Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Best SSID Strategy for BYOD Students and Employees

  • 1.  Best SSID Strategy for BYOD Students and Employees

    Posted Apr 27, 2015 11:40 AM

    Hello, if this has been asked before I apologize.  We have Aruba 7210 controllers (2 for redundancy), we have a Clearpass Enterprise license, Airwave and Aruba Wi-Fi APs.  Just curious what you all recommend as far as SSIDs and captive portals.  We have basically 4 categories of devices we want to connect to the Wi-Fi:

    • College-owned and college-managed Windows laptops, iPads, iPhones and Chromeboxes
    • Classroom technology and other vendor-managed devices that need access to various internal resources and the internet.  Not necessarily trusted devices, usually with outdated and unpatched OSes
    • Employee BYOD like personal phones and laptops
    • Student BYOD like personal phones and laptops

    So currently we have one SSID open with no password or captive portal or anything and this is for students.  We then have a WPA2-RADIUS (Clearpass > Active Directory) SSID for employees.  My question is: is there a better way to handle this?  I've heard you can have one SSID for everyone and then there's user/device-profiling but I know nothing of this.  Should we have 4 SSIDs per the 4 categories above?  Should we have our captive portal(s) in Clearpass or on the controllers?  Anyway just curious if anyone else has had success with a particular strategy, thanks.




  • 2.  RE: Best SSID Strategy for BYOD Students and Employees

    EMPLOYEE
    Posted Apr 27, 2015 11:42 AM

    SSID #1: Open or PSK, guests and non-1X capable devices (printers, media players, etc.)


    SSID #2: WPA2-AES 802.1X to handle all devices that support 1X. ClearPass can be used to assign user-roles, VLANs, etc based on your identity stores and profiling data.



  • 3.  RE: Best SSID Strategy for BYOD Students and Employees

    Posted Apr 27, 2015 11:45 AM

    Ok, thanks.  What criteria do you use to assign profiles in Clearpass?  MAC address only?  I was hoping for some more secure way of profiling but I don't know how to do that...any help you can give would be appreciated, thanks.



  • 4.  RE: Best SSID Strategy for BYOD Students and Employees

    EMPLOYEE
    Posted Apr 27, 2015 11:47 AM

    It would really depend on what result you want.


    You can combine:

    • Device type
    • User group membership
    • User attributes
    • Onboard CA
    • Posture
    • Time of day
    • Location
    • MAC address


    Are you working with an Aruba partner?



  • 5.  RE: Best SSID Strategy for BYOD Students and Employees

    Posted Apr 27, 2015 11:48 AM

    @cappalli wrote:

    It would really depend on what result you want.


    You can combine:

    • Device type
    • User group membership
    • User attributes
    • Onboard CA
    • Posture
    • Time of day
    • Location
    • MAC address


    Are you working with an Aruba partner?


    Thanks.  We bought all our Aruba stuff through CDW.  Should I reach out to them?  Thanks.



  • 6.  RE: Best SSID Strategy for BYOD Students and Employees

    EMPLOYEE
    Posted Apr 27, 2015 11:52 AM
    If they do ClearPass support, then yes, I would.



    These types of questions are difficult sometimes on the forums because the end goal needs to be scoped out.


  • 7.  RE: Best SSID Strategy for BYOD Students and Employees

    Posted Apr 27, 2015 11:58 AM

    @cappalli wrote:
    If they do ClearPass support, then yes, I would.



    These types of questions are difficult sometimes on the forums because the end goal needs to be scoped out.

    Ok, thanks, I'll send them an email.



  • 8.  RE: Best SSID Strategy for BYOD Students and Employees

    EMPLOYEE
    Posted Apr 27, 2015 11:50 AM

    You are also going to need to figure out a way to differentiate between personal device versus University owned device. We can do this several ways...


    1. Is there an asset tracking DB which has all the corporate-owned devices' Wi-Fi MAC addresses?

    2. Are you exploring an MDM vendor like Mobile Iron (you can mark devices as Corporate Owned there)?


    Here is another option you can do...


    Give each department head an account to OnBoard the department's shared devices (laptop carts, iOS, etc.). Make only those accounts able to OnBoard (AD memberOf attribute). This moves the management of these mobile carts off of IT/HelpDesk and onto the departments themselves.


    I also recommend looking into our Standalone QuickConnect. You can add a link to the captive portal page that says something like "Students: Tired of having to log in? Click here to switch to the SECURE Wi-Fi Network!"
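
A toy model, added here and not ClearPass code, of how the criteria from replies 2, 4 and 8 (SSID, authentication method, AD group, asset inventory) combine into one role decision per client; ClearPass enforcement policies are built in its GUI, and every MAC, inventory entry and AD group below is a constructed placeholder:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical): Wi-Fi MACs from the college's asset
# inventory, MACs of vendor-managed classroom gear, and AD group memberships.
COLLEGE_INVENTORY = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
CLASSROOM_DEVICES = {"de:ad:be:ef:00:01"}
AD_GROUPS = {
    "jdoe": {"Employees"},
    "sstudent": {"Students"},
    "avhead": {"Employees", "Onboard-Admins"},
}


@dataclass
class Request:
    ssid: str                    # "Open" (SSID #1) or "Secure" (SSID #2, WPA2-AES 802.1X)
    auth: str                    # "mac", "peap" or "eap-tls"
    mac: str                     # client MAC as seen by the controller
    user: Optional[str] = None   # 802.1X identity, absent on the open SSID


def assign_role(req: Request) -> str:
    """Return the user-role the controller/PEF would enforce for this client."""
    mac = req.mac.lower()
    groups = AD_GROUPS.get(req.user or "", set())

    if req.ssid == "Secure" and req.auth in ("peap", "eap-tls"):
        # Only an authenticated identity unlocks anything; an unknown user is denied.
        if not groups:
            return "deny"
        # College-managed: a verified 802.1X identity AND a MAC from the inventory.
        if mac in COLLEGE_INVENTORY:
            return "college-managed"
        if "Employees" in groups:
            return "employee-byod"
        if "Students" in groups:
            return "student-byod"
        return "deny"

    if req.ssid == "Open":
        # No identity here. A MAC is not a secret, so an inventory match on the
        # open SSID is not treated as proof of a college-owned device.
        if req.auth == "mac" and mac in CLASSROOM_DEVICES:
            return "classroom-device"   # restricted role: required internal resources + internet
        return "guest-portal"           # captive portal, internet only

    return "deny"


def can_onboard(user: str) -> bool:
    """Only department-head accounts (AD memberOf) may onboard shared devices."""
    return "Onboard-Admins" in AD_GROUPS.get(user, set())
```

The point the original poster asks about in the next reply is visible in the two open-SSID cases: the same inventory MAC earns the college-managed role only when it arrives with an 802.1X identity behind it.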



  • 9.  RE: Best SSID Strategy for BYOD Students and Employees

    Posted Apr 27, 2015 11:57 AM

    @zjennings wrote:

    You are also going to need to figure out a way to differentiate between personal device versus University owned device. We can do this several ways...


    1. Is there an asset tracking DB which has all the corporate-owned devices' Wi-Fi MAC addresses?

    2. Are you exploring an MDM vendor like Mobile Iron (you can mark devices as Corporate Owned there)?


    Here is another option you can do...


    Give each department head an account to OnBoard the department's shared devices (laptop carts, iOS, etc.). Make only those accounts able to OnBoard (AD memberOf attribute). This moves the management of these mobile carts off of IT/HelpDesk and onto the departments themselves.


    I also recommend looking into our Standalone QuickConnect. You can add a link to the captive portal page that says something like "Students: Tired of having to log in? Click here to switch to the SECURE Wi-Fi Network!"


    Thank you Zach.  Answer to question 1:  yes, we have an inventory and we have all the Wi-Fi MAC addresses of the college-owned devices.  Answer to number 2:  We are trying to just use what we have already purchased, so there are no plans to get an MDM in the near future, but we are aware of those types of systems.  As regards your recommendation to give dept heads OnBoard access:  that sounds neat, but wouldn't that require additional "Onboard" licenses (which we are trying to avoid)?  If it does not, do you happen to be able to point me to specific steps (or a YouTube video) that show how this device onboarding process works?  And how it is more secure than just MAC address authentication?  And how I would set all that up on both Clearpass and the controllers?  Sorry...Thanks.