Regular Contributor II
Posts: 201
Registered: 01-30-2013

Clearpass Identify IOs and Android devices

Guys,

I am a little confused about the ClearPass service configuration.

I created a service "Acessos 802.1x" to configure two SSIDs with 802.1x.

It's working well, as in the screenshots.
When I connect with 802.1x to Enterprise I get one role, and when I connect to Protocolo I get another role. This is configured on ClearPass.

Now, on the same "Acessos 802.1x" service, I need to add one role or policy for iPhones when they connect via 802.1x (AD). The objective is to force iPhones into a guest role that exists on the Aruba controller. This is not working.

Also, I need to add to this 802.1x service a MAC list of authorized PCs (the static list "PC´s Protocolo" is already created). This list is for the MNE_Protocolo SSID (only the MACs listed can connect to that SSID).

Can I do all of this under the Acessos 802.1x service at once?

Acessos 802.1x should have:

enforcement for iPhones or Androids to go to the guest role
enforcement to limit access to SSID MNE_Protocolo to a static MAC list
enforcement for SSID A to go to role A (done and working)
enforcement for SSID B to go to role B (done and working)

Frequent Contributor II
Posts: 128
Registered: 03-13-2008

Re: Clearpass Identify IOs and Android devices

I would not put all of your SSIDs in a single service. Yes, it can work, but you have less flexibility to make changes without affecting all of your SSIDs. Create a service for each of your SSIDs. You will be happier when something breaks.

Under your service rule, change line 3:

    Radius:Aruba    Aruba-ESSID-Name    EXISTS

to:

    Radius:Aruba    Aruba-ESSID-Name    EQUALS <specific name of the SSID>

Your Services – Acessos 802.1x MNE ENFORCEMENT screenshot:

Line 1: the device type will not begin with "iphone"; it is "Apple iPhone".

Please look at my screenshot of the iPhone policy.

MAC filtering: you will need a separate policy for this also.

Are you using a controller? What version of code? There are some differences in how MAC authentication works.

You have more than one question in this post; let's take them one at a time.

Separate the services out first.

Make the changes to your iPhone/Android policy.

Then we can deal with the MAC auth request.

David Dipert
Regular Contributor II
Posts: 201
Registered: 01-30-2013

Re: Clearpass Identify IOs and Android devices

Hi ddipert,

Thanks for your help.

1. Separate the services first

You are saying that I should create another 802.1x service for the other SSID? Similar to the one that already exists, but with the RADIUS attribute changed to "equals"?

2. Make changes to your iPhone/Android

OK, I will try it. I was picking the iPhone expression from the RADIUS request in Access Tracker...

3. Then we can deal with the MAC auth request

I think I solved this one by enabling MAC auth on the AAA profile. It's working OK, but I need to enter 60 MACs by hand in the internal DB... Not an issue :)

Thanks

Regards

MVP
Posts: 702
Registered: 03-25-2009

Re: Clearpass Identify IOs and Android devices

Please avoid MAC auth whenever you can!

You WILL fail at maintaining it. :P

A much better solution would be to use the endpoint repository, which already classifies iPhones and other smart devices.

Here's an example of what you could use to give smart devices a different role without having to keep a list manually:

In your role mapping policy add the following:

(Authorization:[Endpoints Repository]:Category  EQUALS  SmartDevice)

Then in your enforcement policy add a rule that uses that new role and applies the enforcement profile:

POLICY: (Tips:Role  EQUALS  SmartDevice)

with the attached PROFILE: Radius:Aruba:Aruba-User-Role = smartdevice-role

If you really want to give only the iPhone a different role, change "Category  EQUALS  SmartDevice" to "Device Name EQUALS Apple iPhone".

Koen (ACMX #351 | ACDX #547 | ACCP)

Regular Contributor II
Posts: 201
Registered: 01-30-2013

Re: Clearpass Identify IOs and Android devices

Hi,
The objective is not smart devices.
I have a static MAC host list created, but it is for Windows PCs.

We need to create an SSID and only permit the static list already created in ClearPass.
Guru Elite
Posts: 19,983
Registered: 03-29-2007

Re: Clearpass Identify IOs and Android devices

beconnect wrote:
Hi,
The objective is not smart devices.
I have a static MAC host list created, but it is for Windows PCs.

We need to create an SSID and only permit the static list already created in ClearPass.

Beconnect,

I have to agree strongly with Koenv on this one. If you have Windows PCs that are part of a domain, you should use machine authentication to differentiate those devices instead of a MAC address list. The post here: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Enforce-Machine-Authentication/m-p/58918/highlight/true#M4585 shows how you can do that.

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Regular Contributor II
Posts: 201
Registered: 01-30-2013

Re: Clearpass Identify IOs and Android devices

Hi,

We have 2 SSIDs created.

For one of them we need to force that only 30 machines' MAC addresses can connect to the Wi-Fi.

I created the Aruba service, but I am missing how I can force ClearPass to check whether the MAC address is valid or not...
Guru Elite
Posts: 19,983
Registered: 03-29-2007

Re: Clearpass Identify IOs and Android devices


beconnect wrote:
Hi,

We have 2 SSIDs created.

For one of them we need to force that only 30 machines' MAC addresses can connect to the Wi-Fi.

I created the Aruba service, but I am missing how I can force ClearPass to check whether the MAC address is valid or not...

1. You need to create two roles within CPPM that would apply to each situation. Go to Identity > Roles to create both.

2. In your service, you need to create a role mapping policy that checks whether the user's MAC address belongs to that static host list AND the user is connecting using that SSID. In the example below, the role mapping policy checks whether the Calling-Station-Id (incoming MAC address) is in the static host list "authorized-mac-addresses" and the SSID the user is connecting to is "Thatssid". If both conditions hold, it tags the incoming authentication with the role "Role-1".

(screenshot: role.png)

3. Later, in your enforcement policy, you check whether the user's authentication is classified with the CPPM role Role-1; if so, you permit them with the RADIUS Allow Access profile:

(screenshot: enforce.png)

Colin Joseph
Aruba Customer Engineering

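The two-stage logic in Koen's and Colin's replies (role mapping first, then enforcement), as an added example that is not part of the thread and not ClearPass code: a small Python model of those rules. Attribute, role and profile names follow the posts; the static host list entries, the sample requests and the deny fall-through are constructed assumptions.

```python
import re

# Static host list "authorized-mac-addresses" from Colin's post; the entries are constructed.
AUTHORIZED_MAC_ADDRESSES = {"00:11:22:33:44:55", "00-11-22-33-44-66"}

def normalize_mac(value):
    """Calling-Station-Id arrives in several formats (001122334455, 00-11-22-33-44-55,
    00:11:22:33:44:55); compare in one canonical form so no entry is missed on format alone."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % value)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def role_mapping(request):
    """Stage 1, role mapping policy: every rule is evaluated and each match adds a Tips:Role.
    A MAC in a static host list is a claim the client makes, not an authenticated identity."""
    roles = set()
    # Koen's rule: Authorization:[Endpoints Repository]:Category EQUALS SmartDevice
    if request.get("Authorization:[Endpoints Repository]:Category") == "SmartDevice":
        roles.add("SmartDevice")
    # Colin's rule: Calling-Station-Id in the static host list AND Aruba-ESSID-Name EQUALS Thatssid
    station = request.get("Radius:IETF:Calling-Station-Id")
    allowed = {normalize_mac(m) for m in AUTHORIZED_MAC_ADDRESSES}
    if (station and normalize_mac(station) in allowed
            and request.get("Radius:Aruba:Aruba-ESSID-Name") == "Thatssid"):
        roles.add("Role-1")
    return roles

def enforcement(roles):
    """Stage 2, enforcement policy: rules are tried in order, first match wins; anything
    unmatched falls through to a deny profile (assumed here as the fail-closed default)."""
    if "Role-1" in roles:       # Tips:Role EQUALS Role-1 -> RADIUS Allow Access profile
        return {"profile": "Allow Access Profile"}
    if "SmartDevice" in roles:  # Tips:Role EQUALS SmartDevice -> Aruba-User-Role = smartdevice-role
        return {"profile": "Aruba-User-Role", "Radius:Aruba:Aruba-User-Role": "smartdevice-role"}
    return {"profile": "Deny Access Profile"}

def decide(request):
    """Full evaluation of one incoming request: role mapping, then enforcement."""
    return enforcement(role_mapping(request))

# Constructed sample RADIUS requests, one per case the thread discusses.
SAMPLE_REQUESTS = {
    "authorized-pc": {"Radius:IETF:Calling-Station-Id": "001122-334455", "Radius:Aruba:Aruba-ESSID-Name": "Thatssid"},
    "authorized-pc-wrong-ssid": {"Radius:IETF:Calling-Station-Id": "00:11:22:33:44:55", "Radius:Aruba:Aruba-ESSID-Name": "Enterprise"},
    "unknown-pc": {"Radius:IETF:Calling-Station-Id": "aa:bb:cc:dd:ee:ff", "Radius:Aruba:Aruba-ESSID-Name": "Thatssid"},
    "iphone": {"Radius:IETF:Calling-Station-Id": "aa:bb:cc:dd:ee:01", "Radius:Aruba:Aruba-ESSID-Name": "Enterprise",
               "Authorization:[Endpoints Repository]:Category": "SmartDevice"},
}
```

Running `decide()` over `SAMPLE_REQUESTS` shows why both conditions matter: the authorized MAC is allowed only on "Thatssid", and an unknown MAC on that SSID falls through to the deny profile.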
Regular Contributor II
Posts: 201
Registered: 01-30-2013

Re: Clearpass Identify IOs and Android devices

Hi

Thanks for your explanations ;)
The SSIDs were already created; I just needed to separate the two services for the two different SSIDs. I was just missing which role to create to check the MACs that belong to the static list on ClearPass ;)

One service has a policy for one SSID and then the authenticated role.

The other service has a policy for the other SSID and only permits the static host list.

Nice. I will try tomorrow :) and let you guys know.
Regular Contributor II
Posts: 201
Registered: 01-30-2013

Re: Clearpass Identify IOs and Android devices

Hi,

I created two rules under the service and all is working OK.

I don't have the need to create role mappings or policies...

I just created them directly under the service and it's working.

For one SSID it does MAC control and an ESSID check.

For the other it only checks the ESSID name.

Is this correct?

Regards
