Connecting the world…

ClearPass & Sophos Mobile Control

A lot of companies are using MDM to control and manage their (mobile) assets. By connecting the MDM solution to HPE Aruba ClearPass, an organization gains advanced context-aware access control for (mobile) devices on the corporate network, wired and wireless. ClearPass supports multiple MDM solutions via built-in “External Context Servers”, like AirWatch and MobileIron.

The MDM solution from Sophos, Sophos Mobile Control, has no built-in integration with ClearPass. I needed to help a customer link ClearPass with Sophos Mobile Control, because the customer would like to distinguish BYOD devices from corporate devices. All corporate devices are managed via Sophos Mobile Control. In this setup, Sophos Mobile Control uses an MSSQL database to store all relevant information. One of the tables in the MSSQL database stores the Wi-Fi MAC address of the asset. I use this table to distinguish the BYOD devices from the corporate devices: if the MAC address of the device is present in the database, the device is a corporate device.

I started by adding the MSSQL database as an authentication source to the ClearPass configuration. The customer created a dedicated SQL user with read-only access to the database. The MSSQL database is added in ClearPass under Configuration – Authentication – Sources. I added a source of the type “Generic SQL DB”.

The next step involves the creation of a proper SQL filter statement. I would like to have the Wi-Fi MAC address as output from the SQL filter. The following SQL filter is used for this (with special thanks to the customer, who had some more experience with SQL statements!!!!).

    SELECT LOWER(deviceproperty.value) AS mac_address
    FROM deviceproperty
    INNER JOIN device ON deviceproperty.deviceid = device.deviceid
    WHERE deviceproperty.propertykey = 'Wi-Fi MAC address'
      AND device.managed = 'managed'
      AND deviceproperty.value = '%{Connection:Client-Mac-Address-NoDelim}';

I would like to use the MAC address as a string in the authentication/authorization process. In the end I will check whether the MAC address in the RADIUS request matches a MAC address in the Sophos MDM database. The SQL filter is added in the Filter option within the Authentication Source, as in the image below. Just go to the Attributes tab and choose the option Add More Filters.

The Authentication Source is added to the appropriate Service as Authorization Source. I always add the Source first, before I start to configure some Roles and Role Mappings, because I would like to see which output I receive from the MSSQL database. There are two possible outcomes:

  1. The MAC address exists in the MSSQL database
  2. The MAC address doesn’t exist in the MSSQL database

If the MAC address exists in the MSSQL database, you will see the value of the MAC address in the Access Tracker.

As you can see, the MAC address is listed without any delimiter. If the MAC address doesn’t exist in the database, the MAC address won’t be listed in the Access Tracker and you will see the following Alert Message.

Now that we know which information we receive in the Access Tracker during an authentication request, we can configure the correct Roles and Role Mappings. In this example I assign the Role [VDI Trusted] to the device when the MAC address of the device equals the MAC address in the MSSQL database.

The last step is easy. Just configure the appropriate Enforcement Policy and Profile that match the Role and set the correct attributes on the Wi-Fi or wired network.
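To make the whole chain visible end to end, here is an added example (not code from the post, ClearPass or Sophos) that replays the lookup described above outside ClearPass: it normalises a RADIUS Calling-Station-Id to the 12-hex-digit form ClearPass exposes as Connection:Client-Mac-Address-NoDelim, runs the same join over the device and deviceproperty tables, and maps the result to the [VDI Trusted] role or to BYOD. It assumes an in-memory SQLite database standing in for the MSSQL database; the table and column names come from the SQL filter in the post, everything else about the schema, the sample rows and the "BYOD" role name are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for the two Sophos Mobile Control tables the filter
# joins. Column names follow the filter in the post; the rest is assumed.
DEVICES = [(1, "managed"), (2, "managed"), (3, "unmanaged")]
DEVICE_PROPERTIES = [
    (1, "Wi-Fi MAC address", "A0B1C2D3E4F5"),  # corporate laptop, stored uppercase
    (2, "Wi-Fi MAC address", "0011223344aa"),  # corporate phone, stored lowercase
    (2, "Serial number", "SMC-0002"),          # unrelated property, must not match
    (3, "Wi-Fi MAC address", "deadbeef0001"),  # enrolled once, no longer managed
]

MAC_NODELIM = re.compile(r"^[0-9a-f]{12}$")


def to_nodelim(calling_station_id: str) -> str:
    """Normalise a RADIUS Calling-Station-Id to ClearPass' NoDelim form:
    12 lowercase hex digits without delimiters. Accepts the usual notations
    (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff).
    The value is supplied by the client, so anything else is rejected before
    it gets near the database."""
    mac = re.sub(r"[:\-.]", "", calling_station_id).lower()
    if not MAC_NODELIM.match(mac):
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return mac


def build_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MSSQL database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE device (deviceid INTEGER PRIMARY KEY, managed TEXT NOT NULL);
        CREATE TABLE deviceproperty (
            deviceid INTEGER NOT NULL, propertykey TEXT NOT NULL, value TEXT NOT NULL);
        """
    )
    conn.executemany("INSERT INTO device VALUES (?, ?)", DEVICES)
    conn.executemany("INSERT INTO deviceproperty VALUES (?, ?, ?)", DEVICE_PROPERTIES)
    return conn


# Same join and conditions as the ClearPass filter; the %{...} substitution is
# replaced by a bound parameter. LOWER() on the compared column is added because
# SQLite compares case-sensitively, whereas a default MSSQL collation does not.
FILTER_SQL = """
SELECT LOWER(deviceproperty.value) AS mac_address
FROM deviceproperty
INNER JOIN device ON deviceproperty.deviceid = device.deviceid
WHERE deviceproperty.propertykey = 'Wi-Fi MAC address'
  AND device.managed = 'managed'
  AND LOWER(deviceproperty.value) = ?
"""


def lookup_mac(conn: sqlite3.Connection, calling_station_id: str):
    """Return the mac_address attribute the filter yields, or None when the
    device is not a managed device in the MDM database (the Access Tracker
    'alert' case from the post)."""
    mac = to_nodelim(calling_station_id)
    row = conn.execute(FILTER_SQL, (mac,)).fetchone()
    return row[0] if row else None


def assign_role(conn: sqlite3.Connection, calling_station_id: str) -> str:
    """Role mapping from the post: [VDI Trusted] when the returned mac_address
    equals the client MAC; otherwise the device is treated as BYOD (assumed name)."""
    mac = to_nodelim(calling_station_id)
    return "[VDI Trusted]" if lookup_mac(conn, calling_station_id) == mac else "BYOD"


if __name__ == "__main__":
    db = build_db()
    for station in ("A0:B1:C2:D3:E4:F5", "0011.2233.44AA", "de-ad-be-ef-00-01", "ff:ff:ff:ff:ff:ff"):
        print(station, "->", lookup_mac(db, station), assign_role(db, station))
```

Two details are worth carrying back to the real deployment. First, the filter only returns a row for devices whose managed column is 'managed', so a device that was enrolled and later retired falls through to BYOD rather than keeping its trusted role. Second, the match is on a MAC address, which the client reports and can set freely; the lookup tells you the device is known to the MDM, and the Enforcement Policy should combine that with whatever user or certificate authentication the service already performs rather than granting access on the MAC alone.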

Sophos UTM – An unsupported mechanism

I got some strange issues / problems while testing a Sophos UTM appliance with 9.004-34 software. The Web Security feature is filtering requests and using client authentication. The proxy is using Standard Mode with Active Directory SSO authentication. I tested the proxy by changing the proxy settings on a Citrix server. Everything was working without any problems. Next I tried some standalone workstations and laptops, including my own.

I wasn’t able to authenticate. I got an Authentication Failed in my browser and noticed the following entry in the Web Filter logging.

adir_auth_process_negotiate (auth_adir.c:311) gss_accept_sec_context: An unsupported mechanism was requestedNo error

I didn’t know where to look. I tried different things, like rejoining the Sophos UTM to Active Directory, rebooting the appliance and changing the proxy settings. When using the IP address of the Sophos UTM in the proxy settings, the authentication mechanism NTLM is being used. When using the hostname or a DNS alias, the authentication mechanism Kerberos is being used.

After some more testing I noticed that authentication failures only occurred when using Kerberos authentication. I did some more research on the internet and found a lot of people complaining about this issue and blaming the “Windows Live ID Sign-In” component. My browser included this add-on. I disabled it in Internet Explorer, but that didn’t help. I stopped the service via msconfig, but that didn’t help either. Eventually I uninstalled the complete Windows Live Essentials suite from my laptop. This solved the problem!!!

Uninstalling the Windows Live Essentials component from the other laptops and workstations also resolved their problems. Until now I still don’t know why Windows Live Essentials “breaks” the Kerberos authentication process.

Sophos UTM – WebAdmin access via proxy and IE9

I just configured a Sophos UTM cluster based on software version 9. I was able to configure the appliance via WebAdmin and I could access the User Portal without any problems. The customer is using a Citrix based environment with Internet Explorer 9. IE9 is configured to use the Sophos UTM cluster as proxy server. The customer was able to access the User Portal, but he couldn’t access the WebAdmin page.

When they tried to access the WebAdmin page, the page wasn’t shown correctly. The page was crippled and the login fields for entering username and password didn’t appear. We tried different settings, like adding the page to the trusted websites and to the proxy exemptions. Nothing seemed to help. We asked mighty Google for help and found the following thread.

The following snippet from the thread solved the problem:

Had one of my guys have this problem already… remove the URL for the UTM from the Compatibility View list (in his case, he had to uncheck the “view intranet sites in compatibility view” checkbox in IE).

The customer changed this Group Policy Object in Active Directory and everybody was happy.