Security

watermarkgeek
Contributor I
Posts: 30
Registered: 08-21-2007

Clearpass BYOD deployment - Needed best practices

We are very new to ClearPass. We know that it will do a ton, but to start this is really all we want it to do... All advice is appreciated.

We have a network for staff-owned mobile devices. Right now, they bring us their new toy and we enter the MAC address in an internal DB on the Aruba controller. Simple, but time consuming.

What we want ClearPass to do is this.

User brings device on campus --> attempts to join the staffmobile network (currently connected via RADIUS 802.1X, i.e. they get prompted for AD credentials and get a certificate delivered to them once their device MAC has been added by us manually).

We want them to be prompted with a screen pop upon attempting to join the staffmobile network, where they have the opportunity to add their device after authenticating to AD via the ClearPass portal. Once the device is added, they are good to go.

Right now this is what is happening... User connects device to staffmobile --> prompted for username and password --> gets the certificate pushed and accepts it --> gets an IP, but can't browse anything --> no screen pops, but if they eventually try to use a browser on the device, it redirects them to the ClearPass Guest "Operator Login" screen --> they have to enter their AD credentials AGAIN... and log in. At this point they can register the device.

It seems like this is harder than it needs to be. What are we doing wrong here? Does the network still need to be 802.1X if we are doing MAC address authentication? Would an open network cause the devices to screen pop automatically?

And even then, we don't know how to customize the screens. Ugh. So much stuff to learn. Powerful, but not easy.

Thanks for any help you can provide.

EDIT: (I guess this means we are using the MACTrac functionality, although I can't honestly tell how to determine that vs. regular guest access.)

Scott Miller
Super Contributor II
Posts: 390
Registered: 09-05-2012

Re: Clearpass BYOD deployment - Needed best practices

What is issuing the cert for your users' devices? Are you using Aruba Onboard?

Scott McNeil
Frequent Contributor II
Posts: 251
Registered: 09-14-2011

Re: Clearpass BYOD deployment - Needed best practices

New to ClearPass too. Looking forward to hearing more about best practices as well...

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Colin Joseph
Guru Elite
Posts: 21,504
Registered: 03-29-2007

Re: Clearpass BYOD deployment - Needed best practices

watermarkgeek wrote: [the original post, quoted in full above]

You should probably open a case with support to see what you are doing wrong. It seems like you are on the right track, and the redirect to register should happen after we find out the user's device is not registered. The user should have to open a browser to make that happen, though.
Colin Joseph
Aruba Customer Engineering
