Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Best way to authenticate general used devices

  • 1.  Best way to authenticate general used devices

    Posted Jul 31, 2013 08:33 AM

     

    Hello,

     

    I'm having doubts about the best solution for connecting some iPads and Android tablets to our network. Those tablets are used by several people in our warehouse to look up information on the internet and e-mail working sheets to team leaders. The devices are used by other people after a couple of hours. Those people are sometimes from an external employment agency, or are employees without a personal account in our Active Directory.

     

    My question is, what is the best way to deal with this? We already have some wireless networks with separate SSIDs broadcasting in our company, but this is with AD user authentication for employee mobile devices, with AD computer authentication for company laptops, or with a ClearPass Guest portal for guest internet access. Each of these has its own SSID with a Virtual AP.

     

    What should work for this? My first idea is local accounts with ClearPass; this way we can create personal local accounts in ClearPass and create a separate SSID for those devices, but this way the accounts can also be used for other devices or told to other people. The account is not bound to the device, or can there be a combination, so that the user account is bound to a MAC address? Or is there a better/easier way to manage this? Is it better to look into ClearPass Onboard for this purpose?

     

    The current products we use are:

     

    Aruba 3600 controllers with firmware 6.2.1.2

    Clearpass 6.1.2.53442

     

    Any help is appreciated.

     

    Thank you in advance.

     

    Kind regards,

    Roland




  • 2.  RE: Best way to authenticate general used devices
    Best Answer

    EMPLOYEE
    Posted Jul 31, 2013 09:23 AM

    A couple of suggestions.

     

    1. Bind the MAC address to that user account in a ClearPass role map.  For the user account, you can match on a memberof, userID, or simply check the source as "local user repository".  

     

    For example:

     

    [Screenshot attachment: Screen Shot 2013-07-31 at 9.20.26 AM.png]

     

    OR

     

    [Screenshot attachment: Screen Shot 2013-07-31 at 9.20.50 AM.png]

     

    That role would define an action (Aruba User Role) in your service's enforcement policy.  

     

    Now...I would urge you to reduce the amount of SSIDs in your environment.  There is no reason why these tablets cannot use the same SSID as your AD authenticated SSID.  Using context within ClearPass, we can assign a role and even tie a different VLAN to that role if needed in the controller.



  • 3.  RE: Best way to authenticate general used devices

    EMPLOYEE
    Posted Jul 31, 2013 09:25 AM

    Another option is to use ClearPass Onboard to install a TLS certificate on those devices.  How many are we talking about?  With 6.2, we can even take them under MDM management!!! (iOS only at launch)



  • 4.  RE: Best way to authenticate general used devices

    Posted Jul 31, 2013 09:32 AM

     

    See if this helps you out

     

    You can have two SSIDs:

    - One for Corporate Users / Employee Role
       * Employee BYOD Role and another VLAN <allow only internal things if you want to restrict those>

    - One for Guest / Guest Role <deny internal access and only allow internet/VPN access>

    One of the things that you can do is match in ClearPass based on the device type and place them in a particular ROLE (more restrictive) using the same Service you are currently using to authenticate your Corporate users.

     

    Here's an example of how you can do this:

     

    http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/CPPM-RADIUS-Authenticatiion/m-p/87764#M2875

     

     Edit : Seth beat me to it



  • 5.  RE: Best way to authenticate general used devices

    Posted Jul 31, 2013 10:24 AM

    Hello Seth and Victor,

     

    Thank you both for the answers. I will try to set this up and bind the MAC address with the role mapping. I will use an existing service and the existing SSID we already use. I assume that I need to create a device group with the MAC addresses for the tablet devices, or do I need to have the static host list for this purpose?

     

    Seth, about ClearPass Onboard: to start with it will be a test only for 10 - 20 devices; if the test is successful more devices are added. The first one is going to be tested with an iPad, but later on Android devices will also be used. Is this still an option for us, and what is the benefit? We use ClearPass Enterprise licenses and still have enough available when I look in the licensing.

     

    What is recommended?

     

    Thanks again,

    Roland



  • 6.  RE: Best way to authenticate general used devices
    Best Answer

    EMPLOYEE
    Posted Jul 31, 2013 10:54 AM

    You create a static host list in CPPM - Configuration --> Identity --> Static Host List.  It isn't a device group...that is for NASs.

     

    The static host list + username in a role map should accomplish what you are looking to do.  OnBoard will add the capability of installing a TLS certificate which can be used to designate a role differentiation on the controller.  In addition, with 6.2, we have released WorkSpace and MDM management for iOS.  Here, we can actively manage the iOS device and over the air restrict, change, etc... device level settings like the camera, iCloud, iTunes, sharing, etc...  We can also remote wipe and lock the device as well.  

     

    You should be able to use the starter enterprise licenses to begin your testing.  Keep in mind that OnBoard doesn't use the elastic averaging licensing model.  Once you deploy a cert, your license count decrements by 1 until you revoke/delete that cert.

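    The rule Seth describes in posts 2 and 6 (local-repository user AND MAC in the static host list, else fall through to a more restrictive role) can be modelled in a few lines so you can see what a shared account gets when it is typed into a device that is not on the list. The following is an added example, not ClearPass code and not from the thread: the account name, MAC addresses, role names and Aruba-User-Role values are constructed, first-match rule evaluation is assumed, and the MAC normalisation helper only exists because different NAS types send Calling-Station-Id in different formats.

```python
import re

def normalize_mac(raw):
    """Collapse Calling-Station-Id variants (AA-BB-CC-DD-EE-FF, aa:bb:..., aabbcc...)
    into 12 lowercase hex digits so list membership is format-independent."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

# Constructed stand-ins for the CPPM objects discussed in the thread:
# Configuration --> Identity --> Static Host List, and a local user account.
STATIC_HOST_LIST = {normalize_mac(m) for m in
                    ("00-11-22-AA-BB-01", "00:11:22:aa:bb:02", "001122aabb03")}
LOCAL_TABLET_ACCOUNTS = {"warehouse-tablet"}

# --- role-mapping conditions (one per rule row) ---

def is_shared_tablet(req):
    """Local-repository user AND the device MAC is in the static host list."""
    return (req["Authentication-Source"] == "[Local User Repository]"
            and req["User-Name"] in LOCAL_TABLET_ACCOUNTS
            and normalize_mac(req["Calling-Station-Id"]) in STATIC_HOST_LIST)

def is_ad_employee(req):
    """AD-authenticated user that is memberOf a constructed employee group."""
    return (req["Authentication-Source"] == "AD"
            and "Domain Users" in req.get("memberOf", ()))

# Rules evaluated top to bottom, first match wins (assumed evaluation order).
ROLE_MAPPING = [
    (is_shared_tablet, "Warehouse-Tablet"),
    (is_ad_employee, "Employee"),
]
DEFAULT_ROLE = "Restricted"   # constructed: what an unmatched request receives

# Enforcement policy: ClearPass role -> attribute returned to the controller.
# The Aruba-User-Role values are constructed examples, not defaults.
ENFORCEMENT = {
    "Warehouse-Tablet": {"Aruba-User-Role": "warehouse-tablet"},
    "Employee": {"Aruba-User-Role": "employee"},
    "Restricted": {"Aruba-User-Role": "logon"},
}

def map_role(req):
    """Return the first ClearPass role whose condition matches the request."""
    for condition, role in ROLE_MAPPING:
        if condition(req):
            return role
    return DEFAULT_ROLE

def enforce(req):
    """Role mapping followed by enforcement: the attributes sent in Access-Accept."""
    return ENFORCEMENT[map_role(req)]

if __name__ == "__main__":
    # Constructed requests: the shared account from a listed tablet, the same
    # account typed into someone's personal phone, and an AD employee.
    listed = {"User-Name": "warehouse-tablet", "Calling-Station-Id": "00:11:22:AA:BB:01",
              "Authentication-Source": "[Local User Repository]"}
    leaked = dict(listed, **{"Calling-Station-Id": "00-11-22-AA-BB-FF"})
    employee = {"User-Name": "jdoe", "Calling-Station-Id": "001122aabb99",
                "Authentication-Source": "AD", "memberOf": ["Domain Users"]}
    for name, req in (("listed tablet", listed), ("leaked credential", leaked),
                      ("AD employee", employee)):
        print(f"{name:18} -> {map_role(req):18} {enforce(req)}")
```

The point the model makes visible is the one Roland was worried about in the question: the local account on its own is a shared secret, but because the rule ANDs it with the static host list, the same credential typed into a device that is not on the list falls through to the restrictive default instead of the tablet role. Keep the tablet accounts out of any other rule that grants access on username alone, or the binding is bypassed by that rule.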


  • 7.  RE: Best way to authenticate general used devices

    Posted Aug 06, 2013 04:10 AM

    Nice, this is working as expected. 

     

    Thanks!

     

    Roland

     

     



  • 8.  RE: Best way to authenticate general used devices

    Posted Aug 06, 2013 02:12 PM

    Seth,

    Can you clarify this statement for me?
    " Once you deploy a cert, your license count decrements by 1 until you revoke/delete that cert."

    My understanding is that a revoked cert still counts toward your overall license count, whereas a deleted cert would not.  



  • 9.  RE: Best way to authenticate general used devices

    EMPLOYEE
    Posted Aug 06, 2013 11:01 PM

    Here is a section from the lic guide

     

    • ClearPass Onboard Licensing


    ClearPass Onboard takes a slight departure from the authenticating endpoint licensing scheme discussed for all of the previous products. Onboard is essentially enrolling and provisioning a device onto the secure customer network and hence is licensed per device that passes through the onboarding process.


    For example, in a classic BYOD scenario in a customer environment that has 500 employees, the estimated number of devices could be a phone and tablet per employee. This results in a capacity requirement for 1000 devices that will require onboarding.


    As each device is enrolled onto the network and provisioned with a unique device credential, this credential will become the identifier for the Onboard license manager. While that device retains a valid device credential that has not expired or been administratively revoked and deleted, the Onboard license will be considered utilized.