Occasional Contributor II
Posts: 17
Registered: ‎09-03-2014

ClearPass and AirWatch

We've recently implemented CPPM to manage authentication and authorization on our wireless network. Now we're proposing to implement AirWatch for management of mobile devices.

The challenge is that we need to force the mobile devices to install the AW agent before they are granted full access to the corporate VLAN.

One idea was to use ClearPass to return a specific user role if the device doesn't have the agent installed, where it would then be limited to accessing the agent download pages. But is it possible to use a captive portal in this case following L2 802.1X authentication?

If anyone has done something like this before or has any ideas about how we can achieve this, I'd be very interested to hear more.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: ClearPass and AirWatch

Absolutely!  We do this all the time with single 802.1x SSID onboarding.  If the user doesn't have the agent based on the MDM integration we have with Airwatch, then send back a user role and on the controller, have a captive portal profile pointing to the page you wish to send users to.  Make sure to whitelist any links to allow the download to occur however!

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
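As an added illustration (not from the original thread, and not taken from Aruba's guides): an ArubaOS 6.x-style controller configuration for the restricted role described above. The names aw-enrol, aw-enrol-cp, aw-enrol-acl and aw-enrol-hosts, the host names under the netdestination and the login-page URL are all assumptions; substitute your own captive-portal host and the AirWatch device-services and agent-download hosts for your tenant. On the ClearPass side the matching enforcement profile returns the role name in the Aruba-User-Role RADIUS VSA; the controller then applies this role to the authenticated session.

```text
! Hosts the unenrolled device must still reach: the captive-portal page
! and the AirWatch enrollment / agent-download services (assumed names).
netdestination aw-enrol-hosts
  name enroll.example.com
  name ds.awmdm.com
  name awagent.com
!
! Session ACL for the restricted role. Order matters: the whitelist
! permits come before the dst-nat rules that redirect everything else
! to the controller's captive portal listener.
ip access-list session aw-enrol-acl
  user any svc-dhcp permit
  user any svc-dns permit
  user alias aw-enrol-hosts svc-http permit
  user alias aw-enrol-hosts svc-https permit
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any any deny
!
! Captive-portal profile that lands the user on the agent download page.
aaa authentication captive-portal aw-enrol-cp
  login-page https://enroll.example.com/agent
!
! The role ClearPass returns (Aruba-User-Role = aw-enrol) when the
! AirWatch attributes on the endpoint say the agent is not enrolled.
user-role aw-enrol
  captive-portal aw-enrol-cp
  access-list session aw-enrol-acl
```

Two checks worth doing before relying on this: confirm that the login page and every resource it loads (scripts, images, the agent package itself) resolve to hosts covered by the netdestination, otherwise the whitelist is incomplete and the download stalls; and note that the redirect only works for traffic that passes through the controller, so the user's session must be in tunnel mode, not bridge mode.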
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: ClearPass and AirWatch

Just follow this guide to accomplish this. It covers single SSID onboarding but is applicable to your use case:

https://ase.arubanetworks.com/solutions/id/34

For MDM, see the EMM integration guide as well here - http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Occasional Contributor II
Posts: 17
Registered: ‎09-03-2014

Re: ClearPass and AirWatch

Thanks for your reply. I have a further question.

If we use CP to return a different user role based on whether the client has the AW agent installed or not, how then can we redirect non-AW clients to a captive portal? As I understand it, once you have authenticated, subsequent traffic does not touch the controller (if configured using bridge mode, which we do)?
Guru Elite
Posts: 8,027
Registered: ‎09-08-2010

Re: ClearPass and AirWatch

Captive portals cannot be used in bridge mode.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 130
Registered: ‎06-11-2013

Re: ClearPass and AirWatch

If you would need a captive portal with local breakout you should look at the Aruba Instant solution.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: ClearPass and AirWatch

I have this integration set up and working, checking for jailbroken devices, check-in time, etc.

Here's the issue - the requirement to access the corp network is to be both enrolled in AirWatch and OnBoarded. You must first install AirWatch, then OnBoard (this is how they want the policy). The problem is that CPPM only syncs occasionally with AirWatch. If we set the sync time to anything less than 60 minutes in the cluster-wide parameters, the sync fails.

So the user gets stuck in a state of having enrolled in AirWatch and trying to connect to the SSID in order to OnBoard, but since CPPM doesn't have the AirWatch attributes yet, they must wait for a sync to occur.

How are others dealing with this?

Regards,

Josh
___________
ACMP, ACCP
MVP
Posts: 130
Registered: ‎06-11-2013

Re: ClearPass and AirWatch

You could allow access for cases where the AirWatch/MDM attributes do *not yet* exist on the related endpoint. You can create a policy for this like:

Endpoint:MDM Enabled NOT_EXISTS --> allow access

Once the sync is done, the MDM attributes will exist on the endpoint. During re-authentication a different policy will be evaluated which checks for MDM to be enabled, etc.

I understand this situation is not ideal, but this will make the solution more usable.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
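The rule ordering the last two posts describe, worked through as an added example (this is illustrative Python, not ClearPass code or anything from the thread's authors). It models a first-match, top-to-bottom enforcement policy evaluated over the Endpoint attributes an AirWatch sync writes, with the "MDM Enabled NOT_EXISTS" rule in front, then the agent-missing, jailbroken and stale-check-in checks Josh mentions. "MDM Enabled" is the attribute quoted in the thread; "Compromised", "Last Check In", the role names, the 24-hour threshold and the sample endpoints are all assumptions constructed for the example. The point it makes beyond the posts: the NOT_EXISTS rule catches every device the sync has not reached, not just freshly enrolled ones, so the role it returns should be as restricted as the enrolment role.

```python
"""Model of the ClearPass enforcement policy discussed in the thread.

Added illustration, not ClearPass code: first-match, top-to-bottom rule
evaluation over the Endpoint attributes an AirWatch sync writes, including
the "MDM Enabled NOT_EXISTS" rule for endpoints the sync has not reached.
"""
from datetime import datetime, timedelta, timezone

# Role names returned to the controller in Aruba-User-Role (assumed names).
ROLE_PRESYNC = "presync-onboard"    # NOT_EXISTS rule: let the device onboard
ROLE_ENROL = "aw-enrol"             # synced, agent missing: captive portal
ROLE_QUARANTINE = "quarantine"      # synced, but non-compliant
ROLE_CORP = "corp-access"           # enrolled and compliant

# Endpoint attribute names. "MDM Enabled" is the one quoted in the thread;
# the other two are assumed stand-ins for the compromised-state and
# last-check-in attributes that the AirWatch sync populates.
MDM_ENABLED = "MDM Enabled"
COMPROMISED = "Compromised"
LAST_CHECKIN = "Last Check In"

MAX_CHECKIN_AGE = timedelta(hours=24)   # assumed compliance threshold


def evaluate(attrs, now):
    """Return the role for one endpoint. `attrs` is its Endpoint attribute
    dictionary as written by the MDM sync (empty if never synced)."""
    # Rule 1: Endpoint:MDM Enabled NOT_EXISTS -> allow onboarding.
    # Every unknown device lands here until the next sync, not only a
    # freshly enrolled one, so this role must stay tightly restricted.
    if MDM_ENABLED not in attrs:
        return ROLE_PRESYNC
    # Rule 2: synced and the agent is not enrolled -> agent download portal.
    if not attrs[MDM_ENABLED]:
        return ROLE_ENROL
    # Rule 3: jailbroken or rooted -> quarantine.
    if attrs.get(COMPROMISED, False):
        return ROLE_QUARANTINE
    # Rule 4: no recent check-in -> quarantine; the device may have
    # dropped out of management since the sync that wrote these values.
    last = attrs.get(LAST_CHECKIN)
    if last is None or now - last > MAX_CHECKIN_AGE:
        return ROLE_QUARANTINE
    # Default rule: enrolled, not compromised, recently seen.
    return ROLE_CORP


def apply_sync(attrs, mdm_record):
    """Simulate one ClearPass-to-AirWatch sync writing attributes onto the
    endpoint; returns the updated attribute dictionary."""
    attrs.update(mdm_record)
    return attrs


NOW = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample endpoints keyed by MAC address (not real data).
ENDPOINTS = {
    "00:11:22:33:44:01": {},                                  # never synced
    "00:11:22:33:44:02": {MDM_ENABLED: False},                # synced, no agent
    "00:11:22:33:44:03": {MDM_ENABLED: True, COMPROMISED: True,
                          LAST_CHECKIN: NOW - timedelta(hours=1)},
    "00:11:22:33:44:04": {MDM_ENABLED: True, COMPROMISED: False,
                          LAST_CHECKIN: NOW - timedelta(days=3)},
    "00:11:22:33:44:05": {MDM_ENABLED: True, COMPROMISED: False,
                          LAST_CHECKIN: NOW - timedelta(minutes=30)},
}

# Constructed record a sync would write for a device that just enrolled.
FRESH_RECORD = {MDM_ENABLED: True, COMPROMISED: False,
                LAST_CHECKIN: NOW - timedelta(minutes=5)}


def decide_all(endpoints, now):
    """Evaluate the policy for every endpoint; returns {mac: role}."""
    return {mac: evaluate(attrs, now) for mac, attrs in endpoints.items()}


if __name__ == "__main__":
    for mac, role in decide_all(ENDPOINTS, NOW).items():
        print(f"{mac}  ->  {role}")
    # The never-synced device is re-evaluated on re-authentication after
    # the sync has written its record.
    synced = apply_sync(dict(ENDPOINTS["00:11:22:33:44:01"]), FRESH_RECORD)
    print("after sync ->", evaluate(synced, NOW))
```

Running it shows the unsynced device in the pre-sync role, the unenrolled device in the captive-portal role, the jailbroken and stale devices quarantined, and the compliant device in the corporate role; after `apply_sync` the first device moves to the corporate role on its next re-authentication, which is the behaviour the workaround relies on.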