
CPPM - Differentiating authentication requests coming from iPads

  • 1.  CPPM - Differentiating authentication requests coming from iPads

    Posted Nov 10, 2012 01:31 PM

    As one part of a simple ClearPass solution I'm trying to implement, my customer is requesting a "BYOD" SSID that will allow any unknown devices to connect, given proper AD credentials.  However:

     

    - laptops must also pass the OnGuard java applet checks (no problem)

    - iPads must be allowed on the same SSID (?)

     

    I know this could be taken care of using the Onboard solution but the customer does not want Onboard or Profile.  I need to find a method to differentiate the access requests coming from iPads so they can bypass the applet as it is not supported by iOS.  One idea I wanted to try was to just allow access if the authentication method was EAP-TLS.  What I've read so far tells me that this would require TLS certificate provisioning on the iPad prior to authentication.  Is there a more simple solution I'm missing for the CPPM to just recognize an iPad sourced request?



  • 2.  RE: CPPM - Differentiating authentication requests coming from iPads

    Posted Nov 10, 2012 08:26 PM

    Never mind.  I just learned about DHCP Fingerprinting from the Aruba VRD webpage.



  • 3.  RE: CPPM - Differentiating authentication requests coming from iPads

    Posted Nov 12, 2012 06:44 AM

    Hi,

    If we can do DHCP fingerprinting in the controller, what is the point of having ClearPass?

    Besides the guest provisioning part?

    I was under the impression that blocking end-point devices should be done using the profiler in ClearPass.

     



  • 4.  RE: CPPM - Differentiating authentication requests coming from iPads

    Posted Nov 12, 2012 12:43 PM

    Matching the fingerprint just enables you to recognize the device type.. that doesn't put it on par with a full-fledged profiling solution :)



  • 5.  RE: CPPM - Differentiating authentication requests coming from iPads

    EMPLOYEE
    Posted Nov 12, 2012 12:51 PM

    ClearPass allows you to use the manufacturer and/or OS type as a decision variable during authentication.  The controller will assign a different role during association/authentication, but does not offer the rich policy decision-making combinations that are available in ClearPass.  In addition, ClearPass is multivendor, so WLAN or LAN manufacturers who are not OS-aware can also leverage the decision-making in ClearPass that was not available previously.

     



  • 6.  RE: CPPM - Differentiating authentication requests coming from iPads

    Posted Nov 13, 2012 03:54 AM

    this sounds like a sales pitch :-)

    since DHCP fingerprinting can assign roles it should suffice for me.

     



  • 7.  RE: CPPM - Differentiating authentication requests coming from iPads

    EMPLOYEE
    Posted Nov 13, 2012 06:25 AM

    @shpapy wrote:

    this sounds like a sales pitch :-)

    since DHCP fingerprinting can assign roles it should suffice for me.

     


    shpapy,

     

    It is a sales pitch for whoever needs the solution.  DHCP fingerprinting alone only allows you to change the role of a user based on the OS of the device.  That is good for users like yourself who only want to make a decision based on OS.

     

    If you have to combine it with other things like teacher+iPad and student+iPad, you need ClearPass Policy Manager.

     



  • 8.  RE: CPPM - Differentiating authentication requests coming from iPads

    Posted Nov 13, 2012 07:37 AM

    so it's more like an extended functionality.

    got it.

     



  • 9.  RE: CPPM - Differentiating authentication requests coming from iPads

    Posted Nov 14, 2012 09:03 AM

    I have added the following under services-->enfo.

     

    This is working now and blocked Samsung S3 and apple devices.

    Is this a good way to implement it, or should I use the profiler or a different option? I have a full ClearPass license.

    Any suggestions will be gladly appreciated.

     

    3. (Connection:Client-Mac-Vendor EQUALS Murata Manufacturing Co., Ltd.) [Deny Access Profile]
    4. (Connection:Client-Mac-Vendor EQUALS Apple, Inc.) [Deny Access Profile]



  • 10.  RE: CPPM - Differentiating authentication requests coming from iPads

    Posted Nov 19, 2012 07:55 AM

    Are you doing this on ClearPass now, or the controller?

     

    Because I thought that user derivation (i.e. DHCP fingerprinting) doesn't work with dot1x? Also, doesn't the above block iPads too?



  • 11.  RE: CPPM - Differentiating authentication requests coming from iPads

    Posted Nov 19, 2012 07:57 AM

    I'm not using user role derivation in the controller; I do it in ClearPass based on vendor MAC.

    The controller is not a part of the setup for the blocking.
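
The following is an added example, not written by any poster and not ClearPass syntax: a first-match rule evaluator in Python that runs the vendor-only rules from post 9 against combined device-type and user-group rules of the kind post 7 describes, which also answers post 10's question about iPads. Only `Connection:Client-Mac-Vendor` and `Deny Access Profile` come from the thread; `device_category`, `user_group`, the two non-deny profile names and the sample requests are constructed for illustration.

```python
# Added illustration, not ClearPass code. Only Connection:Client-Mac-Vendor and
# "Deny Access Profile" come from the thread; every other name is hypothetical.
DENY = "Deny Access Profile"
ALLOW = "Allow Access (hypothetical)"
POSTURE = "Require OnGuard (hypothetical)"
VENDOR = "Connection:Client-Mac-Vendor"

def first_match(rules, request, default):
    """Return the profile of the first rule whose conditions all match."""
    for conditions, profile in rules:
        if all(request.get(attr) == value for attr, value in conditions.items()):
            return profile
    return default

# Vendor-only rules as posted in post 9.
VENDOR_ONLY = [
    ({VENDOR: "Murata Manufacturing Co., Ltd."}, DENY),
    ({VENDOR: "Apple, Inc."}, DENY),
]

# Combined conditions in the spirit of post 7 (device type + user group).
COMBINED = [
    ({"device_category": "iPad", "user_group": "teacher"}, ALLOW),
    ({"device_category": "iPad", "user_group": "student"}, DENY),
    ({"device_category": "Laptop"}, POSTURE),
]

# Constructed sample requests; device_category stands in for a fingerprint result.
REQUESTS = {
    "teacher-ipad": {VENDOR: "Apple, Inc.", "device_category": "iPad", "user_group": "teacher"},
    "student-ipad": {VENDOR: "Apple, Inc.", "device_category": "iPad", "user_group": "student"},
    "staff-macbook": {VENDOR: "Apple, Inc.", "device_category": "Laptop", "user_group": "teacher"},
    "galaxy-s3": {VENDOR: "Murata Manufacturing Co., Ltd.", "device_category": "Android", "user_group": "student"},
}

def evaluate(rules, default):
    """Map each sample request name to the profile the rule list selects."""
    return {name: first_match(rules, req, default) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for label, rules, default in (("vendor-only", VENDOR_ONLY, ALLOW), ("combined", COMBINED, DENY)):
        print(label)
        for name, profile in evaluate(rules, default).items():
            print(f"  {name:14} -> {profile}")
```

With the vendor-only rules every Apple device, iPad and MacBook alike, lands on the deny profile; the combined rules separate the teacher iPad, the student iPad and the laptop that must pass posture checks.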