Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM onboard query!

  • 1.  CPPM onboard query!

    Posted Jun 23, 2015 08:33 AM

    Hi all,

     

    In CPPM I can create a policy so that if a user brings in his company-owned laptop, which happens to be a Windows laptop, a certain policy is enforced. What if a user brings another laptop which is not a company-owned laptop but again is Windows-based?

    My requirement is that a user should only be allowed to onboard a company-owned Windows laptop and not any other Windows laptop. How can we achieve this with CPPM without any MAC-based enforcement (as a MAC can be easily spoofed)?

     

    Thanks.



  • 2.  RE: CPPM onboard query!

    Posted Jun 23, 2015 08:37 AM

    You can do that by enabling machine authentication, so ClearPass will allow access for domain laptops/desktops only.



  • 3.  RE: CPPM onboard query!

    EMPLOYEE
    Posted Jun 23, 2015 08:37 AM

    You can configure company-based laptops to perform machine authentication, and that problem goes away. Non-company laptops cannot successfully machine authenticate.



  • 4.  RE: CPPM onboard query!

    Posted Jun 23, 2015 08:44 AM

    Hi Colin, thanks for your reply.

    Can you please help me find where I can enable this setting (enable machine auth) in CPPM?



  • 5.  RE: CPPM onboard query!

    EMPLOYEE
    Posted Jun 23, 2015 08:47 AM
    Machine authentication is a client-side configuration. There are some considerations when using machine auth for something like this. Are you working with an Aruba or partner engineer?


    Thanks,
    Tim


  • 6.  RE: CPPM onboard query!



  • 7.  RE: CPPM onboard query!

    Posted Jun 23, 2015 08:52 AM

    Hi Suman, thanks a lot for your reply. Regarding the manual creation of the SSID profile on end client devices: can we push this configuration from AD to all the end clients, or do we need to manually create this on each and every device? If yes, I would really appreciate it if you can help me with the steps for the same. Thanks.



  • 8.  RE: CPPM onboard query!
    Best Answer



  • 9.  RE: CPPM onboard query!

    EMPLOYEE
    Posted Jun 23, 2015 09:15 AM
    If you have group policy control over these devices, why not push
    certificates down directly instead of going through the Onboard process?


  • 10.  RE: CPPM onboard query!

    EMPLOYEE
    Posted Jun 23, 2015 08:40 AM
    Why not push out certificates via Group Policy? This way you know it is absolutely corporate owned?

    Onboard is really designed for BYOD.


    Thanks,
    Tim