02-26-2013 06:48 AM
Looking for input on a specific challenge. We currently have mobile devices connecting to our corporate SSID via PEAP. We also have a TLS environment built; however, many laptops have now been configured for PEAP as well. This makes locking down the PEAP environment to a restricted role or captive portal difficult unless fingerprinting is used, considering there are thousands of laptops deployed that would be affected. We have been deploying Airwatch to all our mobile devices and consider any Airwatch devices trusted. Would there be a way to only allow mobile devices that have been configured with Airwatch on the corporate SSID? I see some integration with Airwatch, but it seems difficult to find details on that. If anyone has any experience with that integration, that would be great to hear.
03-04-2013 03:47 PM
I don't know much about Airwatch, but if the devices you really trust now are EAP-TLS (rather than PEAP)...
If those same devices are MS OS, why not do a GPO update to them to convert them to EAP-TLS? Once complete, change the PEAP-authenticated devices by setting a role via a RADIUS-returned attribute?
I'm guessing not all your "really trusted" devices are MS OS? Maybe you thought of this already?
07-22-2013 07:47 PM
With ClearPass, this is very doable. We can key off attributes in the TLS cert to add context. For example, IF TLS Cert value CONTAINS Airwatch, then allow access.
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos