
Understanding the Integrated ClearPass Authentication and Enforcement User Query Function on NFX Devices

This topic focuses on how you can obtain user authentication and identity information for an individual user when that information is not posted directly to the NFX Series device by the ClearPass Policy Manager (CPPM).

The integrated ClearPass authentication and enforcement feature allows the NFX Series device and Aruba ClearPass to control access to protected resources and the Internet from wireless and wired devices. For this to occur, ClearPass sends user authentication and identity information to the NFX Series device. The NFX Series device stores the information in its ClearPass authentication table. To send this information, usually the CPPM uses the Web API (webapi) services implementation, which allows it to make HTTP or HTTPS POST requests to the NFX Series device.

For various reasons, the CPPM might not send authentication information for a particular user. When traffic from that user arrives at the NFX Series device, the device cannot authenticate the user. If you configure the NFX Series device to enable the user query function, it can query the ClearPass webserver for authentication information for that individual user. The NFX Series device bases the query on the IP address of the user’s device, which it obtains from the user’s access request traffic.

If the user query function is configured, the query process is triggered automatically when the NFX Series device receives traffic from a user requesting access to a resource or the Internet and does not find an entry for that user in its ClearPass authentication table. The NFX Series device does not search its other authentication tables. Rather, it sends a query to the CPPM requesting authentication information for the user. Figure 1 depicts the user query process. In this example:

  1. A user attempts to access a resource. The NFX Series device receives the traffic requesting access. The NFX Series device searches for an entry for the user in its ClearPass authentication table, but none is found.

  2. The NFX Series device requests authentication for the user from the CPPM.

  3. The CPPM authenticates the user and returns the user authentication and identity information to the NFX Series device.

  4. The NFX Series device creates an entry for the user in its ClearPass authentication table, and grants the user access to the Internet.

Figure 1: ClearPass Integration User Query Function

You can control when the NFX Series device sends its requests automatically by configuring the following two mechanisms:

  • The delay-query-time parameter

    To determine the value to set for the delay-query-time parameter, it helps to understand the events and duration involved in how user identity information is transferred to the NFX Series device from ClearPass, and how the delay-query-time parameter influences the query process.

    A delay is incurred from when the CPPM initially posts user identity information to the NFX Series device using the Web API to when the NFX Series device can update its local ClearPass authentication table with that information. The user identity information must first pass through the ClearPass device’s control plane and the control plane of the NFX Series device. In other words, this process can delay when the NFX Series device can enter the user identity information in its ClearPass authentication table.

    While this process is taking place, traffic might arrive at the NFX Series device that is generated by an access request from a user whose authentication and identity information is in transit from ClearPass to the NFX Series device.

    Rather than allow the NFX Series device to respond automatically by sending a user query immediately, you can set a delay-query-time parameter, specified in seconds, that allows the NFX Series device to wait for a period of time before sending the query.

    After the delay timeout expires, the NFX Series device sends the query to the CPPM and creates a pending entry in the Routing Engine authentication table. During this period, the traffic matches the default policy and is dropped or allowed, depending on the policy configuration.

    Note

    If there are many query requests in the queue, the NFX Series device can maintain multiple concurrent connections to ClearPass to increase throughput. However, to ensure that ClearPass is not stressed by these connections, the number of concurrent connections is limited to 20. You cannot change this value.

  • A default policy, which is applied to a packet if the NFX Series device does not find an entry for the user associated with the traffic in its ClearPass authentication table.

    The system default policy is configured to drop packets. You can override this action by configuring a policy that specifies a different action to apply to this traffic.

Table 1 shows the effect on the user query function depending on whether Active Directory authentication is configured.

Table 1: Relationship Between User Query Function and Active Directory Authentication as Processed by the CLI

Active Directory Is Configured   ClearPass User Query Function Is Enabled   CLI Check Result
No                               No                                         Pass
No                               Yes                                        Pass
Yes                              No                                         Pass
Yes                              Yes                                        Fail

To avoid the failure condition reflected in the bottom row of the table, you must disable either Active Directory or the user query function. If both are configured, the system displays the following error message:

In its response to the user query request, the ClearPass web server returns information for the user’s device whose IP address was specified in the request. This response includes a time stamp, which is expressed in UTC (Coordinated Universal Time) as defined by ISO 8601.

Here are some examples:

  • 2016-12-30T09:30:10.678123Z

  • 2016-12-30T09:30:10Z

  • 2016-06-06T00:31:52-07:00

Table 2 shows the components that comprise a timestamp format.

Table 2: Time Stamp Components as Defined by ISO 8601

Format Component   Meaning
YYYY               four-digit year
MM                 two-digit month
DD                 two-digit day of month
hh                 two digits of hour (00 through 23)
mm                 two digits of minute
ss                 two digits of second
s                  one or more digits representing a decimal fraction of a second
TZD                time zone designator: Z or +hh:mm or -hh:mm
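As an added example (not code from the original Juniper documentation), the following Python parser validates a ClearPass response time stamp against the ISO 8601 components in Table 2 and normalizes it to UTC, so that entries with different time zone designators can be compared consistently; the function name is an assumption, and the sample values are the three time stamps quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Pattern built from the Table 2 components: YYYY-MM-DDThh:mm:ss[.s...]TZD,
# where TZD is "Z" or an explicit "+hh:mm" / "-hh:mm" offset.
_ISO8601 = re.compile(
    r"^(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2})"
    r"T(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})"
    r"(?:\.(?P<fraction>\d+))?"
    r"(?P<tzd>Z|[+-]\d{2}:\d{2})$"
)


def parse_clearpass_timestamp(value: str) -> datetime:
    """Parse a ClearPass response time stamp into an aware UTC datetime.

    Raises ValueError for anything outside the ISO 8601 profile in Table 2,
    so a malformed response is rejected rather than silently accepted.
    """
    m = _ISO8601.match(value.strip())
    if m is None:
        raise ValueError(f"not an ISO 8601 time stamp: {value!r}")
    # The fraction may carry any number of digits; keep microsecond precision.
    fraction = m.group("fraction") or ""
    micro = int((fraction + "000000")[:6]) if fraction else 0
    tzd = m.group("tzd")
    if tzd == "Z":
        offset = timezone.utc
    else:
        sign = 1 if tzd[0] == "+" else -1
        oh, om = int(tzd[1:3]), int(tzd[4:6])
        offset = timezone(sign * timedelta(hours=oh, minutes=om))
    local = datetime(
        int(m.group("year")), int(m.group("month")), int(m.group("day")),
        int(m.group("hour")), int(m.group("minute")), int(m.group("second")),
        micro, tzinfo=offset,
    )
    # Normalize to UTC so time stamps with different TZDs compare correctly.
    return local.astimezone(timezone.utc)


if __name__ == "__main__":
    # The three sample time stamps quoted in this topic.
    for ts in ("2016-12-30T09:30:10.678123Z", "2016-12-30T09:30:10Z",
               "2016-06-06T00:31:52-07:00"):
        print(ts, "->", parse_clearpass_timestamp(ts).isoformat())
```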