Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authentication by Device Type?

  • 1.  Authentication by Device Type?

    Posted Feb 25, 2016 03:25 PM

    I'm trying to simplify wireless access for "smart" (actually dumb) devices getting onto our wireless. I'm planning on having an open SSID with a captive portal for guests to self-register for access, and I'd like to use that same SSID for these devices. I would want to have them simply connect to the SSID, get profiled by ClearPass, and have it either grant access or prompt the user to register based on device type (Smart TVs, Apple TVs, Game Consoles, etc.). I've tried testing this but haven't had any success as I always get the captive portal. I know that you can have users register their devices, and I'll use that as a last resort, but I'd really like them to not have to think about it. Is this possible? TIA!

     

    -Ryan



  • 2.  RE: Authentication by Device Type?

    EMPLOYEE
    Posted Feb 25, 2016 03:27 PM

    Can you post screenshots of your enforcement policy?



  • 3.  RE: Authentication by Device Type?

    Posted Feb 25, 2016 04:10 PM

    [Attachments: Screenshot (25).png, Screenshot (26).png]

    This is what I have in the role mapping & enforcement policies now. I first tried it with the Device Type equals Apple iPhone in the enforcement policy and haven't had any luck in either.



  • 4.  RE: Authentication by Device Type?

    EMPLOYEE
    Posted Feb 25, 2016 04:23 PM
    You need to use values from Authorization:[Endpoints Repository] Category,
    Device Name or OS Family. Also, be sure you have the endpoints repository as
    an authorization source.



    I'd recommend tagging the device type in the role map instead of a direct
    role name.



    For example:

    ROLE MAP:

    Authorization:[Endpoints Repository] Device Name EQUALS Apple iPhone
    Role = DEVICE_IPHONE

    ENFORCEMENT POLICY:

    Tips:Role EQUALS DEVICE_IPHONE
    AND Tips:Role EQUALS USER_FACULTY
    EP-FacStaff Role


  • 5.  RE: Authentication by Device Type?

    Posted Feb 26, 2016 03:21 PM

    Thank you Tim! Your guidance led me in the right direction. I had to add the endpoints repository to the authentication source AND use the [Allow All MAC AUTH] authentication method. I tested with my phone and a PC laptop and it's working as I want. Now I just need to add in all of my device types and bring some in to test with. Thanks again!



  • 6.  RE: Authentication by Device Type?

    Posted Apr 13, 2016 04:20 PM

    Just wanted to update this as I still don't have things working as I want. By changing the Authentication method to "Allow All Mac Auth", it was just accepting ALL devices, so nobody was getting dumped into the captive portal. I can really only get it working one way, or the other, but not with both. And it also seems to take two authentication attempts for my device to get the role I want.
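
Added example, not part of any post in this thread and not ClearPass code: a simplified Python model of the two-stage evaluation reply 4 describes, where the role map tags a device from its Endpoints Repository attributes and the enforcement policy picks a profile from the resulting roles. The `Category` values, the `DEVICE_CONSOLE` role, the `EP-Headless-Access` and `EP-Captive-Portal` profile names, the MAC addresses and the first-match-with-default evaluation are assumptions made for illustration.

```python
# Simplified model of role mapping followed by enforcement. Not ClearPass code.
# "Device Name" / "Category" and the DEVICE_IPHONE, USER_FACULTY and
# "EP-FacStaff Role" names come from the thread; everything else is constructed.

# Constructed stand-in for the Endpoints Repository, keyed by MAC address.
ENDPOINTS = {
    "02:00:00:00:00:01": {"Device Name": "Apple iPhone", "Category": "SmartDevice"},
    "02:00:00:00:00:02": {"Device Name": "Example Console", "Category": "Game Console"},
}

# Role map: every matching rule adds a tag (attribute, expected value, role).
ROLE_MAP = [
    ("Device Name", "Apple iPhone", "DEVICE_IPHONE"),
    ("Category", "Game Console", "DEVICE_CONSOLE"),  # hypothetical rule
]

# Enforcement policy: first rule whose required roles are all present wins.
ENFORCEMENT = [
    ({"DEVICE_IPHONE", "USER_FACULTY"}, "EP-FacStaff Role"),
    ({"DEVICE_CONSOLE"}, "EP-Headless-Access"),  # hypothetical profile
]
DEFAULT_PROFILE = "EP-Captive-Portal"  # hypothetical: used when no rule matches


def map_roles(mac, user_roles=()):
    """Tag the session with device roles derived from profiled attributes."""
    attrs = ENDPOINTS.get(mac.lower(), {})  # unprofiled endpoint: no attributes
    roles = set(user_roles)
    for attribute, expected, role in ROLE_MAP:
        if attrs.get(attribute) == expected:
            roles.add(role)
    return roles


def enforce(roles):
    """Return the first profile whose required roles are a subset of roles."""
    for required, profile in ENFORCEMENT:
        if required <= roles:
            return profile
    return DEFAULT_PROFILE


def authorize(mac, user_roles=()):
    return enforce(map_roles(mac, user_roles))


if __name__ == "__main__":
    for mac in list(ENDPOINTS) + ["02:00:00:00:00:99"]:
        print(mac, sorted(map_roles(mac)), "->", authorize(mac))
```

In this model an endpoint with no profile data never matches a device rule, so the default profile alone decides what it receives.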