01-23-2015 05:50 AM
Before I decide to call Aruba I was wondering if anyone can point me in the right direction or towards the right document.
We are in a school and had just implemented ClearPass this past summer. Everything is working great the way we set it up, but now we are being asked to start blocking devices from getting online. Here is an example:
Our school is allowing students to bring just iPads to school. We do not want them to get other devices (Windows, iPhone, Android, OSX) on our network. What is the best practice to block those other devices, and can we drill down to type (iPad yes, iPhone no) or is it OS based?
01-23-2015 05:56 AM
01-23-2015 06:06 AM
Apple does not use unique fingerprints for iOS so devices tend to all profile the same so you would potentially allow iPhones on top of iPads. If you have Aruba controllers, we can get more creative.
01-23-2015 07:05 AM - edited 01-23-2015 07:05 AM
First you'll want to set up IFMAP.
- Start in ClearPass and navigate to Administration > Users and Privileges > Admin Users
- Create a new user and call it something like controller-ifmap. Give it a nice long password and the API Admin role.
- Now head over to the controller and run the following:
ifmap cppm server host <ip-address-of-clearpass> port 443 username controller-ifmap passwd <controller-ifmap-password> enable
- If you have multiple ClearPass servers, run the "server host" command for each server.
- This will populate the Host User Agent field in the endpoints database
- Back inside ClearPass, we'll need to create a role called DEVICE_IPAD. Navigate to Configuration > Identity > Roles and click Add. Enter DEVICE_IPAD as the Name and click Save.
- Now we'll need to add some rules to your role map. We can use the existing role map for your service or create a new one. Add rules like below: (also attached)
- Now you can use this TIPS role (DEVICE_IPAD) in your service rules. So for example, if you have an existing role mapping for students, your rule could read:
TIPS Role EQUALS STUDENT
TIPS Role EQUALS DEVICE_IPAD
Enforcement: [Allow Access Profile]
- If this service is for an SSID only handling student devices, then you can just set the default profile of the enforcement as [Deny Access Profile]
- If this service is serving more than just students, then add a second rule that reads:
TIPS Role EQUALS STUDENT
TIPS Role NOT_EQUALS DEVICE_IPAD
Enforcement: [Deny Access Profile]
Hope this helps.
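The role-mapping and enforcement logic from the reply above, modeled as an added Python example so the rule order can be checked against sample endpoint records. This is not code from the original post or from Aruba/ClearPass. The DEVICE_IPAD role-mapping rule is assumed to be "Host User Agent CONTAINS iPad" (the post's attachment is not on the page), the behaviour for non-student roles on a mixed service is left as a fall-through because the post does not specify it, and every MAC address and user-agent string below is constructed.

```python
"""
Added example (not from the original post): a small model of the ClearPass
role mapping + enforcement policy described in the reply. Assumptions:
  - DEVICE_IPAD rule = Host User Agent CONTAINS "iPad" (attachment not on page)
  - enforcement is evaluated first-match, top to bottom
  - non-student roles on a mixed service fall through to rules the post
    does not describe
All endpoint records here are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Set

ALLOW = "[Allow Access Profile]"
DENY = "[Deny Access Profile]"
FALL_THROUGH = "(no rule in the post matched; existing rules/default apply)"


@dataclass
class Endpoint:
    mac: str
    # Host User Agent, as pushed into the endpoint DB by the controller over
    # IF-MAP. It is empty until the controller has seen HTTP from the client,
    # and it is client-supplied, so it is a convenience classifier, not proof.
    host_user_agent: str = ""


# Assumed DEVICE_IPAD rule. Word boundaries so "iPad" is matched as a token;
# an iPhone UA contains "iPhone", not "iPad", so it does not match.
IPAD_UA = re.compile(r"\biPad\b")


def map_roles(ep: Endpoint, is_student: bool) -> Set[str]:
    """Role mapping: STUDENT comes from the identity store, DEVICE_IPAD from the UA."""
    roles: Set[str] = set()
    if is_student:
        roles.add("STUDENT")
    if IPAD_UA.search(ep.host_user_agent):
        roles.add("DEVICE_IPAD")
    return roles


def enforce(roles: Set[str], student_only_ssid: bool) -> str:
    """Enforcement policy as laid out in the reply, evaluated first-match."""
    # Rule 1: TIPS Role EQUALS STUDENT AND TIPS Role EQUALS DEVICE_IPAD -> allow
    if {"STUDENT", "DEVICE_IPAD"} <= roles:
        return ALLOW
    if student_only_ssid:
        # Student-only SSID: no second rule, default profile is [Deny Access Profile]
        return DENY
    # Mixed service, Rule 2: STUDENT AND NOT DEVICE_IPAD -> deny
    if "STUDENT" in roles and "DEVICE_IPAD" not in roles:
        return DENY
    # Anything else (staff, guests, ...) is not covered by the post.
    return FALL_THROUGH


def decide(ep: Endpoint, is_student: bool, student_only_ssid: bool) -> str:
    return enforce(map_roles(ep, is_student), student_only_ssid)


# Constructed sample endpoints (MACs and UA strings are made up for this example).
SAMPLE_ENDPOINTS = {
    "ipad": Endpoint(
        "00:11:22:33:44:01",
        "Mozilla/5.0 (iPad; CPU OS 8_1 like Mac OS X) AppleWebKit/600.1.4 "
        "(KHTML, like Gecko) Version/8.0 Mobile/12B410 Safari/600.1.4",
    ),
    "iphone": Endpoint(
        "00:11:22:33:44:02",
        "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 "
        "(KHTML, like Gecko) Version/8.0 Mobile/12B411 Safari/600.1.4",
    ),
    "android": Endpoint(
        "00:11:22:33:44:03",
        "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/40.0.2214.89 Mobile Safari/537.36",
    ),
    # Device that has authenticated but sent no HTTP yet: UA not populated.
    "unprofiled": Endpoint("00:11:22:33:44:04", ""),
}


if __name__ == "__main__":
    for name, ep in SAMPLE_ENDPOINTS.items():
        roles = sorted(map_roles(ep, is_student=True))
        print(f"{name:<11} roles={roles} student-only SSID -> "
              f"{decide(ep, True, True)} | mixed service -> {decide(ep, True, False)}")
```

Two things the model makes visible that the post only implies: an iPhone and an iPad share the iOS fingerprint but not the user-agent string, which is why the Host User Agent rule can tell them apart, and an iPad whose user agent has not yet been learned carries no DEVICE_IPAD role, so on a student-only SSID it is denied until the controller has seen HTTP from it.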