Security

Reply
New Contributor
Posts: 2
Registered: ‎05-24-2016

Best way to distinguish a device type in clearpass

Hi All,

 

I'm new here and I've searched around but can't seem to find what I'm looking for!

 

My question is:

 

When using CPPM what is the best way to distinguish between different device types for the purposes of dynamic VLAN assignment and RBAC.

 

I know you can use:

DHCP thumbprinting

OS Type

OS Fmaily

MAC address groups

AD Computer Groups etc

 

I want to know from experience which of these you guys have had the best experience with?

 

The issue I'm working to solve is a best way of assigning devices to a specific VLAN and then based on the user logged in to them assigning a controller role to determin their access to the network.

 

An example is: 

 

If device is a chromebook and user logged on is staff then assign to chromebook user role and assign to VLAN 99. This design is to enable a network based web filter (I know most web filters are user centric these days but unfortunately we have no control over it) device to destinguish if the device is student or staff but limit the chromebook device to only speak with a management server and nothing else using PEF. So which way of defining the device type is best?

 

Hope that makes sense!

 

Look forward to hearing your suggestions.

 

Steve

 

MVP
Posts: 395
Registered: ‎05-09-2013

Re: Best way to distinguish a device type in clearpass

If your only concerned with Chromebooks, you can setup the Google Admin Console as an Endpoint Context Server, which would apply attributes including the device type as Chromebook, which you can then key off of. Otherwise, I've had pretty good success with DHCP fingerprinting, just add an IP helper address for ClearPass to the VLAN interfaces required. You could also using Profiling in the service, which would terminate session and force reconnect with device type now being known.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
New Contributor
Posts: 2
Registered: ‎05-24-2016

Re: Best way to distinguish a device type in clearpass

Thanks Michael,

 

That would be a good idea for the Chromebooks agreed, I'm also looking to do similar things with iOS devices and smart phones. So it needs to fit all device types.

 

Do you think pairing the admin console with one of the other methods will achieve the desired results of assigning controller roles to devices and VLAN's per user? I'm just concerned that if I opt for methods other than MAC address groups that we risk allowing any staff / student device on the network regardless of it being owned by the organisation.

 

Thanks again,

Steve

Aruba Employee
Posts: 2
Registered: ‎10-01-2013

Re: Best way to distinguish a device type in clearpass

Steve,

The only way I know of to make sure your school owned devices are the only ones getting on is to set an attribute in the endpoint database that is manually put in or only put in when a device is connected to a particular user or switch/AP.

 

For example, if you get a list of MAC addresses when you purchase a group of Chromebooks/iPhones/iPads, you could import them with the endpoint attribute of "School Owned" = True (for example) and then key on that attribute along with the User authentication to allow them on the correct VLAN, etc.

 

If you don't get that list, but you have to get the devices out of the box and make sure they have a config on them, make sure they connect to a "Lab" AP/Switch and have a rule that if they connect to that AP/Switch, then add the attribute "School Owned" = True.

 

The general idea is that you have to do something "Out of Band" (like these 2 examples) of the normal user connection.  Maybe think of it as a "Virtual Asset Tag"

 

Thanks!
Chuck

MVP
Posts: 395
Registered: ‎05-09-2013

Re: Best way to distinguish a device type in clearpass

You could also use the profiler in the ClearPass service.

 

Any OS / Make / Model = Aruba Terminate Session. 

 

It would send a COA to the controller, make sure you have ClearPass setup as an RFC3576 server and in ClearPass you have the controller enabled for RFC3576 in the network device settings. 

 

You could then put logic into the Role Mapping policy for the service that checks things such as:

 

IF Device OS = Chrome THEN Assign role CHROMEBOOK

IF Device OS = Windows THEN Assign role WINDOWS PC

IF Device OS = Apple THEN Assign role MACBOOK

IF AD memberOf = Staff THEN Assign role STAFF

IF AD memberOf = Student THEN Assign role STUDENT

 

I would do evaluate all in the Role Mapping, then in the Enforcement, just need to combine the roles and assign the VLAN / User Role assignments based on the combinations. Always put the most specific on top, for example:

 

TIPS Role MATCHES ALL = Chromebook, Staff THEN Action = VLAN 1, User Role Staff

TIPS Role MATCHES ALL = Chromebook, Student THEN Action = VLAN 2, User Role Student

TIPS Role MATCHES ALL = Chromebook THEN Action = VLAN 3, User Role Chromebook

 

You can filter on Machine Authentications and User Authentications as well to identify if it's a domain joined machine or personal machine. If it machine authenticates successfully, it's company owned.

 

Chromebooks - Use Google Admin Console to identify if they are company owned

Windows - Use Machine Authentication (if their domain joined)

Macbooks - May need to find another attribute or use Generic SQL query to check a database of the devices.

Mobile Devices - Use MDM such as AirWatch


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Search Airheads
Showing results for 
Search instead for 
Did you mean: