New Contributor
Posts: 2
Registered: ‎01-28-2016

Authentication by Device Type?

I'm trying to simplify wireless access for "smart" (actually dumb) devices getting onto our wireless. I'm planning on having an open SSID with a captive portal for guests to self-register for access, and I'd like to use that same SSID for these devices. I would want to have them simply connect to the SSID, get profiled by ClearPass, and have it either grant access or prompt the user to register based on device type (Smart TVs, Apple TVs, Game Consoles, etc.). I've tried testing this but haven't had any success as I always get the captive portal. I know that you can have users register their devices, and I'll use that as a last resort, but I'd really like them to not have to think about it. Is this possible? TIA!

 

-Ryan

Guru Elite
Posts: 8,180
Registered: ‎09-08-2010

Re: Authentication by Device Type?

Can you post screenshots of your enforcement policy?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 2
Registered: ‎01-28-2016

Re: Authentication by Device Type?

[Screenshots: Screenshot (25).png, Screenshot (26).png]

This is what I have in the role mapping & enforcement policies now. I first tried it with the Device Type equals Apple iPhone in the enforcement policy and haven't had any luck in either.

Guru Elite
Posts: 8,180
Registered: ‎09-08-2010

Re: Authentication by Device Type?

You need to use values from Authorization:[Endpoints Repository] Category, Device Name or OS Family. Also, be sure you have the endpoints repository as an authorization source.

I'd recommend tagging the device type in the role map instead of a direct role name.

For example:

ROLE MAP:

Authorization:[Endpoints Repository] Device Name EQUALS Apple iPhone
Role = DEVICE_IPHONE

ENFORCEMENT POLICY:

Tips:Role EQUALS DEVICE_IPHONE
AND Tips:Role EQUALS USER_FACULTY
EP-FacStaff Role

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
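
The flow described in the reply above, as an added sketch that is not code from the thread or from ClearPass: a role map tags the session by endpoint attribute, and the enforcement policy matches on those tags, with everything unmatched falling through to the captive portal. DEVICE_IPHONE, USER_FACULTY and EP-FacStaff Role come from the reply; the other roles, profiles, attribute values, the evaluate-all role map and the first-match enforcement order are assumptions.

```python
# Simplified model of the role-map -> enforcement flow; not ClearPass code.
# DEVICE_IPHONE, USER_FACULTY and "EP-FacStaff Role" come from the thread;
# every other role, profile and attribute value below is hypothetical.

ROLE_MAP = [
    # (endpoint attribute, value it must equal, role tag to add)
    ("Device Name", "Apple iPhone", "DEVICE_IPHONE"),
    ("Category", "Television", "DEVICE_TV"),             # constructed value
    ("OS Family", "Game Console OS", "DEVICE_CONSOLE"),  # constructed value
]

ENFORCEMENT = [
    # (roles that must ALL be present, enforcement profile returned)
    ({"DEVICE_IPHONE", "USER_FACULTY"}, "EP-FacStaff Role"),
    ({"DEVICE_TV"}, "EP-Headless-Device"),
    ({"DEVICE_CONSOLE"}, "EP-Headless-Device"),
]
DEFAULT_PROFILE = "EP-Guest-Captive-Portal"


def map_roles(endpoint, user_roles=()):
    """Add one tag per matching role-map rule (assumed: all rules evaluated)."""
    roles = set(user_roles)
    for attribute, expected, role in ROLE_MAP:
        if endpoint.get(attribute) == expected:
            roles.add(role)
    return roles


def enforce(roles):
    """Assumed first-match order; a session matching no rule gets the portal."""
    for required, profile in ENFORCEMENT:
        if required <= roles:
            return profile
    return DEFAULT_PROFILE


def decide(endpoint, user_roles=()):
    return enforce(map_roles(endpoint, user_roles))


# Constructed endpoint records, keyed by the attribute names used in the thread.
SAMPLES = {
    "smart_tv": {"Category": "Television", "Device Name": "Example TV"},
    "console": {"OS Family": "Game Console OS"},
    "iphone": {"Device Name": "Apple iPhone"},
    "unprofiled": {},  # no profile data recorded yet
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name:10} -> {decide(record)}")
```

Because the device tag comes from profiling data rather than a credential, the profile it maps to is best scoped to what those devices actually need.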
Contributor I
Posts: 29
Registered: ‎12-07-2011

Re: Authentication by Device Type?

Thank you Tim! Your guidance led me in the right direction. I had to add the endpoints repository to the authentication source AND use the [Allow All MAC AUTH] authentication method. I tested with my phone and a PC laptop and it's working as I want. Now I just need to add in all of my device types and bring some in to test with. Thanks again!

Contributor I
Posts: 29
Registered: ‎12-07-2011

Re: Authentication by Device Type?

Just wanted to update this as I still don't have things working as I want. By changing the Authentication method to "Allow All Mac Auth", it was just accepting ALL devices, so nobody was getting dumped into the captive portal. I can really only get it working one way, or the other, but not with both. And it also seems to take two authentication attempts for my device to get the role I want.
