Clearpass Guest Session Management

Hi All,

 

Session management on Clearpass Guest is tied to the client's MAC address, which is trivial to spoof. What other methods are there to add more security to guest wireless session management?

 

Cheers

James


-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
---------------------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Guru Elite

Re: Clearpass Guest Session Management

JrWhitehead,

 

There is not much more that you can ask a guest for besides a password, and that would probably be inconvenient. You could try to check in the endpoint database if the DHCP fingerprint is the same as last time, but how would you handle that if it changed?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite

Re: Clearpass Guest Session Management

The best solution (although not usually feasible) would be creating
accounts for your secure network and doing role mapping on the back end to
separate the users from corporate users / employees.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Clearpass Guest Session Management

Is there any way to check if there is more than 1 instance of a MAC address with different IP addresses assigned to each instance?

 

 

Cheers
James

Guru Elite

Re: Clearpass Guest Session Management

jrwhitehead,

 

MAC/ARP spoofing in the controller would handle that...



Colin Joseph
Aruba Customer Engineering


Re: Clearpass Guest Session Management

Someone is claiming they've got access to a guest network by spoofing a valid client's MAC address.

 

The customer in question has Instant APs.

Cheers
James

MVP

Re: Clearpass Guest Session Management

You could set the Active Sessions value to 1 which would only allow 1 MAC address to connect.

 

In addition, upon successful authentication you could write an attribute to the Endpoint entry which identified the device (this would be better if the device has been profiled - add the Clearpass as a DHCP helper). This would be completed under a custom Enforcement profile.

 

You would then amend the service to check that, if the device exists in the Endpoint database, the specific attribute matches; otherwise invoke the Deny Access Profile. This would only allow 1 MAC address to connect, and if this was spoofed then the device type details would have to match as well.

 

I have done similar checks before but not this specific use. Test in a lab if you get a chance.

David
ACDX #98 | ACMP | ACCP

Re: Clearpass Guest Session Management

Setting the active session value to 1 wouldn't stop the MAC spoofing if the other client had disconnected.

 

I understand what you're saying about checking and writing detail to the endpoint database but not really sure how I would go about doing it!

 

We are profiling devices so there will already be details in the endpoint repository for all devices that have associated.

Cheers
James

MVP

Re: Clearpass Guest Session Management

If the Aruba controller is classifying devices you could write the Radius:Aruba:Aruba-Device-Type field into an Endpoint attribute and then create an Enforcement policy that says that the Device Type needs to match the Endpoint attribute.

 

This would be a really basic test (i.e. matching 'Win 7' or 'iPhone') but would add some extra checks.

As I said before I haven't tested this so you would need to lab it up first.

David
ACDX #98 | ACMP | ACCP
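As an added example (not code from this thread, and not ClearPass's own policy engine), here is a small Python model of the two checks David describes: the Active Sessions limit and the Endpoint attribute match written on first successful login. The attribute name Guest-Device-Type, the repository layout and the MAC values are constructed assumptions; the scenario walked through is the one James raises, where the legitimate client has already disconnected.

```python
from dataclasses import dataclass, field

# Hypothetical custom Endpoint attribute that the Enforcement profile would write.
ATTR = "Guest-Device-Type"


@dataclass
class Endpoint:
    mac: str
    attributes: dict = field(default_factory=dict)


@dataclass
class Repository:
    """Stand-in for the ClearPass Endpoint repository plus the active-session table."""
    endpoints: dict = field(default_factory=dict)  # MAC -> Endpoint
    active: set = field(default_factory=set)       # MACs with a live session


def evaluate(repo, mac, device_type, max_sessions=1):
    """Return (decision, reason) for one authentication request.

    device_type is the value seen as Radius:Aruba:Aruba-Device-Type in Access Tracker.
    Order mirrors the thread: session limit first, then Endpoint attribute match.
    """
    mac = mac.lower()
    seen = device_type.strip().lower()
    if mac in repo.active and max_sessions <= 1:
        return "DENY", "active session limit reached"
    ep = repo.endpoints.setdefault(mac, Endpoint(mac))
    recorded = ep.attributes.get(ATTR)
    if recorded is not None and recorded != seen:
        # Same MAC, different device classification: this is the spoofing case.
        return "DENY", f"device type {seen!r} does not match recorded {recorded!r}"
    # Successful authentication: record the classification and mark the session live.
    ep.attributes[ATTR] = seen
    repo.active.add(mac)
    return "ALLOW", ("device type recorded" if recorded is None else "device type matches")


def disconnect(repo, mac):
    repo.active.discard(mac.lower())


def spoof_after_disconnect():
    """Legit Android client logs in and leaves; a 'Win 7' client reuses its MAC."""
    repo = Repository()
    mac = "aa:bb:cc:dd:ee:01"  # constructed sample MAC
    first = evaluate(repo, mac, "Android")
    disconnect(repo, mac)      # session limit alone would now let the spoofer in
    second = evaluate(repo, mac, "Win 7")
    return first[0], second[0]
```

The session limit blocks a second concurrent use of the MAC, while the attribute check is what still fires once the real client has gone.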

Re: Clearpass Guest Session Management

I'm still not sure how to do this. 


I've got the devices in the endpoint repository as I'm profiling devices.

 

I'm just unsure how I would check that an associating client's (with MAC xx:xx:xx:xx:xx:xx) device type matches the device type of the endpoint repository entry for the same MAC.

 

I can see the following in the access tracker:

 

Radius:Aruba:Aruba-Device-Type    Android

 

This matches the OS family in the Endpoint repository:

 

OS Family    Android
 

 

Can't for the life of me work out how I check if they match though! I think I need some more training!

Cheers
James
