New Contributor
Posts: 4
Registered: ‎11-10-2012

CPPM - Differentiating authentication requests coming from iPads

As one part of a simple ClearPass solution I'm trying to implement, my customer is requesting a "BYOD" SSID that will allow any unknown devices to connect, given proper AD credentials. However:

- laptops must also pass the OnGuard Java applet checks (no problem)
- iPads must be allowed on the same SSID (?)

I know this could be taken care of using the Onboard solution but the customer does not want Onboard or Profile. I need to find a method to differentiate the access requests coming from iPads so they can bypass the applet as it is not supported by iOS. One idea I wanted to try was to just allow access if the authentication method was EAP-TLS. What I've read so far tells me that this would require TLS certificate provisioning on the iPad prior to authentication. Is there a more simple solution I'm missing for the CPPM to just recognize an iPad sourced request?

New Contributor
Posts: 4
Registered: ‎11-10-2012

Re: CPPM - Differentiating authentication requests coming from iPads

Never mind. I just learned about DHCP Fingerprinting from the Aruba VRD webpage.

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: CPPM - Differentiating authentication requests coming from iPads

Hi,

If we can do DHCP fingerprint in the controller, what is the point to have ClearPass?

Besides the guest provisioning part?

I was under the impression that blocking end-point devices should be done using the profiler in the ClearPass.


New Contributor
Posts: 4
Registered: ‎11-10-2012

Re: CPPM - Differentiating authentication requests coming from iPads

Matching the fingerprint just enables you to recognize the device type. That doesn't put it on par with a full-fledged profiling solution :)

Guru Elite
Posts: 20,015
Registered: ‎03-29-2007

Re: CPPM - Differentiating authentication requests coming from iPads

ClearPass allows you to use the manufacturer and/or OS type as a decision variable during authentication. The controller will assign a different role during association/authentication, but does not offer the rich policy decision-making combinations that are available in ClearPass. In addition, ClearPass is multivendor, so WLAN or LAN manufacturers who are not OS-aware can also leverage the decision-making in ClearPass that was not available previously.

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: CPPM - Differentiating authentication requests coming from iPads

this sounds like a sales pitch :-)

since DHCP fingerprinting can assign roles it should suffice for me.

 

Guru Elite
Posts: 20,015
Registered: ‎03-29-2007

Re: CPPM - Differentiating authentication requests coming from iPads


shpapy wrote:

this sounds like a sales pitch :-)

since DHCP fingerprinting can assign roles it should suffice for me.

 


shpapy,

 

It is a sales pitch for whoever needs the solution. DHCP fingerprinting alone only allows you to change the role of a user based on the OS of the device. That is good for users like yourself who only want to make a decision based on OS.

If you have to combine it with other things like teacher+iPad and student+iPad, you need ClearPass Policy Manager.

 

Colin Joseph
Aruba Customer Engineering

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: CPPM - Differentiating authentication requests coming from iPads

so it's more like an extended functionality.

got it.

 

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: CPPM - Differentiating authentication requests coming from iPads

I have added the following under services-->enfo.


This is working now and blocked Samsung S3 and apple devices.

Is this a good way to implement or should I use profiler or a different option, I have full clearpass license.

Any suggestions will be gladly appreciated.

 

3.(Connection:Client-Mac-Vendor EQUALS Murata Manufacturing Co., Ltd.)[Deny Access Profile]
4.(Connection:Client-Mac-Vendor EQUALS Apple, Inc.)[Deny Access Profile]

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: CPPM - Differentiating authentication requests coming from iPads

you are doing this on ClearPass now, or the controller?

because I thought that user derivation (i.e. DHCP fingerprinting) doesn't work with dot1x? also doesn't the above block iPads too?
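
Added illustration, not written by any poster in this thread and not Aruba code: a small Python model that parses rules in the layout quoted above and evaluates them first-match, comparing the vendor-only rules with rules that combine identity and device type. The `Example:*` attributes, the `AND` joining, the "Teacher iPad Profile" name, the default profile and the sample requests are assumptions made for this sketch.

```python
import re

# Rule layout as displayed in the thread: N.(Namespace:Attr EQUALS value)[Profile]
# Assumption: several conditions may be joined with AND before the profile.
RULE_RE = re.compile(r"^\s*(?:\d+\.)?\s*(?P<conds>\(.+\))\s*\[(?P<profile>[^\]]+)\]\s*$")
COND_RE = re.compile(r"\((?P<attr>[\w-]+:[\w-]+)\s+EQUALS\s+(?P<value>[^()]+?)\s*\)")

def parse_rule(line):
    """Return ([(attribute, value), ...], profile) for one rule line."""
    m = RULE_RE.match(line)
    conds = [(c["attr"], c["value"]) for c in COND_RE.finditer(m["conds"])] if m else []
    if not conds:
        raise ValueError(f"unrecognised rule: {line!r}")
    return conds, m["profile"].strip()

def evaluate(rule_lines, request, default="Allow Access Profile"):
    """First-applicable: the first rule whose conditions all match decides."""
    for conds, profile in map(parse_rule, rule_lines):
        if all(request.get(attr) == value for attr, value in conds):
            return profile
    return default  # assumed fall-through profile for this model

# The two rules quoted in the thread: they match on MAC vendor only.
VENDOR_ONLY = [
    "3.(Connection:Client-Mac-Vendor EQUALS Murata Manufacturing Co., Ltd.)[Deny Access Profile]",
    "4.(Connection:Client-Mac-Vendor EQUALS Apple, Inc.)[Deny Access Profile]",
]
# Hypothetical rules for the teacher+iPad / student+iPad case; names are invented.
COMBINED = [
    "1.(Example:Role EQUALS student) AND (Example:Device-Type EQUALS iPad)[Deny Access Profile]",
    "2.(Example:Role EQUALS teacher) AND (Example:Device-Type EQUALS iPad)[Teacher iPad Profile]",
]
APPLE, MURATA = "Apple, Inc.", "Murata Manufacturing Co., Ltd."
# Constructed requests, not captured from a real deployment.
REQUESTS = {
    "teacher-ipad": {"Connection:Client-Mac-Vendor": APPLE, "Example:Role": "teacher", "Example:Device-Type": "iPad"},
    "student-ipad": {"Connection:Client-Mac-Vendor": APPLE, "Example:Role": "student", "Example:Device-Type": "iPad"},
    "teacher-macbook": {"Connection:Client-Mac-Vendor": APPLE, "Example:Role": "teacher", "Example:Device-Type": "MacBook"},
    "student-galaxy-s3": {"Connection:Client-Mac-Vendor": MURATA, "Example:Role": "student", "Example:Device-Type": "Galaxy S3"},
}

def decisions(rule_lines):
    """Map each constructed request name to the profile the rule set selects."""
    return {name: evaluate(rule_lines, req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for label, rules in (("vendor-only", VENDOR_ONLY), ("combined", COMBINED)):
        print(label, decisions(rules))
```

With the vendor-only rules every Apple request gets the same answer, iPad or not; the combined rules separate the two iPad cases and leave the other devices to the default.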
