Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Role Mapping

  • 1.  CPPM Role Mapping

    Posted Dec 18, 2018 06:07 PM

    I've got a new CPPM installation that I'm trying to wrap my head around. Our organization also uses Airwatch for device enrollment and control, so CPPM acts pretty much as a gatekeeper and role assigner to the network.

    Anyway, I was looking into some things, and I was wondering if it is possible to do the following: when doing role mapping, is it possible to write rules such that a statement is evaluated against another statement?

    For example, if I write this rule, I'm looking at a rule per serial number in Airwatch.

    Type: Endpoint
    Name: Serial Number
    Operator: EQUALS
    Value: SomeSpecificSerialNumber

    However, if I could do something that could be written in plain English as "If Endpoint Serial Number EQUALS (RADIUS:IETF User-name)", then I could compare the device-presented username, which in our case is the serial number, to the back-end list provided from Airwatch.

    It seems like this should be somewhat simple to accomplish, but I haven't figured out how to compare the output of two expressions.

    Any suggestions?



  • 2.  RE: CPPM Role Mapping

    EMPLOYEE
    Posted Dec 18, 2018 06:10 PM
    Role mapping is designed to tag requests. It’s not really designed to match a single device. What specifically are you trying to achieve?


  • 3.  RE: CPPM Role Mapping

    Posted Dec 18, 2018 06:20 PM

    Well, mostly I'm looking for comprehension and trying to work out what is possible and what is not.

    As to our actual deployment, we're trying to get iPhones provisioned/onboarded/controlled via Airwatch. And we are.

    On the Aruba end, we're just wanting to authenticate devices onto the MDM SSID in as automated a way as possible. As all the data on these iPhones already exists in Airwatch, and a good chunk of information is offered as part of the Computed Attributes, I thought maybe I could make some use of it and essentially write a rule that said "If the serial number (preferably being in the cert the device is presenting) is valid in Airwatch, consider it good and stick it in Role X." If that could be accomplished, we'd basically be looking at a one-stop management interface for these iPhones.

    Of course, right now, our Airwatch admin is having quite a time trying to get the devices to present a cert for the EAP-TLS authentication. So that's an obstacle we're working on right now.
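The two approaches compared in posts 1 and 3 (one EQUALS rule per inventoried serial number versus a single rule that compares the endpoint's serial with the username the device presents) can be modelled in a few lines. The following is an added illustration, not ClearPass code and not anything posted in this thread; it does not claim that ClearPass accepts a `%{Type:Name}` reference in the Value field of a role-mapping rule. That reference syntax, the `Rule`, `build_context`, `evaluate` and `roles_for` names, the MAC-keyed inventory and the RADIUS requests are all assumptions constructed for the example.

```python
"""Toy model of role mapping, added to illustrate the thread above.

Not ClearPass code. The %{Type:Name} reference syntax is an assumption used
only to express "compare one attribute with another". The device inventory
and the RADIUS requests below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

# Attribute namespaces as the thread names them: "Endpoint" and "RADIUS".
Context = Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class Rule:
    attr_type: str  # e.g. "Endpoint"
    name: str       # e.g. "Serial Number"
    operator: str   # "EQUALS", "NOT_EQUALS" or "EXISTS"
    value: str      # literal, or an assumed "%{Type:Name}" reference
    role: str       # role tagged onto the request when the rule matches


# Constructed inventory: MAC -> serial, standing in for what an MDM lookup
# would populate on the Endpoint record.
INVENTORY = {
    "00:11:22:33:44:55": "DMPXK1A2B3C4",
    "00:11:22:33:44:66": "DMPXK5D6E7F8",
}


def build_context(radius: Dict[str, str]) -> Context:
    """Assemble the attributes a rule can see for one request."""
    endpoint: Dict[str, str] = {}
    serial = INVENTORY.get(radius["Calling-Station-Id"].lower())
    if serial is not None:
        endpoint["Serial Number"] = serial
    return {"RADIUS": {f"IETF:{k}": v for k, v in radius.items()},
            "Endpoint": endpoint}


def resolve(value: str, ctx: Context) -> Optional[str]:
    """Return the literal, or the attribute a %{Type:Name} reference names."""
    if value.startswith("%{") and value.endswith("}"):
        source, _, name = value[2:-1].partition(":")
        return ctx.get(source, {}).get(name)
    return value


def evaluate(rule: Rule, ctx: Context) -> bool:
    """Evaluate one rule; an attribute missing on either side never matches."""
    left = ctx.get(rule.attr_type, {}).get(rule.name)
    if rule.operator == "EXISTS":
        return left is not None
    right = resolve(rule.value, ctx)
    if left is None or right is None:
        return False
    if rule.operator == "EQUALS":
        return left == right
    if rule.operator == "NOT_EQUALS":
        return left != right
    raise ValueError(f"unsupported operator {rule.operator!r}")


def map_roles(rules: List[Rule], ctx: Context) -> List[str]:
    """Tag the request with every role whose rule matches (rules are not exclusive)."""
    return [r.role for r in rules if evaluate(r, ctx)]


# Approach 1 from post 1: one EQUALS rule per serial number in the inventory.
PER_SERIAL_RULES = [
    Rule("Endpoint", "Serial Number", "EQUALS", serial, "MDM-Managed")
    for serial in INVENTORY.values()
]

# Approach 2: a single rule comparing the endpoint's inventoried serial with
# the username the device presented (assumed reference syntax).
CROSS_ATTRIBUTE_RULES = [
    Rule("Endpoint", "Serial Number", "EQUALS",
         "%{RADIUS:IETF:User-Name}", "MDM-Managed"),
]


def roles_for(radius: Dict[str, str], rules: List[Rule]) -> List[str]:
    return map_roles(rules, build_context(radius))


if __name__ == "__main__":
    # Constructed requests: a device presenting its own serial, and one
    # enrolled device presenting another device's serial as its username.
    good = {"User-Name": "DMPXK1A2B3C4", "Calling-Station-Id": "00:11:22:33:44:55"}
    wrong_name = {"User-Name": "DMPXK1A2B3C4", "Calling-Station-Id": "00:11:22:33:44:66"}
    print(roles_for(good, PER_SERIAL_RULES), roles_for(good, CROSS_ATTRIBUTE_RULES))
    print(roles_for(wrong_name, PER_SERIAL_RULES), roles_for(wrong_name, CROSS_ATTRIBUTE_RULES))
```

The second constructed request shows the difference that matters in practice: the per-serial rule list tags any enrolled endpoint as "MDM-Managed" whatever username it presents, because it only checks that the endpoint's own inventoried serial is in the list, while the cross-attribute rule only matches when the presented identity agrees with the inventory. Either way the comparison is only as trustworthy as the username itself, which in the thread's design is meant to come from the EAP-TLS client certificate rather than a free-text field.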