Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Blocking Devices Through ClearPass

  • 1.  Blocking Devices Through ClearPass

    Posted Jan 23, 2015 08:50 AM

    Before I decide to call Aruba I was wondering if anyone can point me in the right direction or towards the right document.

     

    We are in a school and had just implemented ClearPass this past summer. Everything is working great through the way we set it up, but now we are being asked to start blocking devices from getting online. Here is an example:

     

    Our school is allowing students to bring just iPads to school. We do not want them to get other devices (Windows, iPhone, Android, OSX) on our network. What is the best practice to block those other devices, and can we drill down to type (iPad yes, iPhone no), or is it OS based?

     

    Thanks



  • 2.  RE: Blocking Devices Through ClearPass

    EMPLOYEE
    Posted Jan 23, 2015 08:52 AM
    How are the approved devices authenticating? Onboard? 


    Thanks, 
    Tim


  • 3.  RE: Blocking Devices Through ClearPass

    Posted Jan 23, 2015 08:54 AM

    The devices are approved through authentication in AD with RADIUS on a Windows Server.



  • 4.  RE: Blocking Devices Through ClearPass

    EMPLOYEE
    Posted Jan 23, 2015 08:57 AM
    Hm. Ok. Any reason you're not using ClearPass for radius? We could accomplish what you're trying to do if ClearPass is configured as your radius server. 


    Thanks, 
    Tim


  • 5.  RE: Blocking Devices Through ClearPass

    Posted Jan 23, 2015 09:01 AM

    No I was wrong I believe we are using ClearPass for radius.



  • 6.  RE: Blocking Devices Through ClearPass

    EMPLOYEE
    Posted Jan 23, 2015 09:07 AM
    Are you using Aruba controllers? 

    Apple does not use unique fingerprints for iOS so devices tend to all profile the same so you would potentially allow iPhones on top of iPads. If you have Aruba controllers, we can get more creative. 


    Thanks, 
    Tim


  • 7.  RE: Blocking Devices Through ClearPass

    Posted Jan 23, 2015 09:08 AM

    Thank you for your replies. I am pretty raw with a lot of this stuff and I appreciate your time.

     

    We have an Aruba 7210 controller and Airwave as well.




  • 8.  RE: Blocking Devices Through ClearPass

    EMPLOYEE
    Posted Jan 23, 2015 09:11 AM
    Ok. Give me a few to mock something up for you :)


    Thanks, 
    Tim


  • 9.  RE: Blocking Devices Through ClearPass

    Posted Jan 23, 2015 09:13 AM

    Awesome thanks



  • 10.  RE: Blocking Devices Through ClearPass

    EMPLOYEE
    Posted Jan 23, 2015 10:06 AM

    First you'll want to setup IFMAP.

     

    • Start in ClearPass and navigate to Administration > Users and Privileges > Admin Users
    • Create a new user and call it something like controller-ifmap. Give it a nice long password and the API Admin role.

      [Attachment: add-admin-user-ifmap.PNG]

    • Now head over to the controller and run the following:
      ifmap cppm
      server host <ip-address-of-clearpass> port 443 username controller-ifmap passwd <controller-ifmap-password>
      enable

       

    • If you have multiple ClearPass servers, run the "server host" command for each server.
    • This will populate the Host User Agent field in the endpoints database
    • Back inside ClearPass, we'll need to create a role called DEVICE_IPAD. Navigate to Configuration > Identity > Roles and click Add. Enter DEVICE_IPAD as the Name and click Save.
    • Now we'll need to add some rules to your role map. We can use the existing role map for your service or create a new one. Add rules like below: (also attached)

      [Attachment: device-ipad-role-map.PNG]


    • Now you can use this TIPS role (DEVICE_IPAD) in your service rules. So for example, if you have an existing role mapping for students, your rule could read:

      TIPS     Role     EQUALS     STUDENT
      TIPS     Role     EQUALS     DEVICE_IPAD

      Enforcement: [Allow Access Profile]

    • If this service is for an SSID only handling student devices, then you can just set the default profile of the enforcement as [Deny Access Profile]
    • If this service is serving more than just students, then add a second rule that reads:

      TIPS     Role     EQUALS     STUDENT
      TIPS     Role     NOT_EQUALS     DEVICE_IPAD

      Enforcement: [Deny Access Profile]

    Hope this helps.
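A toy evaluator of the role-mapping and enforcement logic in the post above, written as an added example (it is not ClearPass code or Tim's configuration). It assumes the role-mapping rule in the attached screenshot is "Host User Agent CONTAINS iPad" and that the STUDENT role comes from an AD group named "students"; both are assumptions, as are the sample endpoints.

```python
"""Model of the DEVICE_IPAD role mapping and the two enforcement policies
described above. Added example; rule conditions are assumptions."""

STUDENT_GROUP = "students"  # assumed AD group feeding the STUDENT role


def map_roles(endpoint: dict) -> set:
    """Role-mapping stage: derive TIPS roles from endpoint attributes."""
    roles = set()
    if endpoint.get("ad_group") == STUDENT_GROUP:
        roles.add("STUDENT")
    # Host User Agent is populated by the controller's IFMAP feed; an
    # endpoint seen before IFMAP runs has no value here.
    ua = endpoint.get("host_user_agent", "")
    if "iPad" in ua:  # assumed rule: Host User Agent CONTAINS iPad
        roles.add("DEVICE_IPAD")
    return roles


# Each rule: list of (operator, role) conditions that must ALL hold, plus the
# profile it yields. First match wins; otherwise the default profile applies.
STUDENT_SSID_POLICY = {
    "rules": [([("EQUALS", "STUDENT"), ("EQUALS", "DEVICE_IPAD")],
               "[Allow Access Profile]")],
    "default": "[Deny Access Profile]",
}
MIXED_POLICY = {
    "rules": [([("EQUALS", "STUDENT"), ("EQUALS", "DEVICE_IPAD")],
               "[Allow Access Profile]"),
              ([("EQUALS", "STUDENT"), ("NOT_EQUALS", "DEVICE_IPAD")],
               "[Deny Access Profile]")],
    "default": "[Allow Access Profile]",  # assumed: non-students keep access
}


def _holds(op: str, role: str, roles: set) -> bool:
    if op == "EQUALS":
        return role in roles
    if op == "NOT_EQUALS":
        return role not in roles
    raise ValueError(f"unknown operator {op}")


def enforce(policy: dict, roles: set) -> str:
    for conditions, profile in policy["rules"]:
        if all(_holds(op, role, roles) for op, role in conditions):
            return profile
    return policy["default"]


def decide(policy: dict, endpoint: dict) -> str:
    return enforce(policy, map_roles(endpoint))


# Constructed sample endpoints (user agents shortened)
IPAD = {"ad_group": "students", "host_user_agent": "Mozilla/5.0 (iPad; CPU OS 8_1 like Mac OS X)"}
IPHONE = {"ad_group": "students", "host_user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X)"}
STAFF_MAC = {"ad_group": "staff", "host_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10)"}
NEW_IPAD = {"ad_group": "students"}  # IFMAP has not populated the user agent yet
```

Note that NEW_IPAD is denied under both policies until the controller has pushed a Host User Agent for it, so a student iPad that fails right after the change may simply not have been profiled yet.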



  • 11.  RE: Blocking Devices Through ClearPass

    Posted Jan 23, 2015 10:11 AM

    Thanks.

    I will test this out and let you know.



  • 12.  RE: Blocking Devices Through ClearPass

    Posted Jan 27, 2015 09:38 AM

    It looks like it worked. I talked to Aruba on another issue and then we talked about this. They went ahead and made changes to ClearPass policies, saying it would work easier than this method, which worked. So far everything is working. 

     

    Thanks.



  • 13.  RE: Blocking Devices Through ClearPass

    Posted Jan 27, 2015 12:31 PM

    As another follow-up since this morning. It turns out we had other settings in ClearPass that were causing issues. Different enforcement profiles were in place that were causing us other issues. Anatoli (sp?) from Aruba helped me clear out the policies that were the issue and now everything works!