05-10-2016 05:52 PM
Hi. We are a K-12 school district in NC that has had ClearPass recently setup by our Aruba vendor. A big reason we purchased ClearPass was to block student phones from our network. Rules and roles were created by our vendors engineer to accomplish this with DHCP fingerprinting. The device type is profiled (Smart Device; Apple iPhone, Samsung Android, etc) and rules are created to send these devices to a blocked phone role. A Deny_Device role is setup on the IAP virtual controller to deny all services to any iPhone or Android phone. In our testing lab we saw this successfully work and saw that phones from multiple vendors were in fact blocked. We began rolling this out to one of our middle schools this week and are finding that some iPhone and Android phones can connect, get a valid IP and get out to the internet and get a role that allows them on the network while other phones get the deny_device role, get an invalid IP and are blocked like they should be. Can anyone lend any assistance as to why some phones are blocked and some are not? Thank you.
05-10-2016 05:56 PM
05-10-2016 06:04 PM
Please post some screenshots of your enforcement policy and also please show
us an access tracker request for one of the devices that was allowed on.
@timcappalli I will post some screenshots of the the enforcement policy ASAP. For now, here are two screenshots. One is from a iPhone that was blocked and one was from an iPhone that was allowed on. Thanks!
05-10-2016 06:06 PM
05-11-2016 04:59 AM
The device being allowed on is profile as "iOS Device" not iPhone. Once we see your enforcement policy (and also post your role map), we can make a recommendation.
Attached are screenshots of our enforcement policy and role mappings. I've also included a screenshot of two different Samsung Android phones. One gets blocked and one gets through. You can see one gets the blocked_phone_role and the other gets the HCS-Teacher role and allowed on the network. Both have the same profile of SmartDevice / Android / Android. Thanks for any assistance.
05-11-2016 06:57 AM
Couple of comments.
1) You should do one combined role map for your 802.1X service that is a match any and then reference the TIPS roles in your enforcement policy. This role map would include identity portions from AD as well as your device tagging. You want to avoid doing this in your enforcement policy. Here's a quick example:
Your enforcement would then simply say:
Tips Role EQUALS DEVICE_SMARTPHONE
Connection: Client-Mac-Address NOT_BELONGS_TO_GROUP HCS-AllowedPhones
Deny Role enforcement profile
2) Since you're using device type as a critical decision maker, you need to enable profiling in the service and create a new enforcement rule for something that isn't profiled.
- In your service, click the Profile Endpoints check box, then go to the Profiler tab, select SmartDevice from the drop down and then click Save.
- On your controller create a new role called PROFILE. This role should only allow DHCP. Create a new enforcement profile referencing that role name using the Aruba-User-Role VSA. Now in your enforcement policy, create a new rule at the top that reads:
Authorization:[Endpoints Repository] Category NOT_EXISTS, <your-"PROFILE"-enforcement-profile>
3) Just curious, are all 3 of your DCs in the same domain? If so, why are you checking group membership for each DC? You should have just one AD auth source per domain.
05-11-2016 08:03 AM
I am working with Jeremy to resolve this issue. I think I follow what you are trying to do but I have some questions about how to go about it with what is already built.
1. There is already a role mapping policy in place that defines roles based on user groups in AD. How would I add the additional conditions for defining all the smartphones as DEVICE_SMARTPHONE? Can I just add the conditions to the existing policy?
2. Endpoint profiling is enabled in the service and user VLANs have added the CPPM server as an IP helper to assist with the profiling of the devices. However, I am at a loss as to why in one instance the same iPhone can be profiled as a SmartDevice\Apple\Apple iOS device yesterday and today it is profiled as SmartDevice\Apple\ Apple iPhone. This is what is causing the most havoc right now.
3. I followed suggestion #2 and changed the Endpoint Classification setting to SmartDevice, created the Profile role on the Instant VC and allowed only DHCP. I have added an Enforcement Profile called HCS_Profile-Device and edited the Enforcement Policy to include a top line condition that states Authorization:[Endpoints Repository] Category: NOT_EXISTS and then added the HCS_Profile_Device enforcment profile.
Thanks for your input on this.
It is confusing in that the conditions worked in a test environment but now that it is live we are seeing conflicting situations. In one instance two devices get profiled as SmartDevice\Android\Android and appear to be identical but one gets blocked and the other is allowed on. The same with iPhones where they both get SmartDevice\Apple\Apple iPhone and one gets blocked but the other is allowed. on.
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP
05-11-2016 08:10 AM
Also a little bit of background on what the customer is trying to achieve;
1 - They want to allow whitelisted SmartDevices (teacher and staff mobile phones) but block any that are not whitelisted.
2 - They are a primarily an all Chromebook environment which appear to be profiled as SmartDevice\Linux\ChromeOS. However, they do have iPads and iPod Touch devices in some schools that need to be allowed.
3 - For their Windows and Mac domain joined machines they want to auth and derive user roles from AD group membership.
4 - They are using Instant APs in their middle schools and controllers at their high schools.
5 - They are currently on CPPM version 188.8.131.52015
Thanks again for the input and suggestions.
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP