ClearPass - Network Access Control (NAC) based on Windows Client OS Version and Build number

How to manage Windows client network access based on their OS version and build number in CPPM Enforcement Policies



Summary: to base an enforcement policy on the Windows OS build number you need OnGuard. The OnGuard agent reports the build through the Health Check (posture) service, and you can see the reported value in Access Tracker. Create a new Endpoint dictionary attribute to hold the value, then an enforcement profile that writes it into the Endpoint database from the Health Check service. From there the role-mapping or enforcement policies of your RADIUS services can reference the stored build number.


From CPPM > Monitoring > Live Monitoring > Access Tracker, find a request with Source = WEBAUTH and Service = Health Check Service, open it and go to the Input tab.

Scroll down to the Computed Attributes section; here you can find the version information collected by the OnGuard agent on the endpoint, such as:

Host:    OSArch            x86_64
Host:    OSName            Microsoft Windows 10 Enterprise Edition
Host:    OSNameVersion     Microsoft Windows 10 Enterprise (10.0.17134)
Host:    OSType            Windows 10


The steps below create the configuration needed to store the Windows build number and use it in policy.

From Administration > Dictionaries > Dictionary Attributes, create a new dictionary attribute with Entity = Endpoint, Name = OSNameVersion and Data Type = String, so the value can be stored exactly as OnGuard reports it.


From Configuration > Enforcement > Profiles, create a new enforcement profile of type ClearPass Entity Update Enforcement that writes the OS version information into the Endpoint table. On the profile's Attributes tab add:

Type = Endpoint, Name = OSNameVersion, Value = %{Host:OSNameVersion}

Then update the enforcement policy of the Health Check (posture) service so that its rules return this entity-update profile in addition to the posture enforcement profiles already in use.


Finally, update the enforcement policy (or role-mapping policy) of the RADIUS authentication service so that it checks the stored attribute, Endpoint:OSNameVersion, when selecting the enforcement profile to return, for example with a condition such as Endpoint:OSNameVersion CONTAINS 10.0.17134. Two things to keep in mind: the attribute is only populated after the endpoint has completed an OnGuard health check, so a client authenticating for the first time has no value and the policy needs a default rule that covers that case; and the RADIUS service only sees the new value on the next authentication (or after a CoA/bounce triggered from the health-check service's enforcement policy), not within the session in which OnGuard reported it.
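The value stored in Endpoint:OSNameVersion is a string ("Microsoft Windows 10 Enterprise (10.0.17134)"), so an "at least build N" rule cannot be expressed with EQUALS or CONTAINS alone, and a plain string comparison would rank 10.0.9600 above 10.0.17134. The Python below is an added illustration, not part of the original post or of ClearPass itself: it parses OnGuard-style OSNameVersion strings, makes the same decision a RADIUS enforcement policy would make (numeric build comparison, plus a separate outcome for endpoints that have not been health-checked yet), and generates a MATCHES_REGEX pattern that lists the accepted builds for use in the ClearPass condition. The MAC addresses, the non-17134 version strings and the enforcement profile names are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample endpoint records in the format OnGuard writes into
# Host:OSNameVersion. Only the 17134 string appears in the original post;
# the other entries are made-up test inputs, not captured data.
SAMPLE_ENDPOINTS = {
    "00-11-22-33-44-55": "Microsoft Windows 10 Enterprise (10.0.17134)",
    "00-11-22-33-44-66": "Microsoft Windows 10 Enterprise (10.0.9600)",   # old build
    "00-11-22-33-44-77": "Microsoft Windows 11 Enterprise (10.0.22631)",
    "00-11-22-33-44-88": "",  # never health-checked: endpoint attribute is empty
}

# OnGuard appends the version as "(major.minor.build)" at the end of the string.
_VERSION_RE = re.compile(r"\((\d+)\.(\d+)\.(\d+)\)\s*$")


def parse_build(os_name_version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, build) from an OSNameVersion string, or None if
    the attribute is empty or not in the expected format."""
    m = _VERSION_RE.search(os_name_version or "")
    if not m:
        return None
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def choose_profile(os_name_version: str, min_build: int = 17134) -> str:
    """Mirror the RADIUS enforcement-policy decision with a numeric comparison.
    Profile names are hypothetical. As strings, "9600" > "17134", which is why
    the build must be compared as an integer rather than lexically."""
    v = parse_build(os_name_version)
    if v is None:
        # No OnGuard data yet: the policy needs an explicit rule for this case.
        return "Quarantine-NoPosture"
    major, minor, build = v
    if (major, minor) >= (10, 0) and build >= min_build:
        return "Allow-Full-Access"
    return "Quarantine-Outdated"


def allowed_builds_regex(allowed: List[int]) -> str:
    """Build the pattern for a ClearPass condition of the form
    Endpoint:OSNameVersion MATCHES_REGEX <pattern>, enumerating accepted builds
    because the attribute is a string and cannot be compared numerically."""
    alts = "|".join(str(b) for b in sorted(set(allowed)))
    return rf"\(10\.0\.({alts})\)$"


def matches_allowed(os_name_version: str, allowed: List[int]) -> bool:
    """Evaluate the generated MATCHES_REGEX condition against one endpoint value."""
    return re.search(allowed_builds_regex(allowed), os_name_version or "") is not None


if __name__ == "__main__":
    for mac, value in SAMPLE_ENDPOINTS.items():
        print(mac, repr(value), "->", choose_profile(value))
    print("regex:", allowed_builds_regex([19045, 17134]))
```

When maintaining the accepted-build list in a MATCHES_REGEX condition, regenerate the pattern whenever a new build is approved; an endpoint with an empty attribute never matches the regex, so the enforcement policy still needs the default rule for not-yet-checked clients.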


I would like to give credit to Nimal Varampetran for posting the template for this solution on Airheads on April 21, 2021.
