Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Blocking device per category

  • 1.  Blocking device per category

    Posted Nov 22, 2012 08:49 AM

    Hello,

    I built a service and I'm trying to block a device per category.

    The device is being classified correctly but is still authenticated; I'm sure something is messed up with my service classification.

    Can someone advise?

    Thanks.

     

    Authorization:[Endpoints Repository]:Category = SmartDevice
    Authorization:[Endpoints Repository]:Device Name = Android
    Authorization:[Endpoints Repository]:MAC Vendor = Murata Manufacturing Co., Ltd.
    Authorization:[Endpoints Repository]:OS Family = Android

    Policies Used -

    Service: ArubaController_UserAuthentication
    Authentication Method: EAP-PEAP, EAP-MSCHAPv2
    Authentication Source: AD:10.1.3.1
    Authorization Source: [Endpoints Repository], Active_directory
    Roles: Block_Devices, [User Authenticated]
    Enforcement Profiles: PEAP_Active_Directory_Auth
    Service Monitor Mode: Disabled

    Authentication:
    Authentication Methods: 1. [eap-tls-Authorization Required-no] 2. [MSCHAP] 3. [EAP PEAP]
    Authentication Sources: Active_directory
    Strip Username Rules: -

    Authorization:
    Authorization Details: [Endpoints Repository]

    Roles:
    Role Mapping Policy: Block_SmartPhones

    Posture:
    Posture Policies: -
    Remediate End-Hosts: Disabled
    Posture Servers: -

    Proxy Targets: (none configured)

    Enforcement:
    Use Cached Results: Disabled
    Enforcement Policy: Encrypted_Users

    Audit:
    Audit Server: -

    Profiler:
    Endpoint Classification: SmartDevice, Computer
    RADIUS CoA Action: [Aruba Terminate Session]


  • 2.  RE: Blocking device per category

    EMPLOYEE
    Posted Nov 22, 2012 10:25 AM

    You could do this one of two ways:

     

    1.  You could use an Enforcement Profile of "RADIUS Deny" or "RADIUS Drop".

     

    2.  If you are going to use the Aruba RADIUS CoA enforcement policy, you need two things:

     

    In Configuration > Network > Devices, you need the Aruba Controller as an entry (which you probably have), but you need to make sure that "Enable RADIUS CoA" is checked.  In addition, on the Aruba Controller side, in the AAA profile for this WLAN, you need to define and attach an RFC 3576 server profile (the CPPM server IP address and pre-shared key) in order for CoA to work.

     



  • 3.  RE: Blocking device per category

    Posted Nov 22, 2012 10:54 AM

    Using option 1.

    I went under Enforcement so I could extend this role and add the rest of the parameters, BUT under the rules editor there is no Category.

    I can block by device type and vendor, and I'm looking for categories; that's why I added an authorization source to look for category smartphone and block it, but it doesn't work.

    Also, can't I use role mapping and then assign a default block role for this?

     

    Use Cached Results: Use cached Roles and Posture attributes from previous sessions
    Enforcement Policy: Encrypted_Users
    Enforcement Policy Details
    Description: (empty)
    Default Profile: [Drop Access Profile]
    Rules Evaluation Algorithm: evaluate-all

    Conditions -> Enforcement Profiles
    1. (Authentication:OuterMethod EQUALS EAP-TLS) -> TLS_Certificate_users
    2. (Authentication:OuterMethod EQUALS EAP-PEAP) -> PEAP_Active_Directory_Auth


  • 4.  RE: Blocking device per category

    EMPLOYEE
    Posted Nov 22, 2012 10:59 AM

    In Role Mappings, try,

     

    Authorization:[Endpoints Repository]:Category EQUALS SmartDevice

     

     

    To set a role that you would deny later using the Enforcement Policy.

     



  • 5.  RE: Blocking device per category

    Posted Nov 22, 2012 11:04 AM

    That's what I have, but it doesn't work, and the Enforcement Policy doesn't support categories from what I see.

     
    Policy:
    Policy Name: Block_SmartPhones
    Description: All devices categorized as smartphones will be blocked.
    Default Role: Block_Access
    Mapping Rules:
    Rules Evaluation Algorithm: Evaluate all

    Conditions -> Role Name
    1. (Connection:Client-Mac-Vendor CONTAINS Murata) -> Block_Access
    2. (Authorization:[Endpoints Repository]:OS Family EQUALS Android) -> Block_Access


  • 6.  RE: Blocking device per category

    EMPLOYEE
    Posted Nov 22, 2012 11:10 AM

    Here is a good approach.  Create roles for devices like "Android", "SmartDevice", etc.

     

    In your Role Evaluation Policy, use those rules to set Roles (tags) for devices, and make sure you have "Evaluate All".  So a device could end up with the tags:

     

    [User Authenticated] (built in), Android, SmartDevice.

     

    You then use the Enforcement Policies (First Applicable) to check on the Roles: for example, if Role EQUALS [User Authenticated] and Role EQUALS SmartDevice and Role EQUALS Android, set it to an enforcement profile that blocks access.

     

    Long story short, Role Mappings are used to set Roles or Tags to Devices.  Enforcement Policies are used to make decisions based on all the Roles (tags) that an incoming authentication has.

     



  • 7.  RE: Blocking device per category

    Posted Nov 22, 2012 11:23 AM

    OK, I see, but how can I pass the tag? Just by using the same name?

    Can you give an example of this?

    Also, I've got several enforcement policies now; do I need to combine them?

     



  • 8.  RE: Blocking device per category
    Best Answer

    EMPLOYEE
    Posted Nov 22, 2012 11:31 AM

    Step 1:  Define any Role (tag) that you want your devices to have in Configuration > Identity > Roles.  For example, I would create one for Android, because that is one attribute that I want to track later.

    Step 2:  In your Role Mapping Policy, write a rule that looks in the Endpoint Repository and, if it sees that it is an Android, attaches it to the Role Android.

    Step 3:  In your Enforcement Policy, use a rule that looks for authentication and Tips:Role EQUALS Android (the role you established), and then set the enforcement policy to allow or block whatever you want.

     

    Below is an enforcement policy that looks to see if the device authenticated in AD and if it has the Android role, and it sends back a reject to the controller:

     

    [attached image: androidblock.png]



  • 9.  RE: Blocking device per category

    EMPLOYEE
    Posted Mar 24, 2016 08:57 AM

    Hi Colin,

     

    I just read your old post.... Regarding your Step 2 below:

    Step 2: In your Role Mapping Policy, write a rule that looks in the Endpoint Repository and, if it sees that it is an Android, attaches it to the Role Android.

     

    If the device has never been connected (and accepted) to that SSID, then that device wouldn't be recorded in the Endpoint Repository, right? So we wouldn't know whether that device is an Android or not. How do we manage this case?

     

    Thanks,

    Niko



  • 10.  RE: Blocking device per category

    EMPLOYEE
    Posted Mar 24, 2016 08:59 AM

    You would put unprofiled devices into an interim profiling state and enable profiling on the service.
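
The following is an added example illustrating the accepted answer above (role mapping assigns tags, the enforcement policy decides) and the unprofiled-device case raised in the last two posts. It is a toy Python model of how ClearPass evaluates a Role Mapping Policy with "Evaluate all" and an Enforcement Policy with "First applicable"; it is not ClearPass code and was not posted by anyone in the thread. The attribute names mirror the ClearPass rule editor, but the MAC addresses, the OUI table, the role name `Unprofiled` and the enforcement profile `Interim_Profiling_Access` are made up for the example. Running it shows why the original poster's policies let the Android phone through (the enforcement policy only looked at `Authentication:OuterMethod`, so the `Block_Access` tag was never consulted), and how the corrected design rejects it while sending a never-seen device to an interim profiling profile.

```python
"""Toy model of ClearPass policy evaluation: role mapping assigns tags, the
enforcement policy decides. Added example for this thread, not ClearPass code.
Attribute names mirror the ClearPass rule editor; MACs and OUIs are made up."""

# Constructed endpoint repository (what the Profiler stored for each MAC).
ENDPOINT_REPOSITORY = {
    "00:37:6d:aa:bb:cc": {"Category": "SmartDevice", "OS Family": "Android"},
    "3c:97:0e:11:22:33": {"Category": "Computer", "OS Family": "Windows"},
}
# Constructed OUI table feeding Connection:Client-Mac-Vendor.
OUI_VENDORS = {"00:37:6d": "Murata Manufacturing Co., Ltd.", "3c:97:0e": "Wistron"}


def build_request(mac, outer_method):
    """Assemble the attributes ClearPass would have for one authentication."""
    mac = mac.lower()
    req = {
        "Connection:Client-Mac-Address": mac,
        "Connection:Client-Mac-Vendor": OUI_VENDORS.get(mac[:8]),
        "Authentication:OuterMethod": outer_method,
    }
    # Authorization source [Endpoints Repository]: a device that was never
    # profiled has no entry, so its Category / OS Family attributes are absent.
    for attr, value in ENDPOINT_REPOSITORY.get(mac, {}).items():
        req[f"Authorization:[Endpoints Repository]:{attr}"] = value
    return req


def _test(op, actual, expected):
    """Subset of the rule-editor operators; Tips:Role holds a set of tags."""
    if op == "EXISTS":
        return actual is not None
    if op == "NOT_EXISTS":
        return actual is None
    if actual is None:
        return False
    values = actual if isinstance(actual, (set, list)) else [actual]
    if op == "EQUALS":
        return expected in values
    if op == "CONTAINS":
        return any(expected in v for v in values)
    raise ValueError(f"unsupported operator {op}")


def rule_matches(req, conditions):
    """Conditions within one rule are ANDed, as in the ClearPass rule editor."""
    return all(_test(op, req.get(attr), val) for attr, op, val in conditions)


def map_roles(req, rules, default_role):
    """Role Mapping Policy with 'Evaluate all': every matching rule adds a tag."""
    roles = {"[User Authenticated]"}  # built-in tag, set after successful auth
    hits = {role for conds, role in rules if rule_matches(req, conds)}
    roles.update(hits or {default_role})  # default role only when nothing matched
    return roles


def enforce(req, roles, rules, default_profile, algorithm="first-applicable"):
    """Enforcement Policy: rules see the request plus Tips:Role; returns profiles."""
    req = {**req, "Tips:Role": roles}
    hits = [profile for conds, profile in rules if rule_matches(req, conds)]
    if not hits:
        return [default_profile]
    return hits[:1] if algorithm == "first-applicable" else hits


def decide(mac, outer_method, role_rules, default_role, enf_rules,
           default_profile, algorithm):
    """Full pipeline for one authentication: (set of roles, list of profiles)."""
    req = build_request(mac, outer_method)
    roles = map_roles(req, role_rules, default_role)
    return roles, enforce(req, roles, enf_rules, default_profile, algorithm)


# The original poster's configuration as shown in the thread.
OP_ROLE_MAPPING = [
    ([("Connection:Client-Mac-Vendor", "CONTAINS", "Murata")], "Block_Access"),
    ([("Authorization:[Endpoints Repository]:OS Family", "EQUALS", "Android")], "Block_Access"),
]
OP_ENFORCEMENT = [
    ([("Authentication:OuterMethod", "EQUALS", "EAP-TLS")], "TLS_Certificate_users"),
    ([("Authentication:OuterMethod", "EQUALS", "EAP-PEAP")], "PEAP_Active_Directory_Auth"),
]

# The accepted answer's design: tags from role mapping, decision in enforcement.
# "Unprofiled" and "Interim_Profiling_Access" are assumed names for the interim state.
FIXED_ROLE_MAPPING = [
    ([("Authorization:[Endpoints Repository]:Category", "EQUALS", "SmartDevice")], "SmartDevice"),
    ([("Authorization:[Endpoints Repository]:OS Family", "EQUALS", "Android")], "Android"),
    ([("Authorization:[Endpoints Repository]:Category", "NOT_EXISTS", None)], "Unprofiled"),
]
FIXED_ENFORCEMENT = [
    ([("Tips:Role", "EQUALS", "[User Authenticated]"), ("Tips:Role", "EQUALS", "Android")],
     "[Deny Access Profile]"),  # built-in profile that returns a RADIUS Reject
    ([("Tips:Role", "EQUALS", "Unprofiled")], "Interim_Profiling_Access"),
    ([("Authentication:OuterMethod", "EQUALS", "EAP-PEAP")], "PEAP_Active_Directory_Auth"),
]

if __name__ == "__main__":
    for mac in ("00:37:6d:aa:bb:cc", "3c:97:0e:11:22:33", "d8:bb:2c:00:00:01"):
        print(mac, "original:", decide(mac, "EAP-PEAP", OP_ROLE_MAPPING, "Block_Access",
                                       OP_ENFORCEMENT, "[Drop Access Profile]", "evaluate-all"))
        print(mac, "fixed:   ", decide(mac, "EAP-PEAP", FIXED_ROLE_MAPPING, "[Other]",
                                       FIXED_ENFORCEMENT, "[Drop Access Profile]", "first-applicable"))
```

Two things the model makes visible: with "Evaluate all" in role mapping the roles are a set of tags and the order of rules does not matter, whereas with "First applicable" in enforcement the deny rule must sit above the generic "EAP-PEAP -> allow" rule or it is never reached; and a device with no Endpoints Repository entry has no `Category` attribute at all, so a `NOT_EXISTS` rule (not an `EQUALS` on some value) is what catches it and routes it to the interim profiling profile.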



  • 11.  RE: Blocking device per category

    EMPLOYEE
    Posted Mar 24, 2016 09:09 AM

    Hi Cappalli,

     

    Could you elaborate further on this? Thank you....