New Contributor

CPPM - Differentiating authentication requests coming from iPads

As one part of a simple ClearPass solution I'm trying to implement, my customer is requesting a "BYOD" SSID that will allow any unknown devices to connect, given proper AD credentials.  However:

 

- laptops must also pass the OnGuard java applet checks (no problem)

- iPads must be allowed on the same SSID (?)

 

I know this could be taken care of using the Onboard solution, but the customer does not want Onboard or Profile.  I need to find a method to differentiate the access requests coming from iPads so they can bypass the applet, as it is not supported by iOS.  One idea I wanted to try was to just allow access if the authentication method was EAP-TLS.  What I've read so far tells me that this would require TLS certificate provisioning on the iPad prior to authentication.  Is there a simpler solution I'm missing for the CPPM to just recognize an iPad-sourced request?

New Contributor

Re: CPPM - Differentiating authentication requests coming from iPads

Never mind.  I just learned about DHCP Fingerprinting from the Aruba VRD webpage.

Frequent Contributor I

Re: CPPM - Differentiating authentication requests coming from iPads

Hi,

If we can do dhcp fingerprint in the controller what is the point to have clearpass?

Besides the guest provisioning part?

I was under the impression that blocking end-point devices should be done using the profiler in the clearpass.

 

New Contributor

Re: CPPM - Differentiating authentication requests coming from iPads

Matching the fingerprint just enables you to recognize the device type... that doesn't put it on par with a full-fledged profiling solution :)

Guru Elite

Re: CPPM - Differentiating authentication requests coming from iPads

ClearPass allows you to use the manufacturer and/or OS type as a decision variable during authentication.  The controller will assign a different role during association/authentication, but does not offer the rich policy decision-making combinations that are available in ClearPass.  In addition, ClearPass is multivendor, so WLAN or LAN manufacturers who are not OS-aware can also leverage the decision-making in ClearPass that was not available previously.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I

Re: CPPM - Differentiating authentication requests coming from iPads

This sounds like a sales pitch :-)

Since DHCP fingerprinting can assign roles, it should suffice for me.

 

Guru Elite

Re: CPPM - Differentiating authentication requests coming from iPads


shpapy wrote:

This sounds like a sales pitch :-)

Since DHCP fingerprinting can assign roles, it should suffice for me.

 


shpapy,

 

It is a sales pitch for whoever needs the solution.  DHCP fingerprinting alone only allows you to change the role of a user based on the OS of the device.  That is good for users like yourself who only want to make a decision based on OS.

 

If you have to combine it with other things like teacher+iPad and student+iPad, you need ClearPass Policy Manager.

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: CPPM - Differentiating authentication requests coming from iPads

So it's more like an extended functionality.

Got it.

 

Frequent Contributor I

Re: CPPM - Differentiating authentication requests coming from iPads

I have added the following under services-->enfo.

 

This is working now and blocked Samsung S3 and Apple devices.

Is this a good way to implement it, or should I use the profiler or a different option? I have a full ClearPass license.

Any suggestions will be gladly appreciated.

 

3. (Connection:Client-Mac-Vendor EQUALS Murata Manufacturing Co., Ltd.) [Deny Access Profile]
4. (Connection:Client-Mac-Vendor EQUALS Apple, Inc.) [Deny Access Profile]

Re: CPPM - Differentiating authentication requests coming from iPads

You are doing this on ClearPass now, or the controller?

 

Because I thought that user derivation (i.e. DHCP fingerprinting) doesn't work with dot1x? Also, doesn't the above block iPads too?
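The question of what the two Client-Mac-Vendor rules actually match can be checked with a small model; this is an added example, not code from any poster or from ClearPass. It assumes first-match rule evaluation and a default allow profile, and the OUI prefixes, endpoint names and MAC addresses are constructed (locally administered placeholders, not real IEEE assignments).

```python
# Added illustration: a model of vendor-only enforcement rules.
# The two rule conditions are the ones quoted in the thread; everything
# else (evaluation order, default profile, OUI table) is an assumption.
RULES = [
    ("Murata Manufacturing Co., Ltd.", "[Deny Access Profile]"),
    ("Apple, Inc.", "[Deny Access Profile]"),
]
DEFAULT_PROFILE = "[Allow Access Profile]"  # assumed default when no rule matches

# Constructed OUI table: placeholder prefixes, not real vendor assignments.
OUI_VENDORS = {
    "AA:AA:01": "Apple, Inc.",
    "AA:AA:02": "Murata Manufacturing Co., Ltd.",
    "AA:AA:03": "Intel Corporate",
}

# Constructed endpoints. A vendor lookup sees only the first three octets,
# so it cannot tell an iPad from a MacBook, or a phone from any other
# device built around the same vendor's radio module.
ENDPOINTS = {
    "iPad": "AA:AA:01:10:20:30",
    "MacBook": "aa-aa-01-44-55-66",
    "Phone with Murata radio": "AA:AA:02:01:02:03",
    "Laptop with Murata radio": "aaaa.0211.2233",
    "Laptop with Intel radio": "AA:AA:03:0A:0B:0C",
}


def mac_vendor(mac):
    """Normalise a MAC in any common notation and look up its OUI."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    oui = ":".join(digits[i:i + 2] for i in (0, 2, 4))
    return OUI_VENDORS.get(oui, "Unknown")


def enforce(mac):
    """Return the profile of the first rule whose vendor matches exactly."""
    vendor = mac_vendor(mac)
    for wanted_vendor, profile in RULES:
        if vendor == wanted_vendor:
            return profile
    return DEFAULT_PROFILE


def report():
    """Map every sample endpoint to the profile it would receive."""
    return {name: enforce(mac) for name, mac in ENDPOINTS.items()}


if __name__ == "__main__":
    for name, profile in report().items():
        print(f"{name:26} -> {profile}")
```

In this model the iPad and the MacBook receive the same deny profile, as do both devices with a Murata radio, so a vendor-only condition cannot express "iPads may bypass the applet, laptops may not".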
