Frequent Contributor I
Posts: 68
Registered: ‎12-07-2015

ClearPass securing devices to a specific application

Hi All,

I have ClearPass for Onboard and OnGuard. It is working great for my 802.1X needs.

I have a requirement that we get a specific application working on some Android tablets in our various stores so that customers can check out or browse products. They should be segmented out from all other VLAN traffic.

How can I leverage ClearPass so that it detects that the particular application is in use and puts it on the correct VLAN?

We will have about 3-400 of these tablets.

N

Guru Elite
Posts: 20,582
Registered: ‎03-29-2007

Re: ClearPass securing devices to a specific application

What type of encryption are you using for those tablets? The best way to do what you are looking for is to detect a common username or AD group that the tablets are using to put them into a VLAN. ClearPass OnGuard does not have an agent to detect applications on a mobile device. A second option is if you are using MobileIron or some sort of device management for your tablets and you can use MAC authentication to that database to move your mobile devices to that VLAN when they attach...


Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 8,192
Registered: ‎09-08-2010

Re: ClearPass securing devices to a specific application

You may want to consider Onboarding these devices to a separate "device" CA and leveraging that as part of your policy decision.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Frequent Contributor I
Posts: 68
Registered: ‎12-07-2015

Re: ClearPass securing devices to a specific application

I was planning on EAP-TLS over a mobility controller with tunnel mode back to the datacenter.

Onboard for certificate provisioning is probably the way to go.

So this solution would make these tablets fairly fixed with their security, meaning that if we had another purpose, like a staff member going to do inventory with another application, it would have to be moved to a different SSID to get the proper access?

Guru Elite
Posts: 20,582
Registered: ‎03-29-2007

Re: ClearPass securing devices to a specific application

If you are using EAP-TLS, you can "authorize" the Common Name or username on the certificate to AD and you can use that account or the group that account username is in to move it to the correct VLAN.



Colin Joseph
Aruba Customer Engineering
