Example: Enforcing SRX Series Security Policies Using Aruba ClearPass as the Authentication Source

This example covers how to configure security policies that protect your resources and control access to the Internet using the SRX Series integrated ClearPass authentication and enforcement feature, which relies on the Aruba ClearPass Policy Manager (CPPM) as its authentication source. The feature lets you write security policies that identify users by username, by group name, or by the name of a role that ties a group of users to a device type.

Today’s network environments are more exposed to attack because they support anywhere, anytime, any-device access to a greater or lesser degree, and they allow a user to keep several devices connected to the network at once. Because it lets you identify the user by username rather than by device address, the integrated ClearPass authentication and enforcement feature narrows the security gap that these capabilities introduce.

For details on how user authentication and identity information is conveyed from the CPPM to the SRX Series device, see the following topics:

The example covers the following processes:

  • How to control access at the user level based on username or group name, not device IP address.

    You can use the source-identity parameter in a security policy to specify the name of a user or the name of a group of users whose authentication is provided by the CPPM. The policy is applied to traffic generated by the users when they attempt to access a protected resource or the Internet regardless of the device used. The access control is tied to the user’s name, and not directly to the IP address of the user’s device.

    Note: You can configure several security policies for a single user that take different actions, distinguished by the zones and destination addresses they specify or by the group the user belongs to.

  • How to display and interpret the contents of the ClearPass authentication table.

    The SRX Series device creates the ClearPass authentication table to hold the user authentication and identity information it receives from the CPPM. When a user requests access to a resource, the device looks the user up in this table to confirm that the user is authenticated and to learn which groups the user belongs to.

    The ClearPass authentication table contents are dynamic. Entries change in response to user activity and also in response to changes in the security policies that reference groups.

    For example, the table is modified when a user logs in to or out of the network, when a user is removed from a group, and when a security policy that references a group the user belongs to is deleted. In the last case, the user’s entry no longer shows that group.

    In this example, the ClearPass authentication table contents are displayed to show the changes caused by two events:

    • Before and after a specific user logs out of the network
    • Before and after a referenced security policy is deleted

      The entry for the user who belonged to the group referenced by the security policy is displayed before and after the policy is deleted.

Requirements

This section defines the software and hardware requirements for the topology for this example. See Figure 5 for the topology design.

The hardware and software components are:

  • Aruba ClearPass. The ClearPass Policy Manager (CPPM) is configured to use its local authentication source to authenticate users.

    Note: It is assumed that the CPPM is configured to provide the SRX Series device with user authentication and identity information, including the username, a list of the names of any groups that the user belongs to, the IP addresses of the devices used, and the device posture token.

  • SRX Series device running Junos OS that includes the integrated ClearPass feature.

    See SRX Series Supported Platforms for the Integrated ClearPass Authentication and Enforcement Feature.

  • A server farm composed of six servers, all in the servers-zone:
    • marketing-server-protected (1.2.3.4)
    • human-resources-server (1.3.4.5)
    • accounting-server (1.4.5.6)
    • public-server (1.8.9.1)
    • corporate-server (1.6.7.8)
    • sales-server (1.7.8.9)
  • Aruba 7010 Cloud Services Controller (AC7010) running ArubaOS.
  • Aruba AP wireless access point running ArubaOS.

    The Aruba AP is connected to the AC7010.

    Wireless users authenticate to the CPPM through the Aruba AP.

  • Juniper Networks EX4300 switch used as the wired 802.1X access device.

    Wired users authenticate to the CPPM through the EX4300 switch.

  • Six end-user systems:
    • Three wired network-connected PCs running Microsoft Windows
    • Two BYOD devices that access the network through the Aruba AP
    • One wireless laptop running Microsoft Windows

Overview

In its capacity as the authentication source for the integrated ClearPass feature, the CPPM posts user authentication and identity information to the SRX Series device. When it receives this information, the SRX Series UserID daemon processes it, creates entries for the authenticated users in the Routing Engine authentication table, and then synchronizes those entries to the ClearPass authentication table on the Packet Forwarding Engine.

The SRX Series device requires the user authentication and identity information to verify that a user is authenticated when the user makes an access request and the traffic generated from the user’s device arrives at the SRX Series device. If a security policy exists that specifies in the source-identity parameter the username or the name of a group that the user belongs to, the SRX Series device searches the contents of its ClearPass authentication table for an entry for that user.

If it does not find an entry for the user in its ClearPass authentication table, the SRX Series device can search its other authentication tables, if you have configured a search order that includes them. See Example: Configuring the SRX Series Integrated ClearPass Feature to Allow the Device to Receive User Authentication Data from ClearPass for information about the authentication table search order.

The integrated ClearPass feature allows you to create identity-aware security policies configured to match traffic issued by users based on their username or the name of a group that they belong to.

Note: You configure role mappings on the CPPM, not on the SRX Series device.

For example, a device-type role mapping might tie user identities to company-owned computers. You can name that role as a group in a security policy, and the policy then applies to every user the CPPM maps to the role. The conditions behind the role (here, use of a company-owned computer) are evaluated by the CPPM alone. The SRX Series device does not evaluate them; it accepts the role membership that the CPPM posts, so an error in a CPPM role-mapping rule becomes an error in the firewall’s enforcement.

The configurations in this example include security policies whose applicability depends on the type of device used, as determined by the CPPM through its role mappings. It is assumed that the CPPM posted the following roles to the SRX Series device; they are used as groups in the security policies:

  • marketing-access-for-pcs-limited-group

    Maps jxchan to the device type PC.

    The policy that specifies marketing-access-for-pcs-limited-group in its source-identity field allows jxchan, and any other user mapped to this role, access to the servers in the servers-zone (its destination-address is any) from a PC, whether the PC is company owned or not.

  • accounting-grp-and-company-device

    Maps users who belong to the accounting group and who are using company-owned devices. The mapping is made on the CPPM by role-mapping rules, and the CPPM sends the role name accounting-grp-and-company-device to the SRX Series device.

    The policy that specifies accounting-grp-and-company-device in its source-identity field allows users mapped to the role access to protected resources on the accounting-server. The group accounting-grp is mapped to the role, so the role applies to the members of accounting-grp.

    The user viki2 belongs to accounting-grp. If all conditions hold, that is, if viki2 is using a company-owned device and the policy permits access, she is allowed access to the resources on accounting-server. Recall, though, that the SRX Series device does not evaluate the conditions itself; it applies the policy to every user the CPPM maps to the role.

  • guest-device-byod

    Maps the guest group to the device type byod, that is, any user-owned device brought onto the network.

    The policy that specifies guest-device-byod in its source-identity field denies users mapped to this role access to all servers in the servers-zone when they use smartphones or other user-owned devices. The username guest2 is mapped to this role by the CPPM.

In all cases, whether a user is allowed or denied access by a security policy, the example assumes that:

  • The CPPM posted the correct authentication information for the users and groups to the SRX Series device.
  • The SRX Series device processed that information correctly and created entries for the users and groups in its ClearPass authentication table.

Table 7 summarizes the users, their groups, and the zones to which they belong. All users belong to the default GLOBAL domain.

Table 7: Authenticated User Information for Security Policy Example

User            Groups                                    Zone
--------------  ----------------------------------------  --------------------
Abe (abew1)     marketing-access-limited-grp              marketing-zone
John (jxchan)   posture-healthy                           marketing-zone
                marketing-access-for-pcs-limited-group
                marketing-general
                sales-limited-group
                corporate-limited
Lin (lchen1)    posture-healthy                           human-resources-zone
                human-resources-grp
                accounting-limited
                corporate-limited
Viki (viki2)    posture-healthy                           accounting-zone
                accounting-grp
                accounting-grp-and-company-device
                corporate-limited
guest1          posture-healthy                           public-zone
                guest
guest2          posture-healthy                           public-zone
                guest-device-byod

Topology

Figure 6 shows the topology for this example.

Figure 6: Topology for the Integrated ClearPass Authentication Enforcement Through Security Policies Example


Configuration

This section covers how to configure the SRX Series device to include security policies that match traffic issued by users authenticated by the CPPM.

CLI Quick Configuration

To quickly configure this example, copy the following statements, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the statements into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3.0 vlan-id 300 family inet address 1.0.0.1/24
set interfaces ge-0/0/3.1 vlan-id 310 family inet address 6.0.0.1/24
set interfaces ge-0/0/3.2 vlan-id 320 family inet address 7.0.0.1/24
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4.0 vlan-id 400 family inet address 5.0.0.3/24
set interfaces ge-0/0/4.1 vlan-id 410 family inet address 8.0.0.1/24
set security zones security-zone marketing-zone interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone marketing-zone interfaces ge-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone accounting-zone interfaces ge-0/0/3.1 host-inbound-traffic system-services all
set security zones security-zone accounting-zone interfaces ge-0/0/3.1 host-inbound-traffic protocols all
set security zones security-zone human-resources-zone interfaces ge-0/0/3.2 host-inbound-traffic system-services all
set security zones security-zone human-resources-zone interfaces ge-0/0/3.2 host-inbound-traffic protocols all
set security zones security-zone public-zone interfaces ge-0/0/4.0 host-inbound-traffic system-services all
set security zones security-zone public-zone interfaces ge-0/0/4.0 host-inbound-traffic protocols all
set security zones security-zone servers-zone interfaces ge-0/0/4.1 host-inbound-traffic system-services all
set security zones security-zone servers-zone interfaces ge-0/0/4.1 host-inbound-traffic protocols all
set security address-book servers-zone-addresses address marketing-server-protected 1.2.3.4
set security address-book servers-zone-addresses address human-resources-server 1.3.4.5
set security address-book servers-zone-addresses address accounting-server 1.4.5.6
set security address-book servers-zone-addresses address corporate-server 1.6.7.8
set security address-book servers-zone-addresses address public-server 1.8.9.1
set security address-book servers-zone-addresses attach zone servers-zone
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p1 match source-address any destination-address any
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p1 match application any
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p1 match source-identity "global\marketing-access-for-pcs-limited-group"
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p1 then permit
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p2 match source-address any destination-address marketing-server-protected
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p2 match application any
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p2 match source-identity "global\abew1"
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p2 then permit
set security policies from-zone accounting-zone to-zone servers-zone policy acct-cp-device match source-address any destination-address accounting-server
set security policies from-zone accounting-zone to-zone servers-zone policy acct-cp-device match application any
set security policies from-zone accounting-zone to-zone servers-zone policy acct-cp-device match source-identity "global\accounting-grp-and-company-device"
set security policies from-zone accounting-zone to-zone servers-zone policy acct-cp-device then permit
set security policies from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 match source-address any destination-address corporate-server
set security policies from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 match application any
set security policies from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 match source-identity "global\corporate-limited"
set security policies from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 then permit
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p0 match source-address any destination-address corporate-server
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p0 match application any
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p0 match source-identity "global\marketing-access-limited-grp"
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p0 then permit
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p3 match source-address any destination-address human-resources-server
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p3 match application any
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p3 match source-identity "global\sales-limited-group"
set security policies from-zone marketing-zone to-zone servers-zone policy marketing-p3 then permit
set security policies from-zone public-zone to-zone servers-zone policy guest-allow-access match source-address any destination-address public-server
set security policies from-zone public-zone to-zone servers-zone policy guest-allow-access match application any
set security policies from-zone public-zone to-zone servers-zone policy guest-allow-access match source-identity "global\guest"
set security policies from-zone public-zone to-zone servers-zone policy guest-allow-access then permit
set security policies from-zone public-zone to-zone servers-zone policy guest-deny-access match source-address any destination-address any
set security policies from-zone public-zone to-zone servers-zone policy guest-deny-access match application any
set security policies from-zone public-zone to-zone servers-zone policy guest-deny-access match source-identity "global\guest-device-byod"
set security policies from-zone public-zone to-zone servers-zone policy guest-deny-access then deny

Configuring Interfaces, Zones, and an Address Book

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instruction on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

Configure the following interfaces and assign them to zones:

  • ge-0/0/3.0 > marketing-zone
  • ge-0/0/3.1 > accounting-zone
  • ge-0/0/3.2 > human-resources-zone
  • ge-0/0/4.0 > public-zone
  • ge-0/0/4.1 > servers-zone

Because this example uses logical interfaces, you must configure VLAN tagging.

  1. Configure interfaces for the SRX Series device:
     [edit interfaces]
     user@host# set ge-0/0/3 vlan-tagging
     user@host# set ge-0/0/3.0 vlan-id 300 family inet address 1.0.0.1/24
     user@host# set ge-0/0/3.1 vlan-id 310 family inet address 6.0.0.1/24
     user@host# set ge-0/0/3.2 vlan-id 320 family inet address 7.0.0.1/24
     user@host# set ge-0/0/4 vlan-tagging
     user@host# set ge-0/0/4.0 vlan-id 400 family inet address 5.0.0.3/24
     user@host# set ge-0/0/4.1 vlan-id 410 family inet address 8.0.0.1/24
  2. Configure zones. Note that system-services all and protocols all open every management service and routing protocol on these interfaces to the zone; that is convenient in a lab, but in production you would list only the services each zone needs, especially on public-zone.
     [edit security zones]
     user@host# set security-zone marketing-zone interfaces ge-0/0/3.0 host-inbound-traffic system-services all
     user@host# set security-zone marketing-zone interfaces ge-0/0/3.0 host-inbound-traffic protocols all
     user@host# set security-zone accounting-zone interfaces ge-0/0/3.1 host-inbound-traffic system-services all
     user@host# set security-zone accounting-zone interfaces ge-0/0/3.1 host-inbound-traffic protocols all
     user@host# set security-zone human-resources-zone interfaces ge-0/0/3.2 host-inbound-traffic system-services all
     user@host# set security-zone human-resources-zone interfaces ge-0/0/3.2 host-inbound-traffic protocols all
     user@host# set security-zone public-zone interfaces ge-0/0/4.0 host-inbound-traffic system-services all
     user@host# set security-zone public-zone interfaces ge-0/0/4.0 host-inbound-traffic protocols all
     user@host# set security-zone servers-zone interfaces ge-0/0/4.1 host-inbound-traffic system-services all
     user@host# set security-zone servers-zone interfaces ge-0/0/4.1 host-inbound-traffic protocols all
  3. Configure an address book containing the IP addresses of the servers to use as destination addresses in security policies.
     [edit security address-book servers-zone-addresses]
     user@host# set address marketing-server-protected 1.2.3.4
     user@host# set address human-resources-server 1.3.4.5
     user@host# set address accounting-server 1.4.5.6
     user@host# set address corporate-server 1.6.7.8
     user@host# set address public-server 1.8.9.1
  4. Attach the servers-zone-addresses address book to servers-zone.
     [edit security address-book]
     user@host# set servers-zone-addresses attach zone servers-zone

Results

From configuration mode, confirm your configuration for interfaces by entering the show interfaces command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

ge-0/0/3 {
    vlan-tagging;
    unit 0 {
        vlan-id 300;
        family inet {
            address 1.0.0.1/24;
        }
    }
    unit 1 {
        vlan-id 310;
        family inet {
            address 6.0.0.1/24;
        }
    }
    unit 2 {
        vlan-id 320;
        family inet {
            address 7.0.0.1/24;
        }
    }
}
ge-0/0/4 {
    vlan-tagging;
    unit 0 {
        vlan-id 400;
        family inet {
            address 5.0.0.3/24;
        }
    }
    unit 1 {
        vlan-id 410;
        family inet {
            address 8.0.0.1/24;
        }
    }
}

From configuration mode, confirm your configuration for zones by entering the show security zones command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

security-zone human-resources-zone {
    interfaces {
        ge-0/0/3.2 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
security-zone accounting-zone {
    interfaces {
        ge-0/0/3.1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
security-zone marketing-zone {
    interfaces {
        ge-0/0/3.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
security-zone servers-zone {
    interfaces {
        ge-0/0/4.1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
security-zone public-zone {
    interfaces {
        ge-0/0/4.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}

From configuration mode, confirm your configuration for the address book by entering the show security address-book command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

servers-zone-addresses {
    address marketing-server-protected 1.2.3.4/32;
    address human-resources-server 1.3.4.5/32;
    address accounting-server 1.4.5.6/32;
    address corporate-server 1.6.7.8/32;
    address public-server 1.8.9.1/32;
    attach {
        zone servers-zone;
    }
}

Configuring Identity-Aware Security Policies to Control User Access to Company Resources

Step-by-Step Procedure

This task entails configuring security policies that apply to a user’s access to resources based on username or group name, and not the IP address of the device used.

Note that all users belong to the default GLOBAL domain.

  1. Configure a security policy that specifies marketing-access-for-pcs-limited-group as the source-identity. It allows the user jxchan, who belongs to this group, access to any of the servers in the servers-zone when he is using a PC, whether it is a personal device or a company-owned device. The username jxchan is mapped by the CPPM to the role marketing-access-for-pcs-limited-group.

     Because marketing-p1 specifies destination-address any and is evaluated first in the marketing-zone to servers-zone context, it is the policy that matches a group member’s traffic to every server in the zone; the more specific marketing policies that follow it are reached only by traffic that does not match it.

     [edit security policies]
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p1 match source-address any destination-address any
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p1 match application any
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p1 match source-identity "global\marketing-access-for-pcs-limited-group"
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p1 then permit
  2. Configure a security policy that allows the user abew1 access to the marketing-server-protected server (IP address 1.2.3.4) in the servers-zone regardless of the device that he uses.
     [edit security policies]
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p2 match source-address any destination-address marketing-server-protected
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p2 match application any
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p2 match source-identity "global\abew1"
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p2 then permit
  3. Configure a security policy that allows the user viki2 access to the accounting-server (IP address 1.4.5.6) in the servers-zone when she is using a company-owned device. The user viki2 belongs to accounting-grp, which the CPPM maps to the company-owned-device role accounting-grp-and-company-device.
     [edit security policies]
     user@host# set from-zone accounting-zone to-zone servers-zone policy acct-cp-device match source-address any destination-address accounting-server
     user@host# set from-zone accounting-zone to-zone servers-zone policy acct-cp-device match application any
     user@host# set from-zone accounting-zone to-zone servers-zone policy acct-cp-device match source-identity "global\accounting-grp-and-company-device"
     user@host# set from-zone accounting-zone to-zone servers-zone policy acct-cp-device then permit
  4. Configure a security policy that allows users who belong to the corporate-limited group access to the corporate-server (IP address 1.6.7.8) in the servers-zone when they initiate the request from the human-resources-zone.

     The from-zone scopes the policy. Per Table 7, jxchan and viki2 also belong to corporate-limited, but because their traffic enters through marketing-zone and accounting-zone, this policy never matches it: a policy is selected by its zone pair and addresses before the source-identity is consulted.

     [edit security policies]
     user@host# set from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 match source-address any destination-address corporate-server
     user@host# set from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 match application any
     user@host# set from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 match source-identity "global\corporate-limited"
     user@host# set from-zone human-resources-zone to-zone servers-zone policy human-resources-p1 then permit
  5. Configure a security policy that allows the user abew1 access to the corporate-server (IP address 1.6.7.8) in the servers-zone. The user abew1 belongs to marketing-access-limited-grp, to which the security policy applies.
     [edit security policies]
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p0 match source-address any destination-address corporate-server
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p0 match application any
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p0 match source-identity "global\marketing-access-limited-grp"
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p0 then permit
  6. Configure a security policy that allows users who belong to sales-limited-group access to the human-resources-server (IP address 1.3.4.5) when they initiate the request from the marketing-zone. The user jxchan belongs to sales-limited-group.
     [edit security policies]
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p3 match source-address any destination-address human-resources-server
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p3 match application any
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p3 match source-identity "global\sales-limited-group"
     user@host# set from-zone marketing-zone to-zone servers-zone policy marketing-p3 then permit
  7. Configure a security policy that allows users who belong to the guest group access to the public-server (IP address 1.8.9.1) in the servers-zone.
     [edit security policies]
     user@host# set from-zone public-zone to-zone servers-zone policy guest-allow-access match source-address any destination-address public-server
     user@host# set from-zone public-zone to-zone servers-zone policy guest-allow-access match application any
     user@host# set from-zone public-zone to-zone servers-zone policy guest-allow-access match source-identity "global\guest"
     user@host# set from-zone public-zone to-zone servers-zone policy guest-allow-access then permit
  8. Configure a security policy that denies users who belong to the guest-device-byod group access to any server in the servers-zone when they use their own devices.
     [edit security policies]
     user@host# set from-zone public-zone to-zone servers-zone policy guest-deny-access match source-address any destination-address any
     user@host# set from-zone public-zone to-zone servers-zone policy guest-deny-access match application any
     user@host# set from-zone public-zone to-zone servers-zone policy guest-deny-access match source-identity "global\guest-device-byod"
     user@host# set from-zone public-zone to-zone servers-zone policy guest-deny-access then deny

Results

From configuration mode, confirm your security policies configuration for integrated ClearPass by entering the show security policies command.

If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

from-zone marketing-zone to-zone servers-zone {
    policy marketing-p1 {
        match {
            source-address any;
            destination-address any;
            application any;
            source-identity "global\marketing-access-for-pcs-limited-group";
        }
        then {
            permit;
        }
    }
    policy marketing-p2 {
        match {
            source-address any;
            destination-address marketing-server-protected;
            application any;
            source-identity "global\abew1";
        }
        then {
            permit;
        }
    }
    policy marketing-p0 {
        match {
            source-address any;
            destination-address corporate-server;
            application any;
            source-identity "global\marketing-access-limited-grp";
        }
        then {
            permit;
        }
    }
    policy marketing-p3 {
        match {
            source-address any;
            destination-address human-resources-server;
            application any;
            source-identity "global\sales-limited-group";
        }
        then {
            permit;
        }
    }
}
from-zone accounting-zone to-zone servers-zone {
    policy acct-cp-device {
        match {
            source-address any;
            destination-address accounting-server;
            application any;
            source-identity "global\accounting-grp-and-company-device";
        }
        then {
            permit;
        }
    }
}
from-zone human-resources-zone to-zone servers-zone {
    policy human-resources-p1 {
        match {
            source-address any;
            destination-address corporate-server;
            application any;
            source-identity "global\corporate-limited";
        }
        then {
            permit;
        }
    }
}
from-zone public-zone to-zone servers-zone {
    policy guest-allow-access {
        match {
            source-address any;
            destination-address public-server;
            application any;
            source-identity "global\guest";
        }
        then {
            permit;
        }
    }
    policy guest-deny-access {
        match {
            source-address any;
            destination-address any;
            application any;
            source-identity "global\guest-device-byod";
        }
        then {
            deny;
        }
    }
}
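The lookup that the Overview describes (source IP to authentication-table entry, then username or group against source-identity) and the policies configured above, worked through as an added Python model. This is editor-added code, not Junos code and not part of the Juniper example. It assumes the source IPs shown in the verification output, compares names case-insensitively, and takes the from-zone as an argument because the page does not map source IPs to zones (on the device the ingress interface decides that). Policies are tried in the order that show security policies lists them, the first match wins, and with no match the device's default policy (deny) applies.

```python
"""Identity-aware policy lookup for this example's topology (added model,
not Junos code). Match order: zone pair, destination address, then
source-identity resolved through the ClearPass authentication table by
source IP. First matching policy wins; otherwise the default policy denies.
The table, address book and policies below are transcribed from this page;
case-insensitive name comparison and caller-supplied from-zone are
assumptions of the model."""
from dataclasses import dataclass

DOMAIN = "global"

# Constructed ClearPass authentication table: source IP -> (user, groups).
AUTH_TABLE = {
    "10.0.0.1": ("viki2", {"posture-healthy", "accounting-grp",
                           "accounting-grp-and-company-device", "corporate-limited"}),
    "20.0.0.1": ("abew1", {"marketing-access-limited-grp"}),
    "30.0.0.1": ("jxchan", {"posture-healthy", "marketing-access-for-pcs-limited-group",
                            "marketing-general", "sales-limited-group", "corporate-limited"}),
    "40.0.0.1": ("lchen1", {"posture-healthy", "human-resources-grp",
                            "accounting-limited", "corporate-limited"}),
    "50.0.0.1": ("guest1", {"posture-healthy", "guest"}),
    "50.0.0.2": ("guest2", {"posture-healthy", "guest-device-byod"}),
}

# Address book servers-zone-addresses as configured on this page.
ADDRESS_BOOK = {
    "marketing-server-protected": "1.2.3.4",
    "human-resources-server": "1.3.4.5",
    "accounting-server": "1.4.5.6",
    "corporate-server": "1.6.7.8",
    "public-server": "1.8.9.1",
}


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    destination: str      # address-book name or "any"
    source_identity: str  # as written in the config: "domain\\name" or "any"
    action: str           # "permit" or "deny"


# The example's policies, in the order "show security policies" lists them.
POLICIES = [
    Policy("marketing-p1", "marketing-zone", "servers-zone", "any",
           "global\\marketing-access-for-pcs-limited-group", "permit"),
    Policy("marketing-p2", "marketing-zone", "servers-zone",
           "marketing-server-protected", "global\\abew1", "permit"),
    Policy("marketing-p0", "marketing-zone", "servers-zone",
           "corporate-server", "global\\marketing-access-limited-grp", "permit"),
    Policy("marketing-p3", "marketing-zone", "servers-zone",
           "human-resources-server", "global\\sales-limited-group", "permit"),
    Policy("acct-cp-device", "accounting-zone", "servers-zone",
           "accounting-server", "global\\accounting-grp-and-company-device", "permit"),
    Policy("human-resources-p1", "human-resources-zone", "servers-zone",
           "corporate-server", "global\\corporate-limited", "permit"),
    Policy("guest-allow-access", "public-zone", "servers-zone",
           "public-server", "global\\guest", "permit"),
    Policy("guest-deny-access", "public-zone", "servers-zone",
           "any", "global\\guest-device-byod", "deny"),
]


def identity_matches(source_identity, src_ip):
    """True when the table has an entry for src_ip whose username or one of
    whose groups equals the name after the domain prefix. An IP with no
    entry has no identity, so no identity-based policy can match it."""
    if source_identity == "any":
        return True
    entry = AUTH_TABLE.get(src_ip)
    if entry is None:
        return False
    domain, _, name = source_identity.lower().partition("\\")
    user, groups = entry
    return domain == DOMAIN and (name == user.lower()
                                 or name in {g.lower() for g in groups})


def lookup(from_zone, src_ip, to_zone, dst_ip, policies=POLICIES):
    """Return (policy name, action) of the first matching policy, or
    ("default-policy", "deny") when none matches. Every policy here has
    application any, so the application term is not modelled."""
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if p.destination != "any" and ADDRESS_BOOK.get(p.destination) != dst_ip:
            continue
        if identity_matches(p.source_identity, src_ip):
            return p.name, p.action
    return "default-policy", "deny"


if __name__ == "__main__":
    for zone, src, dst in [("marketing-zone", "20.0.0.1", "1.2.3.4"),
                           ("marketing-zone", "20.0.0.1", "1.3.4.5"),
                           ("accounting-zone", "10.0.0.1", "1.6.7.8"),
                           ("public-zone", "50.0.0.2", "1.8.9.1"),
                           ("public-zone", "60.0.0.1", "1.8.9.1")]:
        print(zone, src, "->", dst, lookup(zone, src, "servers-zone", dst))
```

Two cases are worth a look. viki2 from accounting-zone to corporate-server is denied by the default policy even though she belongs to corporate-limited, because human-resources-p1 is only in the human-resources-zone to servers-zone context. A source IP that has no table entry (60.0.0.1) matches no identity-based policy at all, which is the behaviour the Overview describes when the ClearPass table has no entry and no other authentication table is in the search order.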

Verification

This section verifies the ClearPass authentication table contents after events that cause some of its user authentication entries to be modified. It has two parts: displaying the table before and after an authenticated user logs out of the network, and displaying a user’s entry before and after a security policy that references one of the user’s groups is deleted.

Displaying the ClearPass Authentication Table Contents Before and After an Authenticated User Logs Out of the Network

Purpose

Display the ClearPass authentication table contents when a specific, authenticated user is logged in to the network and after the user logs out.

Action

Enter the show services user-identification authentication-table authentication-source aruba-clearpass command; aruba-clearpass is the name of the authentication source for the ClearPass authentication table. Notice that the table includes an entry for the user viki2.

show services user-identification authentication-table authentication-source aruba-clearpass
Domain: GLOBAL
Total entries: 6
Source IP       Username       groups(Ref by policy)          state
10.0.0.1        viki2          accounting-grp-and-company-dev Valid
20.0.0.1        abew1          marketing-access-limited-grp   Valid
30.0.0.1        jxchan         marketing-access-for-pcs-limit Valid
40.0.0.1        lchen1         corporate-limited              Valid
50.0.0.1        guest1                                        Valid
50.0.0.2        guest2                                        Valid

Enter the same command again after viki2 logs out of the network. Notice that the ClearPass authentication table no longer contains an entry for viki2.

Domain: GLOBAL
Total entries: 5
Source IP       Username       groups(Ref by policy)          state
20.0.0.1        abew1          marketing-access-limited-grp   Valid
30.0.0.1        jxchan         marketing-access-for-pcs-limit Valid
40.0.0.1        lchen1         corporate-limited              Valid
50.0.0.1        guest1                                        Valid
50.0.0.2        guest2                                        Valid

Displaying the Authentication Table Contents Before and After a Referenced Security Policy Is Deleted

Purpose

Display the ClearPass authentication table contents for a specific user—lchen1—who belongs to a group that is referenced by a security policy. Delete that security policy, then display the entry for that user again.

Action

Enter the show services user-identification authentication-table authentication-source aruba-clearpass user user-name command to display the ClearPass authentication table entry for a specific user, in this case lchen1. Notice that the entry includes the group corporate-limited.

show services user-identification authentication-table authentication-source aruba-clearpass user lchen1
Domain: GLOBAL
Source IP       Username       groups(Ref by policy)          state
40.0.0.1        lchen1         corporate-limited              Valid

The source-identity field of the human-resources-p1 security policy refers to the group corporate-limited, and the ClearPass authentication entry above shows that lchen1 belongs to that group. Here is the configuration of the referenced human-resources-p1 security policy:

from-zone human-resources-zone to-zone servers-zone {
    policy human-resources-p1 {
        match {
            source-address any;
            destination-address corporate-server;
            application any;
            source-identity "global\corporate-limited";
        }
        then {
            permit;
        }
    }
}

After you delete the human-resources-p1 security policy, whose source-identity parameter refers to the group corporate-limited, enter the same command again. Notice that the authentication entry for lchen1 no longer lists the corporate-limited group. The user remains authenticated with the same source IP; only the group reference that the deleted policy needed has been dropped from the entry.

show services user-identification authentication-table authentication-source aruba-clearpass user lchen1
Domain: GLOBAL
Source IP       Username       groups(Ref by policy)          state
40.0.0.1        lchen1                                        Valid

A second way to verify the table state after the modification is to display the entire table and confirm that the group corporate-limited does not appear in any user entry. If more than one user belonged to corporate-limited, the entries for all of those users would drop the group name.

From operational mode, enter the show services user-identification authentication-table authentication-source aruba-clearpass command.

show services user-identification authentication-table authentication-source aruba-clearpass
Domain: GLOBAL
Total entries: 6
Source IP       Username       groups(Ref by policy)          state
10.0.0.1        viki2          accounting-grp-and-company-dev Valid
20.0.0.1        abew1          marketing-access-limited-grp   Valid
30.0.0.1        jxchan         marketing-access-for-pcs-limit Valid
40.0.0.1        lchen1                                        Valid
50.0.0.1        guest1                                        Valid
50.0.0.2        guest2                                        Valid
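The two checks in this section, automated as an added Python script. It is editor-added code, not Junos code and not part of the Juniper example. It parses the table text as the CLI prints it, slicing fields at the header’s column offsets so that the empty groups column of guest1 and guest2 is read correctly, and it allows for the display cutting long group names at the column width (accounting-grp-and-company-dev). The three captures are those shown in this section, with the post-logout table declaring the five entries it actually lists; the parsing rules are assumptions about this text format, and on a device you would feed the script the command’s output instead.

```python
"""Verify the authentication-table changes this section expects (added
script, not Junos code). Parses the text of "show services
user-identification authentication-table authentication-source
aruba-clearpass" and checks that a logout removed exactly one entry and
that deleting a referenced policy removed one group from one entry.
Column slicing at header offsets is an assumption about the format."""
from dataclasses import dataclass

# Captures transcribed from this section (constructed test input).
BEFORE_LOGOUT = """\
Domain: GLOBAL
Total entries: 6
Source IP       Username       groups(Ref by policy)          state
10.0.0.1        viki2          accounting-grp-and-company-dev Valid
20.0.0.1        abew1          marketing-access-limited-grp   Valid
30.0.0.1        jxchan         marketing-access-for-pcs-limit Valid
40.0.0.1        lchen1         corporate-limited              Valid
50.0.0.1        guest1                                        Valid
50.0.0.2        guest2                                        Valid
"""
AFTER_LOGOUT = """\
Domain: GLOBAL
Total entries: 5
Source IP       Username       groups(Ref by policy)          state
20.0.0.1        abew1          marketing-access-limited-grp   Valid
30.0.0.1        jxchan         marketing-access-for-pcs-limit Valid
40.0.0.1        lchen1         corporate-limited              Valid
50.0.0.1        guest1                                        Valid
50.0.0.2        guest2                                        Valid
"""
AFTER_POLICY_DELETE = """\
Domain: GLOBAL
Total entries: 6
Source IP       Username       groups(Ref by policy)          state
10.0.0.1        viki2          accounting-grp-and-company-dev Valid
20.0.0.1        abew1          marketing-access-limited-grp   Valid
30.0.0.1        jxchan         marketing-access-for-pcs-limit Valid
40.0.0.1        lchen1                                        Valid
50.0.0.1        guest1                                        Valid
50.0.0.2        guest2                                        Valid
"""


@dataclass(frozen=True)
class Entry:
    ip: str
    groups: str       # the groups column exactly as printed
    truncated: bool   # the column was full, so the name may be cut short
    state: str


def parse_table(text):
    """Return (domain, declared total, {username: Entry}). Fields are sliced
    at the offsets of the header words, so an empty groups column (guest1,
    guest2) does not shift the state column as whitespace splitting would."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    domain = lines[0].split(":", 1)[1].strip()
    total = int(lines[1].split(":", 1)[1])
    cols = [lines[2].index(w) for w in ("Source IP", "Username", "groups(", "state")]
    width = cols[3] - cols[2] - 1
    entries = {}
    for row in lines[3:]:
        ip, user, groups, state = (row[a:b].strip()
                                   for a, b in zip(cols, cols[1:] + [None]))
        entries[user] = Entry(ip, groups, len(groups) >= width, state)
    return domain, total, entries


def shows_group(entry, group):
    """Does the printed column name this group? Long names are displayed cut
    to the column width, hence the prefix test on a full column."""
    return entry.groups == group or (entry.truncated and group.startswith(entry.groups))


def check_logout(before, after, user):
    """The user's entry is gone, nothing else changed, and each declared
    total agrees with the rows actually printed."""
    _, tot_b, b = parse_table(before)
    _, tot_a, a = parse_table(after)
    if tot_b != len(b) or tot_a != len(a):
        return False
    return user in b and user not in a and {u: e for u, e in b.items() if u != user} == a


def check_group_dropped(before, after, user, group):
    """The user's entry survives with the same IP and state but no longer
    lists the group that the deleted policy referenced."""
    _, _, b = parse_table(before)
    _, _, a = parse_table(after)
    return (user in b and user in a and b[user].ip == a[user].ip
            and b[user].state == a[user].state
            and shows_group(b[user], group) and not shows_group(a[user], group))


if __name__ == "__main__":
    print("viki2 logout:", check_logout(BEFORE_LOGOUT, AFTER_LOGOUT, "viki2"))
    print("corporate-limited dropped:", check_group_dropped(
        BEFORE_LOGOUT, AFTER_POLICY_DELETE, "lchen1", "corporate-limited"))
```

The total-versus-rows comparison in check_logout is there because a table whose declared count disagrees with its rows is a sign that a capture was taken mid-update or pasted incompletely; a script that only searched for the username would miss that. The XML form of the command (| display xml) would avoid column slicing altogether, but it is not shown on this page.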

Modified: 2016-05-01