
Self-Register & Self-Sponsor Solution

(Validated email)

Derin Mellor – Aruba Networks

Michael Clarke – Secure Data Ltd

CPPM v 6.3.4

AOS v 6.3.1.8

21st July 2014

v 1.4

Overview
Workflow
Controller Configuration
User-Roles
User Session Timeout
RADIUS Accounting & CoA
CPPM Configuration
Create Following Roles
Create Following Enforcement Profiles
"RADIUS Based Enforcement" profiles
"Session Restriction Enforcement" profiles
CPPM Guest and MAC Authentication Services
CPPM Guest Service
Update demo Guest MAC Caching Profile
Update Roles and Enforcement to reflect new roles created
Establishing the Sponsor state
MAC Authentication Service
Role Mapping
Enforcement Policy
CPPM Account Cleanup
CPG Configuration
Create a Self-Sponsored Email Receipt
Create Guest Self-Registration Form
Configure Self-Registration to send a Self-Sponsored Receipt
Edit Registration's "Forms & Views"
SMTP Configuration
User Experience
Registration State
PreAuth State
Sponsored State
Account Expiry
Administrator Guest Account Control
CPG Active Account Disconnect
CPG Active Account Reauthorize
CPG Disable Guest Account
CPG Delete Guest Account


Overview

Verifying a guest's email address is often requested for auditing purposes. This is problematic given that our purpose is to limit network access to the user: the guest needs some network access in order to read the validation email.

There are two lines of thought on getting a user to validate their email.

• Enforce validation. Restrict access to the network unless the user validates their email. The preauth role could be restricted in bandwidth, allowed ports and even certain websites. The user experience would be poor unless they validated the email. We could also give a short, time-limited access. Note: I cannot work out how to stop users continuously registering and getting the short time access.

• Encourage validation. Rather than restricting access and rights, we may want to encourage the user to validate their email and reward them with an enhanced service such as higher bandwidth and the opening of VPN ports. This could be useful for retail environments where we want to give the users access, but would like to engage further with the user if they actually go ahead and validate the email.

This How-To will focus on the first option and step you through granting someone limited short-term access to check their email and verify the account. After sponsoring the registration, the account is expired and purged after 4 hours. You should change these values depending on your own requirements.

It is largely based on How-to:_Sponsored_Self-Registration. Where you read sponsored, think validated.

• This solution should be considered as Beta and used with caution in a live environment.
• This solution does not represent an officially sanctioned Aruba solution, but is merely provided for reference purposes.
• There are probably alternative or better ways of achieving this.
• You should not deploy this in a live environment unless you have completely validated and understand it within a test environment.
• This may break your existing deployment.
• The authors of this solution take no responsibility whatsoever if it breaks your existing


Conceptual State Table

Workflow

This workflow articulates the Conceptual State Table shown above:

Device Unknown

1) Unknown device connects to the Guest SSID
2) Controller forwards the MAC Authentication to CPPM

Registration

3) CPPM accepts the MAC Authentication and assigns the Registration captive portal, OR CPPM rejects the MAC Authentication (unknown device). The latter relies on the Controller to assign the guest registration role automatically.
4) Controller places the Guest's device into the Registration captive portal (demo-registration). This user-role redirects HTTP/HTTPS traffic to CPPM's guest portal.
5) Guest attempts to browse
6) Controller redirects web traffic to CPPM's guest portal
7) CPG presents the guest portal registration page
8) Guest fills in their name and email address and submits

10) Guest accepts the login page: HTTP POST to CPG
11) CPG redirects the HTTP login to the Controller
12) Controller converts the HTTP POST to a RADIUS Request with the necessary login details

PreAuth

13) CPPM accepts the login and moves the Device into the demo-preauth role. This has internet access for a 10 minute grace period. If the Guest is not (self)sponsored within 10 minutes, the Device is disassociated from the WiFi and the guest account purged (back to Device Unknown).
14) Guest uses this grace period to access his/her email
15) Guest "confirms" the email's self-sponsorship. This effectively validates the email address.
16) CPG receives the sponsor confirmation and updates Insight with the information

Sponsored

17) CPPM's Lazy Poller polls Insight and realizes the Self-Sponsorship has occurred: it sends a CoA Disconnect to the NAS the Guest device is associated with. (During testing the preauth session timeout was set to 5 mins to save time. The CoA seemed to be sent after 8-9 mins. This may have been due to such a short session timeout.) Alternatively the PreAuth Session-Timeout occurs, which has the same effect.
18) Device re-associates
19) Controller forwards the MAC authentication to CPPM
20) CPPM accepts the device based on the MAC Cache details

At step 17 the Device is disassociated; if there is another available SSID it will connect to that instead. If there is only one SSID it will re-associate with it and cause another authentication.

NOTE: Subsequent MAC authentications within a state will remain in that state unless something has happened to the user account, e.g. the account has been deleted, disabled or expired.


Controller Configuration

User-Roles

The Controller, or equivalent, has to be configured with three specific user-roles:

demo-registration: Only allows DHCP and DNS, plus HTTP and HTTPS to CPG itself; redirects all other HTTP and HTTPS to CPG's guest authentication portal page.

demo-preauth: Currently full access, but this could be restricted if needed.

demo-sponsored: Allows normal guest access to the internet. Currently has the same rights as the preauth role.

User Session Timeout

The Controller must be configured to accept the RADIUS Session-Timeout attribute from CPPM.

RADIUS Accounting & CoA

The Controller must be configured with RADIUS Accounting. If using bandwidth control (not tested) Interim Accounting must also be configured. The Controller must also be configured to accept RADIUS Change of Authorization (CoA) from CPPM.


CPPM Configuration

Create Following Roles

Create four new roles: Unsponsored Device, PreAuth, Sponsored and Expired. These are used to track the state of the Guest.


Create Following Enforcement Profiles


CPPM Guest and MAC Authentication Services

Use CPPM's Configuration > Service Templates > Guest MAC Authentication template to create the Captive Portal Authentication and MAC Authentication services. Enter the relevant values and create the Service.

CPPM Guest Service

The Service’s Enforcement has to be enhanced to differentiate between PreAuth and Sponsored states. Create new enforcement profiles to match the preauth and sponsored states. You should copy all the existing ones that were created above and change the details as per the screenshots and below table.


Enforcement profiles (name, details, notes):

demo PreAuth Guest Bandwidth Limit
  Details: Bandwidth-Check:Allowed-Limit=0
  Notes: Unlimited. This may not work properly anyway if enforced, due to the 10 min session timeout and the interim accounting interval of 10 mins.

demo PreAuth Guest Do Expire
  Details: Expiry-Check:Expiry-Action=%{GuestUser:do_expire}

demo PreAuth Guest Expire Post Login
  Details: Expire-Time-Update:GuestUser=%{GuestUser:expire_postlogin}

demo PreAuth Guest MAC Caching
  Details: Endpoint:Username=%{Authentication:Username}; Endpoint:Guest Role ID=4
  Notes: This will update the Endpoint database with the appropriate role attributes.

demo PreAuth Guest Session Limit
  Details: Session-Check:Active-Session-Count=%{GuestUser:simultaneous_use}; Post-Auth-Check:Action=Disconnect and block access
  Notes: This is defined by the initial value specified when creating the service. It can be overridden with a static value if need be.

demo PreAuth Guest Session Timeout
  Details: Radius:IETF:Session-Timeout=600
  Notes: 10 mins to allow confirmation of the email.

demo PreAuth Guest User Role
  Details: Radius:Aruba:Aruba-User-Role=demo-preauth

demo Sponsored Guest Bandwidth Limit
  Details: Bandwidth-Check:Allowed-Limit=0

demo Sponsored Guest Do Expire
  Details: Expiry-Check:Expiry-Action=Disable and Logout

demo Sponsored Guest Expire Post Login
  Details: Expire-Time-Update:GuestUser=%{GuestUser:expire_postlogin}

demo Sponsored Guest MAC Caching
  Details: Endpoint:Username=%{Endpoint:Username}; Endpoint:Guest Role ID=5
  Notes: This will update the Endpoint database with the appropriate role attributes.

demo Additional Device Sponsored Guest MAC Caching
  Details: Endpoint:Username=%{Authentication:Username}; Endpoint:Guest Role ID=5
  Notes: This is for additional devices (if allowed) when logging in for the first time.

demo Sponsored Guest Session Limit
  Details: Session-Check:Active-Session-Count=%{GuestUser:simultaneous_use}; Post-Auth-Check:Action=Disconnect and block access
  Notes: This is defined by the initial value specified when creating the service. It can be overridden with a static value if need be.

demo Sponsored Guest Session Timeout
  Details: Radius:IETF:Session-Timeout=14400
  Notes: 4 hours of usage. Session-Timeout is expressed in seconds (the 600 above is 10 minutes), so 4 hours is 14400; a value of 1440 would give only 24 minutes.

demo Sponsored Guest User Role
  Details: Radius:Aruba:Aruba-User-Role=demo-sponsored


Update demo Guest MAC Caching Profile

Update Roles and Enforcement to reflect new roles created

Policy Conditions

Condition 1: Only allow one device per user. (This has been set to 3 at the moment for testing purposes.)

Condition 2: PreAuth

This happens when a device registers and then hits 'Login'. It gets the preauth role with full access, but with a session-timeout of only 10 mins.

NOTE: On testing, the "roles" passed into CPPM's Enforcement Policy at initial login are both PreAuth and [Guest]; I believe this is because [Guest] is inherited from CPPM's guest account.

Condition 3: Sponsored

This will only be hit if an existing user attempts to log in again by entering their username and password credentials; this is unlikely due to MAC Caching.

Note: This will also apply if more than one device is allowed per guest account. When a different device connects and uses a valid username/password, the 'demo Additional Device Guest MAC Caching' profile will return Endpoint:Username=%{Authentication:Username}, i.e. the username that the device is logging in with. The endpoint has no value for 'remaining_expiration' yet, so no session timeout value is sent, though this will be updated in the next MAC auth.

Default Condition [Deny Access Profile]


Update demo Guest MAC Authentication Service

The primary challenge is to achieve MAC Caching for only Sponsored devices. The difficulty with MAC Caching is that the useful information about the recently authenticated guest resides in the Insightdb, while the endpoint information resides in the tipsdb.

Establishing the Sponsor state

When the device connects, the MAC Auth service needs to validate the "Sponsor" state. This exists in the Insightdb. CPPM already uses the IETF Calling-Station-Id (MAC address) to extract the Endpoint:Username from the tipsdb. This name can then be used to search the Insightdb to extract the Sponsor "state". We need to add an additional attribute to the Insight Repository:

SELECT role_name AS sponsor FROM guests WHERE username = '%{Endpoint:Username}';


Remaining Session Timeout

We also need to add an attribute to the “demo MAC-Guest-Check” Authorisation source. This will determine if the session has expired or not.

SELECT CAST(EXTRACT(epoch FROM (expire_time - NOW())) AS INTEGER) AS remaining_expiration FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') and (enabled = 't'))

MAC-Expires attribute: Establishes the remaining time prior to the account expiring.

Create a new ClearPass Enforcement Profile that returns the remaining session time within the RADIUS Session-Timeout attribute:


MAC Authentication Service

The MAC Authentication service is much more important because of the aggressive power saving of smart devices, which causes them to re-associate (and MAC authenticate) repeatedly. Because of this we have to take the following scenarios into consideration:

• MAC Authentication during first-time connect.
• MAC Authentication during the PreAuth stage.
• MAC Authentication once sponsored (this includes the initial CoA).

When the device causes a MAC Authentication it hits the following service:

NOTE: By default the sponsorship confirmation in CPPM v6.3 (beta) does not automatically change the associated device's Endpoint repository State from Unknown to Known. This can be forced with the Enforcement Policy on the first successful MAC Authentication within the Sponsored state. Likewise the Guest Do Expire = 2: Disable and Logout at specified time; this then relies on CPPM's CleanUp to purge sponsored accounts. The other consequence of this is that in the Registration state CPPM will assign the unknown device's role (rather than relying on the Controller).

Set the Authentication to Allow All MAC Auth


Role Mapping


Policy Conditions

Condition 1: Non-Expired, Sponsored & Unknown Device: the first MAC Authentication after sponsorship. Note: Originally the role evaluation was set to 'Evaluate-all', but it is now set to 'First-applicable', so this rule will probably never be hit; it has been left in.

• Update Endpoint to Known and change the attribute in the Endpoint DB: RoleID=5
• Send Aruba-User-Role=demo-sponsored
• Send Session-Timeout=%{Authorization:demo MAC-Guest-Check:MAC-Expires}
• Username=%{Endpoint:Username}

Condition 2: Non-Expired, Sponsored & Unknown device: a Guest account that has been sponsored from a different device. This is not likely with a short PreAuth session, but for longer sessions it may be relevant. Basically, the account is validated with a different device on a different network (this requires ClearPass to be accessible, typically over the internet). The original device connects, but it is still Unknown. Alternatively, this is the first MAC auth after sponsorship.

• Update Endpoint to Known and change the attribute in the Endpoint DB: RoleID=5
• Send Aruba-User-Role=demo-sponsored
• Send Session-Timeout=demo Sponsored Guest Session Timeout (4 hours)
• Username=%{Endpoint:Username}

Condition 3: Non-Expired, Sponsored & Known device: a device that has registered, had its email validated, has previously done a MAC auth and had its endpoint marked as Known after hitting Condition 2 above.

• Update Endpoint to Known and change the attribute in the Endpoint DB: RoleID=5
• Send Aruba-User-Role=demo-sponsored
• Send Session-Timeout=%{Authorization:demo MAC-Guest-Check:MAC-Expires}
• Username=%{Endpoint:Username}

Condition 4: Non-Expired PreAuth Device: a device that has registered but not validated its email, and does a MAC auth within the 10 mins.

• Update Endpoint to Unknown. During testing there were problems with previously registered devices that had not been validated but were marked as Known; this ensures that only sponsored devices are marked as Known.
• Send Aruba-User-Role=demo-preauth
• Send Session-Timeout=%{Authorization:demo MAC-Guest-Check:MAC-Expires}
• Username=%{Endpoint:Username}

Condition 5: Unknown Device: Registration role.

• Update Endpoint to Unknown (for the same reason as in Condition 4: only sponsored devices should be marked as Known).
• Send Aruba-User-Role=demo-registration
• Send Session-Timeout=10 mins

Condition 6: Expired device: Registration role.

• Update Endpoint to Unknown (same reason as above).
• Send Aruba-User-Role=demo-registration
• Send Session-Timeout=10 mins

Default: [Deny Access Profile]
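As an added example (not code from this how-to, from Aruba or from ClearPass), the following Python models the MAC Authentication enforcement policy above (Conditions 1 to 6 plus the default deny) together with the guest states of the Workflow section, so the transitions can be exercised offline before touching a live CPPM. The inputs use the attribute names from the text (Endpoint Known/Unknown, Endpoint:Username, the Insight sponsor role name, and the MAC-Expires remaining_expiration value). The MacAuthRequest and Decision types, the function names, and the treatment of a sponsored-but-Unknown endpoint with no MAC-Expires as Condition 2 are this example's assumptions; the Session-Timeout constants are in seconds, so the 4-hour sponsored timeout is 14400.

```python
# Added example: first-applicable evaluation of the MAC auth enforcement policy.
# Not from the original how-to; attribute names follow the text, structure is assumed.
from dataclasses import dataclass
from typing import Optional

SPONSORED_ROLE_ID = 5            # Endpoint:Guest Role ID written for sponsored devices
# RADIUS Session-Timeout is expressed in seconds (RFC 2865).
PREAUTH_TIMEOUT = 10 * 60        # 600: 10 minutes to confirm the email
SPONSORED_TIMEOUT = 4 * 60 * 60  # 14400: 4 hours of sponsored access
DENY = "[Deny Access Profile]"


@dataclass(frozen=True)
class MacAuthRequest:
    endpoint_known: bool              # Endpoint:Status == Known
    endpoint_username: Optional[str]  # Endpoint:Username from tipsdb; None if never registered
    sponsor_role: Optional[str]       # Insight role_name: "PreAuth", "Sponsored", "Expired" or None
    mac_expires: Optional[int]        # remaining_expiration in seconds; None if purged / not yet set


@dataclass(frozen=True)
class Decision:
    condition: str
    user_role: str                    # Aruba-User-Role returned (or DENY)
    session_timeout: Optional[int]    # Session-Timeout returned; None when nothing is sent
    endpoint_status: Optional[str]    # "Known" / "Unknown" update written to the Endpoint DB
    role_id: Optional[int] = None     # Endpoint:Guest Role ID update, if any


def evaluate(req: MacAuthRequest) -> Decision:
    """Walk the policy conditions in order and return the first that applies."""
    registered = req.endpoint_username is not None and req.sponsor_role is not None
    # An account is expired when Insight says so or when remaining_expiration has run out.
    expired = req.sponsor_role == "Expired" or (
        req.mac_expires is not None and req.mac_expires <= 0
    )

    if not registered:
        # Condition 5: unknown device (never registered, or PreAuth account already purged)
        return Decision("5 Unknown device", "demo-registration", PREAUTH_TIMEOUT, "Unknown")
    if expired:
        # Condition 6: expired account goes back to Registration; endpoint must not stay Known
        return Decision("6 Expired device", "demo-registration", PREAUTH_TIMEOUT, "Unknown")

    if req.sponsor_role == "Sponsored":
        if not req.endpoint_known and req.mac_expires is not None:
            # Condition 1: first MAC auth after sponsorship, MAC-Expires already available
            return Decision("1 Sponsored, Unknown", "demo-sponsored",
                            req.mac_expires, "Known", SPONSORED_ROLE_ID)
        if not req.endpoint_known:
            # Condition 2: sponsored (e.g. from another device) but the endpoint has no
            # remaining_expiration yet, so the static 4-hour timeout is returned instead
            return Decision("2 Sponsored, Unknown, no MAC-Expires", "demo-sponsored",
                            SPONSORED_TIMEOUT, "Known", SPONSORED_ROLE_ID)
        # Condition 3: sponsored and already Known, the normal MAC caching path
        return Decision("3 Sponsored, Known", "demo-sponsored",
                        req.mac_expires, "Known", SPONSORED_ROLE_ID)

    if req.sponsor_role == "PreAuth" and req.mac_expires is not None:
        # Condition 4: registered, email not yet validated, still inside the grace period
        return Decision("4 PreAuth", "demo-preauth", req.mac_expires, "Unknown")

    # Nothing matched (e.g. a PreAuth account whose remaining_expiration is gone): deny
    return Decision("default", DENY, None, None)


if __name__ == "__main__":
    # A constructed guest journey: connect, register, confirm the email, come back, expire.
    journey = [
        ("first connect", MacAuthRequest(False, None, None, None)),
        ("registered, in grace period", MacAuthRequest(False, "alice@example.com", "PreAuth", 420)),
        ("email confirmed, reconnect", MacAuthRequest(False, "alice@example.com", "Sponsored", 14000)),
        ("later MAC auth", MacAuthRequest(True, "alice@example.com", "Sponsored", 9000)),
        ("account expired", MacAuthRequest(True, "alice@example.com", "Expired", None)),
    ]
    for label, req in journey:
        d = evaluate(req)
        print(f"{label:28} -> {d.condition:36} role={d.user_role} timeout={d.session_timeout}")
```

Run it as a script to see the whole journey printed; the ordering of the checks is what makes the policy safe: a purged PreAuth account and an expired account both land in demo-registration before any sponsored branch is considered, and an Unknown endpoint is only promoted to Known on a sponsored match.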

CPPM Account Cleanup

Cleaning up CPPM's Guest and Endpoint databases is important to stop obsolete guest accounts and devices from accumulating. These values may differ depending on the purpose of this solution and the circumstances.


When the PreAuth Guest expires it is automatically deleted, but the Device in the Endpoint repository is not. To clean this up I reduce the "Unknown endpoints cleanup interval" to 1 day.

Once a Guest and Device are registered I rely on CPPM's clean up, rather than the Guest Do Expire and Guest Expire Post Login profile options.

The Sponsored Guest are kept for a longer time so that their information can be exported via an Insight report.


CPG Configuration

Create a Self-Sponsored Email Receipt

In Configuration > Print Templates duplicate the Sponsorship Confirmation template:

Edit the “Copy of Sponsorship Confirmation”:

Change the name to “Self Confirmation”:

Edit the template as you see fit. The default wording is addressed to a sponsor; edit it to address the guest. At minimum, remove "A visitor has requested access naming you as the sponsor." It is vital that the link itself remains intact:

<a href="{'guest_register_confirm.php'|NwaGetAppUrl}?token={$u.register_token|rawurlencode}" target="_blank">click here</a>


Edit the message to the visitor


Above shows what the self-sponsorship request looks like. This can be customized as required.

Create Guest Self-Registration Form


Configure Self-Registration to send a Self-Sponsored Receipt

Setup for validated access is within the Receipt Actions section of a self-registration. Navigate to

Configuration > Guest Self-Registration

Receipt Header

Click Header under the Receipt Page:

Edit the Receipt Header and append something along the lines of:

<p>You are being emailed a confirmation email that you must click in order to gain complete access to the network.</p>


Actions

Click Actions under the Receipt Page:

Check Sponsorship Confirmation. A new section will appear:

• Select the "Self Confirmation" print template
• Make sure this is left
• Account will expire after 4 hours
• New user-role to assign


Edit Registration’s “Forms & Views”

Click ‘Back to Guest Self Registration’ and then edit the demo page.

Click on ‘Form’ to edit the fields

Note: previously, in 6.2, we edited the guest_register form and changed the values there, but this didn't work when I tried; or rather, it did not use this form.


Disable "expire_after" and insert "modify_expire_time" after it: select expire_after and click Insert After. In the dropdown select modify_expire_time and allow the page to refresh.


Edit “role_id”

This will be the initial RoleID passed from CPG to CPPM; 4 maps to the PreAuth role.


SMTP Configuration

This is configured on CPPM:


User Experience

Registration State

Guest associates to the SSID.

Unknown MAC address: the Registration role is assigned.

Controller:

Controller redirects to CPG's Guest portal. CPG responds with the guest login screen. Guest fills in the page and submits.

At this point CPG sends an email to the supplied email address and presents the guest with a login page.

Hitting "Log In" effectively assigns the PreAuth state.

PreAuth State

CPG Shows the account created with preauth role

CPPM’s AccessTracker reports the authentication:

NOTE: This expires in 10 minutes


CPPM applies the following PreAuth policy:

Controller reports the User Role = demo-preauth = Captive Portal.


Device does a MAC auth before sponsoring. This is reported in CPPM


Sponsored State

The user, before their session expires, opens their email and confirms their registration.

The user is presented with new session details.

CPG now shows the account as sponsored.

NOTE: Account extended by 4 hours


Caution: On the controller, the user remains in the pre-auth state. It would appear that although in CPPM the device's session time has been extended, no CoA has been triggered by the sponsoring. The user's role will change with the next MAC auth, or when the 10 mins has expired and a CoA is sent. This could be resolved with a message on the user's screen saying to "disconnect and connect again for full access". To be investigated further: a CoA needs to be sent upon the user sponsoring their device.

A subsequent MAC auth by the client shows the user being put into the demo-sponsored role; CPPM reports the MAC auth as such.


The controller now shows the user in a demo-sponsored role with MAC auth.


These are inserted by the MAC Caching profile


On reception of the Sponsorship Confirmation CPG updates the endpoint's credentials. If the account's expiry time, enabled/disabled state or role_ID have changed, CPPM will initiate a CoA that disconnects the device. Alas, I have found this very unreliable in CPPM v6.3 Beta.

Thankfully, this CoA is not critical assuming the PreAuth role is similar/identical to the Sponsored role – when the PreAuth state expires the device’s account is already in a Sponsored state, the MAC Auth will automatically accept it.

On subsequent connection the device will be in the Sponsored State.

NOTE: This can cause problems if there is another available SSID – device will connect to that.


Account Expiry

If the device subsequently connects while the account has expired, it is blocked and placed in the demo-registration role.

If the account is disabled, this will trigger a CoA that will then put the device into the demo-registration role.

If expired, the MAC-Expires attribute has been purged and the device will hit the Expired role; it will be given the Expired role within CPPM.


Administrator Guest Account Control

CPG Active Account Disconnect

This forces the device to disconnect. The device immediately performs a new MAC Authentication – which is successful as no credentials have changed.

CPG Active Account Reauthorize

This allows you to dynamically change the role based on a CoA with Filter-ID = role name. This works fine.


CPG Disable Guest Account

Connected device is disconnected within 5 minutes. Believe this is related to the Lazy Poller?

Note: This seems to happen straight away now, and the device reconnects and is marked as expired and given demo-registration role.

CPG Delete Guest Account

Connected device is disconnected within 5 minutes. Account is removed.

The associated device in CPPM Endpoint Repository is not removed.

Extracting Guest Details

Use the CPG’s Guest Export Accounts to CSV and process in Excel looking for Role=demo-sponsored.
