Frequent Contributor I
Posts: 99
Registered: ‎08-31-2016

Clearpass Profiling Device Access

I have a setup I've been requested to implement, but I'm not sure if it's possible, or if it is possible, how to combine the components.


Based on the type of device connecting to a single SSID, different authentication methods should occur. If connecting on a laptop/computer, then authenticate via 802.1X (EAP-PEAP) against AD. If connecting on a company-issued smartphone, authorize via MAC address. Connecting on a smartphone needs to be seamless from the viewpoint of the user.


I can do 802.1x Authentication, and I can get MAC address Authentication, and detect device types with profiling, but I'm unsure on how to combine these to get the requested implementation.


As a side note, I expect that the mobile devices will end up being placed on a different vlan from laptops.


Thank you for any insight

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Profiling Device Access

How will you be authorizing MAC addresses?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 99
Registered: ‎08-31-2016

Re: Clearpass Profiling Device Access

Hi Tim,


We're going over two options for MAC authentication.


Likely we will manually import our list of devices and their MAC Addresses to the endpoints in Clearpass.


Alternatively, we have MobileIron deployed to all our devices. I'd like to find a way to use that as the endpoint context server, and to have it supply the MAC addresses for authentication (I haven't researched this option thoroughly).


Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Profiling Device Access

OK. Either way would work. I'd recommend instead of using the endpoints
database in #1, use the Guest Device Repository for MAC whitelisting. It
provides much more functionality.



In either situation, once 802.1X authentication succeeds, you can proceed to
the authorization phase using the MAC address (and associated) data to
authorize the user.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 99
Registered: ‎08-31-2016

Re: Clearpass Profiling Device Access

Thank you for the suggestion on the Guest Device Repository, I'll look into it.

For the implementation, the client only wants 802.1X authentication on laptops when connecting to the SSID; they don't require MAC authorization for the laptops. However, for mobile devices they don't want 802.1X and only want MAC authentication. This is where I'm having trouble: understanding how to have the access rules differentiate based on device profiling, making sure the two rules don't impact each other.


Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Profiling Device Access

You would need two SSIDs then.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 99
Registered: ‎08-31-2016

Re: Clearpass Profiling Device Access

Then as a last question, is there any method available in ClearPass to choose different authentication/authorization procedures based on the type of device connecting (without multiple SSIDs)?

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Profiling Device Access

No. It's not a ClearPass thing. It's an encryption/standards limitation. An
SSID cannot service both 802.1X and non-802.1X clients.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
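To make the two points in Tim's replies concrete, here is an added toy model of the flow he describes: a policy server first categorizes each RADIUS request into an 802.1X service or a MAC-authentication service, and then, after 802.1X succeeds, authorizes using MAC-associated data from a device whitelist. It also encodes the constraint from the last reply, that a MAC-only request can never originate on a WPA2-Enterprise SSID, so phones without credentials need their own SSID. This is example code written for this page, not code from the thread, from ClearPass or from Aruba; the device repository, the AD stand-in, the role names and the VLAN numbers are constructed assumptions. The two Service-Type values are the RFC 2865 constants (Framed = 2, Call-Check = 10).

```python
# Added example (not from the thread or from ClearPass): a toy RADIUS policy
# model that splits one request stream into an 802.1X service and a MAC-auth
# service, then authorizes by MAC address against a device whitelist.
from dataclasses import dataclass
from typing import Optional

# Constructed whitelist standing in for the Guest Device Repository.
DEVICE_REPOSITORY = {
    "00-11-22-33-44-55": {"role": "corp-phone", "vlan": 120, "enabled": True},
    "aa-bb-cc-dd-ee-ff": {"role": "corp-phone", "vlan": 120, "enabled": False},
}

# Constructed AD stand-in for the EAP-PEAP inner credential check.
AD_USERS = {"alice": "correct horse battery staple"}

SERVICE_TYPE_FRAMED = 2       # RFC 2865; typical for 802.1X requests
SERVICE_TYPE_CALL_CHECK = 10  # RFC 2865; used by a NAS for MAC authentication


@dataclass
class RadiusRequest:
    calling_station_id: str          # client MAC as the controller reports it
    service_type: int
    user_name: str
    eap_message: bool = False        # True when an EAP-Message attribute is present
    password: Optional[str] = None   # toy inner credential; real PEAP is a TLS tunnel
    ssid_is_8021x: bool = True       # security mode of the SSID the client associated to


@dataclass
class Decision:
    service: str
    result: str
    role: Optional[str] = None
    vlan: Optional[int] = None
    reason: str = ""


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 001122-334455, 001122334455 ...; emit aa-bb-cc-dd-ee-ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def same_mac(a: str, b: str) -> bool:
    try:
        return normalize_mac(a) == normalize_mac(b)
    except ValueError:
        return False


def select_service(req: RadiusRequest) -> str:
    """Categorize before authenticating, the way service rules do."""
    if req.eap_message:
        return "wireless-8021x"
    if req.service_type == SERVICE_TYPE_CALL_CHECK and same_mac(req.user_name, req.calling_station_id):
        return "wireless-mac-auth"
    return "no-match"


def evaluate(req: RadiusRequest) -> Decision:
    service = select_service(req)
    device = DEVICE_REPOSITORY.get(normalize_mac(req.calling_station_id))

    if service == "wireless-8021x":
        if req.password is None or AD_USERS.get(req.user_name) != req.password:
            return Decision(service, "reject", reason="AD credential check failed")
        # Authenticated. Authorization may now use MAC-associated repository data.
        if device and device["enabled"]:
            return Decision(service, "accept", device["role"], device["vlan"],
                            "802.1X user on a repository device")
        return Decision(service, "accept", "corp-laptop", 110, "802.1X user, unknown endpoint")

    if service == "wireless-mac-auth":
        if req.ssid_is_8021x:
            # A WPA2-Enterprise SSID demands EAP before the 4-way handshake can
            # start, so a MAC-only client never gets this far on that SSID.
            return Decision(service, "reject", reason="802.1X SSID requires EAP; MAC-only clients need a separate SSID")
        if device is None:
            return Decision(service, "reject", reason="MAC not in device repository")
        if not device["enabled"]:
            return Decision(service, "reject", reason="device disabled in repository")
        return Decision(service, "accept", device["role"], device["vlan"], "MAC whitelisted")

    return Decision(service, "reject", reason="no service matched the request")


if __name__ == "__main__":
    phone = RadiusRequest("00:11:22:33:44:55", SERVICE_TYPE_CALL_CHECK, "001122334455", ssid_is_8021x=False)
    laptop = RadiusRequest("de:ad:be:ef:00:01", SERVICE_TYPE_FRAMED, "alice", eap_message=True,
                           password="correct horse battery staple")
    for r in (phone, laptop):
        print(evaluate(r))
```

The model keeps the two decisions separate on purpose: the service match is driven only by attributes the NAS puts in the request (EAP-Message, Service-Type, User-Name equal to Calling-Station-Id), while the MAC lookup is an authorization step that runs after authentication. Disabled repository entries are rejected in the MAC-auth path but simply fall through to the default laptop role in the 802.1X path, which is the kind of interaction between the two rule sets the original poster was worried about.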
Frequent Contributor I
Posts: 99
Registered: ‎08-31-2016

Re: Clearpass Profiling Device Access

Thank you for the clarity, I'll take a look into the Guest Device Repository still for future implementations.

Frequent Contributor I
Posts: 99
Registered: ‎08-31-2016

Re: Clearpass Profiling Device Access


I'd like to change the perspective of the approach on this implementation, as MAC authentication won't work in this setup.


We have domain laptops connecting to the 802.1X SSID that authenticate and authorize against AD (EAP-PEAP).

Company-issued smartphones are to be able to connect to this same SSID, but we don't want users to have to enter their AD credentials on their phones. What would the best option be to have smartphones authenticate on this SSID, while not affecting the way domain laptops are currently connecting? My first idea would be certificate authentication.
