Security

Occasional Contributor I

Blocking Devices Through ClearPass

Before I decide to call Aruba I was wondering if anyone can point me in the right direction or towards the right document.

 

We are in a school and had just implemented ClearPass this past summer. Everything is working great the way we set it up, but now we are being asked to start blocking devices from getting online. Here is an example:

 

Our school is allowing students to bring just iPads to school. We do not want them to get other devices (Windows, iPhone, Android, OSX) on our network. What is the best practice to block those other devices, and can we drill down to type (iPad yes, iPhone no), or is it OS based?

 

Thanks

Guru Elite

Re: Blocking Devices Through ClearPass

How are the approved devices authenticating? Onboard? 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Blocking Devices Through ClearPass

The devices are approved through authentication in AD with RADIUS on a Windows Server.

Guru Elite

Re: Blocking Devices Through ClearPass

Hm. Ok. Any reason you're not using ClearPass for RADIUS? We could accomplish what you're trying to do if ClearPass is configured as your RADIUS server. 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Blocking Devices Through ClearPass

No, I was wrong. I believe we are using ClearPass for RADIUS.

Guru Elite

Re: Blocking Devices Through ClearPass

Are you using Aruba controllers? 

Apple does not use unique fingerprints for iOS, so devices tend to all profile the same, and you would potentially allow iPhones on top of iPads. If you have Aruba controllers, we can get more creative. 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Blocking Devices Through ClearPass

Thank you for your replies. I am pretty raw with a lot of this stuff and I appreciate your time.

 

We have an Aruba 7210 controller and Airwave as well.

Guru Elite

Re: Blocking Devices Through ClearPass

Ok. Give me a few to mock something up for you :)


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Blocking Devices Through ClearPass

Awesome thanks

Guru Elite

Re: Blocking Devices Through ClearPass

First you'll want to set up IFMAP.

 

  • Start in ClearPass and navigate to Administration > Users and Privileges > Admin Users
  • Create a new user and call it something like controller-ifmap. Give it a nice long password and the API Admin role.

    [attachment: add-admin-user-ifmap.PNG]

  • Now head over to the controller and run the following:
    ifmap cppm
    server host <ip-address-of-clearpass> port 443 username controller-ifmap passwd <controller-ifmap-password>
    enable

  • If you have multiple ClearPass servers, run the "server host" command for each server.
  • This will populate the Host User Agent field in the endpoints database
  • Back inside ClearPass, we'll need to create a role called DEVICE_IPAD. Navigate to Configuration > Identity > Roles and click Add. Enter DEVICE_IPAD as the Name and click Save.
  • Now we'll need to add some rules to your role map. We can use the existing role map for your service or create a new one. Add rules like below: (also attached)

    [attachment: device-ipad-role-map.PNG]


  • Now you can use this TIPS role (DEVICE_IPAD) in your service rules. So for example, if you have an existing role mapping for students, your rule could read:

    TIPS     Role     EQUALS     STUDENT
    TIPS     Role     EQUALS     DEVICE_IPAD

    Enforcement: [Allow Access Profile]

  • If this service is for an SSID only handling student devices, then you can just set the default profile of the enforcement to [Deny Access Profile]
  • If this service is serving more than just students, then add a second rule that reads:

    TIPS     Role     EQUALS     STUDENT
    TIPS     Role     NOT_EQUALS     DEVICE_IPAD

    Enforcement: [Deny Access Profile]


Hope this helps.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
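The following is an added walk-through of the policy described in the post above, written as a small Python simulation; it is not ClearPass code and not part of the original thread. It models the two pieces of policy the post sets out: the role-mapping rule that assigns the TIPS role DEVICE_IPAD, and the enforcement rules keyed on TIPS roles. Two things are assumptions rather than facts from the page: that the DEVICE_IPAD rule (whose screenshot is not reproduced) tests whether the endpoint's Host User Agent contains "iPad", and that the STUDENT role has already been produced by an existing AD-group role-mapping rule. The sample endpoints and their user-agent strings are constructed for the example.

```python
"""Policy walk-through for the DEVICE_IPAD role-mapping and enforcement rules.

Added example, not ClearPass code. Assumed (not on the page): the DEVICE_IPAD
role-mapping rule is "Host User Agent CONTAINS iPad", and STUDENT is already
derived from AD group membership by an earlier role-mapping rule.
"""
from typing import Dict, Optional, Set, Tuple

ALLOW = "[Allow Access Profile]"
DENY = "[Deny Access Profile]"


def map_roles(ad_roles: Set[str], host_user_agent: Optional[str]) -> Set[str]:
    """Role mapping: keep the AD-derived roles and add DEVICE_IPAD when the
    Host User Agent (populated by the controller over IFMAP) contains 'iPad'.
    An endpoint the controller has not yet seen HTTP traffic from has no
    user agent on record and therefore never gets DEVICE_IPAD."""
    roles = set(ad_roles)
    if host_user_agent and "iPad" in host_user_agent:  # assumed rule condition
        roles.add("DEVICE_IPAD")
    return roles


def enforce(roles: Set[str], default_profile: str = DENY) -> str:
    """Enforcement rules in the order the post gives them; first match wins.
    Rule 1: STUDENT and DEVICE_IPAD      -> [Allow Access Profile]
    Rule 2: STUDENT and not DEVICE_IPAD  -> [Deny Access Profile]
    Anything else (e.g. staff on a mixed SSID) falls through to the
    service's default enforcement profile."""
    if "STUDENT" in roles and "DEVICE_IPAD" in roles:
        return ALLOW
    if "STUDENT" in roles and "DEVICE_IPAD" not in roles:
        return DENY
    return default_profile


def decide(ad_roles: Set[str], host_user_agent: Optional[str],
           default_profile: str = DENY) -> str:
    """Run one request through role mapping and then enforcement."""
    return enforce(map_roles(ad_roles, host_user_agent), default_profile)


# Constructed sample endpoints: (AD-derived roles, Host User Agent as IFMAP
# would have populated it). The UA strings are illustrative, not captured.
SAMPLE_ENDPOINTS: Dict[str, Tuple[Set[str], Optional[str]]] = {
    "student-ipad": ({"STUDENT"},
        "Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1.15 "
        "(KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1"),
    "student-iphone": ({"STUDENT"},
        "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 "
        "(KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1"),
    "student-android": ({"STUDENT"},
        "Mozilla/5.0 (Linux; Android 9; SM-T510) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/76.0.3809.111 Safari/537.36"),
    # iPadOS 13+ Safari sends a desktop (Macintosh) UA by default, so a
    # CONTAINS "iPad" rule does not see this request as an iPad.
    "student-ipad-desktop-ua": ({"STUDENT"},
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 "
        "(KHTML, like Gecko) Version/13.0 Safari/605.1.15"),
    # Not yet profiled: IFMAP has not populated the attribute.
    "student-unprofiled": ({"STUDENT"}, None),
    # The UA is client-controlled, so a non-iPad can claim to be one.
    "student-spoofed": ({"STUDENT"},
        "Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) FakeBrowser/1.0"),
    "staff-laptop": ({"STAFF"},
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
}


def run_all(default_profile: str = DENY) -> Dict[str, str]:
    """Evaluate every sample endpoint and return name -> enforcement profile."""
    return {name: decide(roles, ua, default_profile)
            for name, (roles, ua) in SAMPLE_ENDPOINTS.items()}


if __name__ == "__main__":
    # Mixed SSID: staff should still get on, so the default profile is allow
    # and the explicit second rule is what denies non-iPad student devices.
    for name, result in run_all(default_profile=ALLOW).items():
        print(f"{name:24} -> {result}")
```

Two points the walk-through makes visible that the rules alone do not: the Host User Agent is only as good as what the client chooses to send, so this is a policy control for a school rather than a security boundary (the spoofed entry is allowed), and an iPad whose browser reports itself as a Mac, or an endpoint the controller has not yet seen HTTP traffic from, is treated exactly like an iPhone and denied.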