC caching service with corresponding enforcement
  • Created a guest user MAC auth service with corresponding enforcement
  • Created a guest login page
  • Configured the SSID, AAA & roles on the controller

I used the wizard to create the services (I’ll probably get some stick for that). The ClearPass service wizard can create a service that authenticates guests through the captive portal and caches their MAC address.

When you do this it’ll create quite a few enforcement profiles that you probably don’t need, so remember to delete them or remove them from your enforcement policies.

The wizard creates an enforcement profile which sets the MAC auth expiry time to 1 day. That means after a guest logs into the captive portal, they can disconnect and reconnect to the guest SSID and gain network access without logging back into the captive portal for 24 hours.

ClearPass does this by keeping a record of the device that the guest user logged in from in the endpoint repository. Along with the endpoint device, ClearPass writes an attribute called “MAC-Auth Expiry” and populates it with a value 24 hours from the time the guest user authenticated. Note the format of the date and time in the image of the endpoint attributes below.

(image: endpoint attributes, including MAC-Auth Expiry)

OK, so all we need to do now is change the expiry to 12 hours.

Custom Time Config

ClearPass ships with a built-in, SQL-backed time source whose attributes you can reference in role mapping and enforcement conditions. By default the following time attributes are available.

  • current time
  • 2 hours time
  • 1 days time
  • 1 weeks time
  • 1 months time
  • 6 months time

I just used the “2 hours time” attribute as a template and created a “12 hours time” attribute as in the image below.

(image: custom “12 hours time” attribute in the time source)

Next I updated my enforcement profile which sets the MAC-Auth Expiry to reference this new time attribute.

(image: enforcement profile setting MAC-Auth Expiry from the “12 hours time” attribute)

Awesome! Whoa there cowboy. Don’t celebrate prematurely. After making this change, guests could still MAC auth days after their initial captive portal login. Clearly the MAC-Auth Expiry wasn’t being enforced.

Troubleshooting

There were no errors anywhere. The times on all network devices were synced from the same NTP servers and were definitely not out of sync.

I double checked my custom time attribute and noticed that there were duplicates of the same time values but with different names. I probably should have noticed that when I was adding my custom attribute.

(image: time source attributes, showing each value in both epoch and date/time form)

A little more digging around and I discovered that one set of attributes was in epoch format and the other in date/time format. Now we’re getting somewhere. The “12 hours time” custom attribute I had created was an integer epoch value.

My Guest MAC Auth service was checking whether the current time (Now DT, in date/time format) was less than the endpoint’s MAC-Auth Expiry, which I’d written in epoch format. Comparing a date/time string against an epoch integer isn’t a time comparison at all, and in this case the current time always came out “less”, so the condition was always true and cached devices never expired. Note that this failed open: a type mismatch in an expiry check silently granted access rather than denying it.

I checked the time source and noticed 2 current time attributes:

  • Now
  • Now DT

Now is in EPOCH format and Now DT in date/time format.

I changed my Guest MAC Auth service role mapping policy from referencing Now DT to Now.

(image: role mapping condition referencing Now rather than Now DT)

Now we’ve got both the time source and the MAC-Auth Expiry in epoch format, and testing showed that the solution worked. Worth checking explicitly: after a captive portal login, confirm the endpoint’s MAC-Auth Expiry attribute is an epoch value 12 hours out, and let a test device sit past that mark to confirm its next MAC auth request is rejected rather than just trusting that the condition looks right.
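To make the failure mode concrete, here is a small Python model of the check described above. It is an added example, not ClearPass code and not the original post’s configuration: the time source attributes, the date/time layout, and the login instant are all constructed, and the “broken” comparer is modelled as one that coerces text to a number by taking its leading digits, which reproduces the “always less” outcome the post saw but is an assumption about lenient comparison, not a description of ClearPass internals. The hardened check normalises both operands to epoch seconds and fails closed on anything it cannot parse.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed layout for the date/time form of the attributes; the post's screenshot
# of the real format is not available, so this is a stand-in.
DT_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed instant at which the guest logs in to the captive portal.
LOGIN = datetime(2015, 9, 21, 9, 0, 0, tzinfo=timezone.utc)


def time_source(now: datetime) -> dict:
    """Model of a time source like the post's: 'Now' is epoch seconds, 'Now DT'
    is the same instant as text, and the '... time' attributes are future
    instants in epoch form (the custom '12 hours time' included)."""
    def epoch(dt):
        return int(dt.timestamp())
    return {
        "Now": epoch(now),
        "Now DT": now.strftime(DT_FMT),
        "2 hours time": epoch(now + timedelta(hours=2)),
        "12 hours time": epoch(now + timedelta(hours=12)),
        "1 days time": epoch(now + timedelta(days=1)),
    }


def attrs_after(hours: float) -> dict:
    """Time-source attributes as they would read `hours` after LOGIN."""
    return time_source(LOGIN + timedelta(hours=hours))


def lenient_less_than(current, expiry) -> bool:
    """The broken check, modelled as a comparer that turns text into a number by
    keeping its leading digits. '2015-09-23 09:00:00' becomes 2015, which is
    less than any epoch value, so the condition is always true and the cached
    MAC never expires. Assumed behaviour for illustration only."""
    def coerce(v):
        return int(re.match(r"\d+", str(v)).group())
    return coerce(current) < coerce(expiry)


def to_epoch(value) -> int:
    """Normalise either representation to epoch seconds (UTC); anything else raises."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    return int(datetime.strptime(text, DT_FMT).replace(tzinfo=timezone.utc).timestamp())


def mac_auth_still_valid(current, expiry) -> bool:
    """Hardened check: both operands normalised before comparing, and any value
    that cannot be normalised fails closed (treated as expired)."""
    try:
        return to_epoch(current) < to_epoch(expiry)
    except (TypeError, ValueError, OverflowError):
        return False


def demo() -> dict:
    """The post's scenario: expiry stamped 12 hours after login, device reconnects
    two days later. The broken check lets it in; the fixed one does not."""
    expiry = attrs_after(0)["12 hours time"]   # value written to the endpoint
    later = attrs_after(48)                     # two days on
    return {
        "broken_allows": lenient_less_than(later["Now DT"], expiry),
        "fixed_allows": mac_auth_still_valid(later["Now"], expiry),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the fail-closed branch: an expiry comparison that cannot establish both operands are the same kind of value should deny, because the alternative is exactly the silent “never expires” behaviour the post ran into.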

Improvements

Happy to hear if there are other ways to implement this.

FYI I know that using a static guest account isn’t ideal but this was a customer requirement.

ClearPass – Sending TACACS+ Audit log to Syslog Server

ClearPass – TACACS+ Audit logs

So you’ve got ClearPass and have wisely decided to utilise it to secure and monitor your switching infrastructure. You’ve set up TACACS+ on the switches and configured a service on ClearPass (possibly following the awesome guide on the Aruba Solution Exchange). If you’re having problems setting it up, head over to the Airheads community and you’ll get some great help over there.

Just a second, if you’re not aware of the Aruba Solution Exchange (ASE) you should really check it out. In fact go there now. Come back when you’ve had a good browse of what’s on offer. Ok, back now?

Right, back on track. TACACS+ authentication and accounting are now set up and working. You should see the authentication requests in the Access Tracker, and when clicking on the Authorizations tab you’ll see the commands as in the image below:

(image: Authorizations tab in Access Tracker)

Now, if you select the accounting record associated with these requests and go to the Details tab, you’ll see the commands again with a few more details, including the privilege level. See below:

(image: Details tab of the accounting record)

If you have your own syslog server and you want (or need) to export these audit trail details, head down to “Syslog Export Filters” under Administration / External Servers. You can manually set up filters using the pre-defined options and dropdown lists, or write custom SQL queries to decide what gets sent to your syslog server.

I couldn’t find exactly what I needed from the pre-defined options.

I wanted to export the following:

  • Device changes are being made on
  • User making the changes
  • Commands being run
  • Where the user logged in from
  • Timestamp

I could see the details I wanted to export, but they were spread across two tables: the device, user and source address live in the accounting records table, while the individual commands and their timestamps live in the accounting details table, keyed by session. It turns out to be fairly trivial to write a query that joins the two.

Here’s the resulting SQL query. The --START-TIME-- and --END-TIME-- tokens are placeholders for the export window that ClearPass fills in when the filter runs; if you paste the query into a plain SQL client, a double dash starts a comment, so substitute real timestamps there instead.

SELECT tips_tacacs_accounting_records.nas_ip,
       tips_tacacs_accounting_records.user_name,
       tips_tacacs_accounting_records.remote_address,
       tips_tacacs_accounting_details.attr_value,
       tips_tacacs_accounting_details.timestamp
FROM tips_tacacs_accounting_details
JOIN tips_tacacs_accounting_records
  ON tips_tacacs_accounting_details.session_id = tips_tacacs_accounting_records.id
WHERE tips_tacacs_accounting_details.timestamp >= --START-TIME--
  AND tips_tacacs_accounting_details.timestamp <= --END-TIME--
  AND tips_tacacs_accounting_details.attr_name = 'cmd';

You can download a copy of the ClearPass Export Filter from here. You could import it into your ClearPass server(s) and modify the syslog target if you wished. The SQL query is also available here.
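As an added example (not the post’s export filter and not ClearPass’s real schema), here is the same join run in Python against an in-memory SQLite copy of the two tables, so you can see what the filter would emit before pointing it at a syslog server. Only the columns the query names are modelled, and those table definitions are an assumption; the constructed rows cover two admins on the same switch from different hosts, a non-command attribute that the attr_name = 'cmd' filter must drop, and a command outside the export window. The --START-TIME-- / --END-TIME-- tokens are replaced by bound parameters here, since a plain SQL client would read them as comments.

```python
import sqlite3

# Assumed minimal schema: just the columns the post's query touches. The real
# ClearPass tables are wider; this is a stand-in for offline testing.
SCHEMA = """
CREATE TABLE tips_tacacs_accounting_records (
    id             INTEGER PRIMARY KEY,
    nas_ip         TEXT NOT NULL,
    user_name      TEXT NOT NULL,
    remote_address TEXT NOT NULL
);
CREATE TABLE tips_tacacs_accounting_details (
    session_id INTEGER NOT NULL REFERENCES tips_tacacs_accounting_records(id),
    attr_name  TEXT NOT NULL,
    attr_value TEXT NOT NULL,
    timestamp  TEXT NOT NULL   -- 'YYYY-MM-DD HH:MM:SS' sorts correctly as text
);
"""

# Constructed accounting data (not captured from a real system).
RECORDS = [
    (1, "10.0.0.1", "alice", "192.0.2.10"),
    (2, "10.0.0.1", "bob", "192.0.2.20"),
]
DETAILS = [
    (1, "cmd", "configure terminal", "2015-09-21 09:01:00"),
    (1, "priv-lvl", "15", "2015-09-21 09:01:00"),       # not a command row
    (1, "cmd", "interface vlan 10", "2015-09-21 09:02:00"),
    (2, "cmd", "show running-config", "2015-09-21 09:03:00"),
    (2, "cmd", "reload", "2015-09-21 11:00:00"),        # outside the 09:00-10:00 window
]

# The post's query with the ClearPass time tokens replaced by bound parameters.
# ORDER BY is added only so the output is deterministic.
AUDIT_QUERY = """
SELECT r.nas_ip, r.user_name, r.remote_address, d.attr_value, d.timestamp
FROM tips_tacacs_accounting_details AS d
JOIN tips_tacacs_accounting_records AS r ON d.session_id = r.id
WHERE d.timestamp >= ? AND d.timestamp <= ?
  AND d.attr_name = 'cmd'
ORDER BY d.timestamp, r.user_name
"""


def build_demo_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tips_tacacs_accounting_records VALUES (?,?,?,?)", RECORDS)
    conn.executemany("INSERT INTO tips_tacacs_accounting_details VALUES (?,?,?,?)", DETAILS)
    conn.commit()
    return conn


def export_commands(conn: sqlite3.Connection, start: str, end: str) -> list:
    """Rows the filter would hand to syslog for the window [start, end]."""
    return conn.execute(AUDIT_QUERY, (start, end)).fetchall()


def to_syslog_line(row) -> str:
    """Flatten one row into a key=value line; quotes keep commands with spaces intact."""
    nas_ip, user, remote, cmd, ts = row
    return f'ts="{ts}" nas_ip={nas_ip} user={user} from={remote} cmd="{cmd}"'


def demo() -> list:
    """Commands issued between 09:00 and 10:00 on the constructed data."""
    conn = build_demo_db()
    rows = export_commands(conn, "2015-09-21 09:00:00", "2015-09-21 10:00:00")
    return [to_syslog_line(r) for r in rows]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the filter keeps only attr_name = 'cmd' rows, the privilege level seen on the Details tab is not in this export; pulling it in would need a second join on the same session_id for the priv-lvl row, which neither the post’s query nor this example does.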

Disclaimer

I’m by no means a DBA and only provide the information in this blog as a reference. I accept no responsibility if you decide to copy anything off this blog and use it in any way. Also, I wouldn’t be surprised if there were a more elegant way to achieve this, so please post in the comments if you know one.

Using RADIUS to secure your switches

Maybe you’re thinking of securing your switches with RADIUS? Whilst you can certainly authenticate admin users using RADIUS, you cannot “log the commands used. It will only log the start, stop, and interim records of that session. This means that if there are two or more administrators logged at any one time, there is no way of telling which administrator entered which commands.” TACACS+ was designed for per-command authorization and accounting; RADIUS was not. More TACACS+ reading is linked below.

Links/References

Aruba Airheads Community
Aruba Solution Exchange
ASE Splunk Syslog Export
ASE CPPM / Cisco TACACS+ Setup
The Advantages of TACACS+ for Administrator Authentication