Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Profiling Device Access

  • 1.  Clearpass Profiling Device Access

    Posted Oct 25, 2016 11:23 AM

    I have a setup I've been requested to implement, but I'm not sure if it's possible, or if it is possible, how to combine the components.

    Based on the type of device connecting to a single SSID, different authentication methods should occur. If connecting on a laptop/computer, then authenticate via 802.1X (EAP-PEAP) against AD. If connecting on a company-issued smartphone, authorize via MAC address. Connecting on a smartphone needs to be seamless from the viewpoint of the user.

    I can do 802.1X authentication, and I can get MAC address authentication, and detect device types with profiling, but I'm unsure how to combine these to get the requested implementation.

    As a side note, I expect that the mobile devices will end up being placed on a different VLAN from laptops.

    Thank you for any insight.



  • 2.  RE: Clearpass Profiling Device Access

    EMPLOYEE
    Posted Oct 25, 2016 11:26 AM
    How will you be authorizing MAC addresses?


  • 3.  RE: Clearpass Profiling Device Access

    Posted Oct 25, 2016 11:39 AM

    Hi Tim,

    We're going over two options for MAC authentication.

    Likely we will manually import our list of devices and their MAC addresses to the endpoints in ClearPass.

    Alternatively, we have MobileIron deployed to all our devices. I'd like to find a way to use that as the endpoint context server, and to have it supply the MAC addresses for authentication (I haven't researched this option thoroughly).



  • 4.  RE: Clearpass Profiling Device Access

    EMPLOYEE
    Posted Oct 25, 2016 11:42 AM
    OK. Either way would work. I'd recommend instead of using the endpoints
    database in #1, use the Guest Device Repository for MAC whitelisting. It
    provides much more functionality.



    In either situation, once 802.1X authentication succeeds, you can proceed to
    the authorization phase using the MAC address (and associated) data to
    authorize the user.


  • 5.  RE: Clearpass Profiling Device Access

    Posted Oct 25, 2016 11:51 AM

    Thank you for the suggestion on the Guest Device Repository, I'll look into it.

    For the implementation, the client only wants 802.1X authentication on laptops when connecting to the SSID; they don't require MAC authorization for the laptops. However, for mobile devices they don't want 802.1X, and only MAC authentication. This is where I'm having trouble: understanding how to have the access rules differentiate based on device profiling, making sure the two rules don't impact each other.



  • 6.  RE: Clearpass Profiling Device Access

    EMPLOYEE
    Posted Oct 25, 2016 11:53 AM
    You would need two SSIDs then.


  • 7.  RE: Clearpass Profiling Device Access

    Posted Oct 25, 2016 12:13 PM

    Then as a last question, is there any method available in ClearPass to choose different authentication/authorization procedures based on the type of device connecting (without multiple SSIDs)?



  • 8.  RE: Clearpass Profiling Device Access
    Best Answer

    EMPLOYEE
    Posted Oct 25, 2016 12:16 PM
    No. It's not a ClearPass thing. It's an encryption/standards limitation. An
    SSID cannot service both 802.1X and non-802.1X clients.


  • 9.  RE: Clearpass Profiling Device Access

    Posted Oct 25, 2016 12:32 PM

    Thank you for the clarity, I'll take a look into the Guest Device Repository still for future implementations.



  • 10.  RE: Clearpass Profiling Device Access

    Posted Oct 25, 2016 01:31 PM

    I'd like to change the perspective of the approach on this implementation, as MAC authentication won't work in this setup.

    We have domain laptops connecting to the 802.1X SSID that authenticate and authorize against AD (EAP-PEAP).

    Company-issued smartphones are to be able to connect to this same SSID, but we don't want users to have to enter their AD credentials on their phones. What would the best option be to have smartphones authenticate on this SSID, while not affecting the way domain laptops are currently connecting? My first idea would be certificate authentication.



  • 11.  RE: Clearpass Profiling Device Access

    EMPLOYEE
    Posted Oct 25, 2016 03:16 PM
    Are you managing your company-owned smartphones with an MDM?



    Also, have you reached out to your ClearPass partner?


  • 12.  RE: Clearpass Profiling Device Access

    Posted Oct 25, 2016 04:15 PM

    Yes, we are using MobileIron as our MDM.

    I haven't been able to reach out to our partner yet; I'm unsure what assistance they can provide (I haven't reached out to them before).



  • 13.  RE: Clearpass Profiling Device Access

    EMPLOYEE
    Posted Oct 25, 2016 04:17 PM
    MobileIron can push down network configurations to the devices.


  • 14.  RE: Clearpass Profiling Device Access

    Posted Oct 25, 2016 04:34 PM

    How will I then set up authentication in ClearPass for mobile devices connecting to this SSID? I would need to make another service for this, but won't I get denied access on either mobiles or laptops based on the order of the services? Also, would I not still need AD to authenticate against, or am I misunderstanding where I can just use the ClearPass cert to authenticate?

    Thank you very much for your assistance, Tim.



  • 15.  RE: Clearpass Profiling Device Access

    EMPLOYEE
    Posted Oct 25, 2016 04:37 PM
    The user's AD credentials would be used. Alternatively, you could issue
    certs to each device via MobileIron. You can use the same service. You'd
    leverage the MDM data from MobileIron as your authorization data.


  • 16.  RE: Clearpass Profiling Device Access

    Posted Oct 26, 2016 07:39 AM

    We'll avoid having users enter their AD credentials on their phones, so I've added MobileIron as an endpoint context server, but I don't see how to utilize it in ClearPass for authorization. Do you know of a guide or instructions I could use to have the MDM authorize for 802.1X?



  • 17.  RE: Clearpass Profiling Device Access

    EMPLOYEE
    Posted Oct 26, 2016 07:53 AM

    So you're going to push down the EAP-PEAP 802.1X profile through MobileIron?

    In terms of using the MDM context, there are a bunch of attributes you can use in your policy decision. Below is an example. If you look at an MDM endpoint in the endpoints repository, you'll see all of the normalized attributes that synced down from MobileIron that are available for use.

    [image: sample-mdm-enforcement.PNG]
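The thread settles on one 802.1X service whose authorization differs per device class: AD-authenticated laptops on EAP-PEAP, and MobileIron-managed phones on an MDM-issued certificate, with the synced MDM attributes driving the decision, and no MAC authentication at all on an 802.1X SSID. The following Python model is an added illustration, not ClearPass's own policy engine or any code from this thread; the attribute names ("MDM Enabled", "MDM Ownership", "MDM Compliance", "Device Category"), the SSID name, the VLAN numbers and the sample requests are constructed assumptions chosen to show how ordered first-match role mapping keeps the two device classes from interfering with each other.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DOT1X_SSID = "Corp-Secure"  # constructed SSID name (assumption)


@dataclass(frozen=True)
class AccessRequest:
    ssid: str
    auth_method: str  # "EAP-PEAP", "EAP-TLS" or "MAC"
    auth_source: str  # "AD" or "Certificate"
    # Normalized endpoint attributes as they would sit in the endpoint
    # repository; the "MDM *" keys stand in for attributes synced from the MDM.
    endpoint: Dict[str, object]


@dataclass(frozen=True)
class Decision:
    accept: bool
    role: str
    vlan: Optional[int]
    reason: str


def is_dot1x(req: AccessRequest) -> bool:
    return req.auth_method in ("EAP-PEAP", "EAP-TLS")


def is_domain_laptop(req: AccessRequest) -> bool:
    # Laptop path: AD user authenticated over EAP-PEAP, profiled as a computer.
    return (req.auth_method == "EAP-PEAP"
            and req.auth_source == "AD"
            and req.endpoint.get("Device Category") == "Computer")


def is_managed_corporate_phone(req: AccessRequest) -> bool:
    # Phone path: device certificate pushed by the MDM, and the MDM context
    # says the device is enrolled, corporate-owned and compliant.
    ep = req.endpoint
    return (req.auth_method == "EAP-TLS"
            and req.auth_source == "Certificate"
            and ep.get("MDM Enabled") is True
            and ep.get("MDM Ownership") == "Corporate"
            and ep.get("MDM Compliance") == "Compliant")


# Ordered, first-match rules inside ONE service. Because each predicate is
# specific to its device class, the order cannot cause laptops and phones to
# block each other; the order only matters among rules that could both match.
RULES: List[Tuple[str, Callable[[AccessRequest], bool], Decision]] = [
    ("domain-laptop", is_domain_laptop,
     Decision(True, "Domain-Laptop", 10, "AD user on EAP-PEAP")),
    ("managed-phone", is_managed_corporate_phone,
     Decision(True, "Managed-Phone", 20, "MDM-issued cert, corporate and compliant")),
]


def authorize(req: AccessRequest) -> Decision:
    """Evaluate a request against the single-service policy model."""
    # An 802.1X SSID cannot carry non-802.1X clients, so a MAC-auth request
    # never reaches role mapping here; it is refused before the rules run.
    if req.ssid == DOT1X_SSID and not is_dot1x(req):
        return Decision(False, "[Deny]", None, "non-802.1X auth on 802.1X SSID")
    for _name, predicate, decision in RULES:
        if predicate(req):
            return decision
    # Default deny: an unmanaged or non-compliant phone with some other
    # certificate falls through every rule and gets no VLAN.
    return Decision(False, "[Deny]", None, "no role-mapping rule matched")


# Constructed sample requests (not captured from any real deployment).
LAPTOP_REQ = AccessRequest(DOT1X_SSID, "EAP-PEAP", "AD",
                           {"Device Category": "Computer"})
PHONE_REQ = AccessRequest(DOT1X_SSID, "EAP-TLS", "Certificate",
                          {"Device Category": "SmartDevice", "MDM Enabled": True,
                           "MDM Ownership": "Corporate", "MDM Compliance": "Compliant"})
BYOD_PHONE_REQ = AccessRequest(DOT1X_SSID, "EAP-TLS", "Certificate",
                               {"Device Category": "SmartDevice", "MDM Enabled": False})
MAC_REQ = AccessRequest(DOT1X_SSID, "MAC", "Endpoints",
                        {"Device Category": "SmartDevice", "MDM Enabled": True})

if __name__ == "__main__":
    for label, req in (("laptop", LAPTOP_REQ), ("managed phone", PHONE_REQ),
                       ("unmanaged phone", BYOD_PHONE_REQ), ("mac-auth phone", MAC_REQ)):
        d = authorize(req)
        print(f"{label:15} -> accept={d.accept} role={d.role} vlan={d.vlan} ({d.reason})")
```

Running it shows the laptop landing in VLAN 10 and the managed phone in VLAN 20 from the same service, the unmanaged phone hitting the default deny even though it presented a certificate, and the MAC-auth attempt refused before any rule is consulted, which is the limitation post #8 describes.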