AAA, NAC, Guest Access & BYOD

How to configure device limitations for different users in ClearPass OnBoard?
Requirement:

How to configure device limitations for different users in ClearPass OnBoard?



Solution:

It is possible to configure Clearpass to allow few users to Onboard more devices than the global limit.



Configuration:

It is assumed that we have a working Onboard setup. Onboard provisioning settings is configured to allow one device per user using RADIUS protocol for authorization as shown below:

If the requirement is to allow to certain groups of users to Onboard more devices than other users, then you can follow the below procedure.

To allow the users that are memberof Domain Admins group in the Active Directory to Onboard more than 1 device, we can use the following enforcement profile.

In this example, we want to allow Domain Admins Onboard 2 devices. The conditions and the number are devices are variable. Domain Admin group is chosen as an example.

Navigate to:

1. Configuration » Enforcement » Profiles » Edit Enforcement Profile. 
2. Select Aruba Radius enforcement template and navigate to Attributes tab and select Aruba-Mdps-Max-Devices attribute and set to 2, as shown below:

 

3. Navigate to Configuration » Services » Edit - Onboard Authorization Service and apply as shown below. Set the default profile to [Allow access Profile] which will apply the Max devices count for other users, as specified in the provisioning profile.

 



Verification

If a normal user, who is not part of Domain Admins group, tries to Onboard the second device, they will get the following message during the provisioning process and QuickConnect logs on Windows & Android would exit with Error HTTP status code - 403(Forbidden).

A similar error can be seen in ClearPass Guest application logs as shown below:

 

Note:

If you have Onboard Authorization configured with App-Auth, then we can use the following enforcement profile:

Navigate to:

1. Configuration » Enforcement » Profiles.

2. Select Generic application enforcement template and set the ClearPass:Onboard-Max-Devices to required limit and apply this enforcement profile to Onboard App-Authorization service.

 

 

Version History
Revision #:
2 of 2
Last update:
‎09-01-2016 09:56 AM
Updated by:
 
Labels (1)
Contributors
Comments
p3rl

Useful article (Y) ! 

__________________ 

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.