10-25-2016 08:23 AM
I have a setup I've been requested to implement, but I'm not sure if it's possible, or if it is possible, how to combine the components.
Based on the type of device connecting to a single SSID, different authentication methods should occur. If connecting on a laptop/computer, then authenticate via 802.1x (eap-peap) against AD. If connecting on a company-issued smartphone, authorize via MAC addressing. Connecting on a smartphone needs to be seamless from the viewpoint of the user.
I can do 802.1x Authentication, and I can get MAC address Authentication, and detect device types with profiling, but I'm unsure on how to combine these to get the requested implementation.
As a side note, I expect that the mobile devices will end up being placed on a different VLAN from laptops.
Thank you for any insight
10-25-2016 08:38 AM
We're going over two options for MAC authentication.
Likely we will manually import our list of devices and their MAC Addresses to the endpoints in Clearpass.
Alternatively, we have MobileIron deployed to all our devices. I'd like to find a way to use that as the endpoint context server, and to have it supply the MAC addresses for authentication (haven't researched this option thoroughly).
10-25-2016 08:41 AM
database in #1, use the Guest Device Repository for MAC whitelisting. It provides much more functionality.

In either situation, once 802.1X authentication succeeds, you can proceed to the authorization phase using the MAC address (and associated) data to authorize the user.
10-25-2016 08:51 AM
Thank you for the suggestion on the Guest Device Repository, I'll look into it.
For the implementation, the client only wants 802.1X authentication on laptops when connecting to the SSID; they don't require MAC authorization for the laptops. However, for mobile devices they don't want 802.1x, and only MAC authentication. This is where I'm having trouble: understanding how to have the access rules differentiate based on device profiling, making sure the two rules don't impact each other.
10-25-2016 09:12 AM
Then, as a last question, is there any method available in ClearPass to choose different authentication/authorization procedures based on the type of device connecting (without multiple SSIDs)?
10-25-2016 09:15 AM
10-25-2016 10:31 AM - edited 10-25-2016 12:13 PM
I'd like to change the perspective of the approach on this implementation, as MAC authentication won't work in this setup.
We have domain laptops connecting to the 802.1X SSID, that authenticate and authorize against AD (EAP-PEAP).
Company-issued smartphones are to be able to connect to this same SSID, but we don't want users to have to enter their AD credentials on their phones. What would the best option be to have smartphones authenticate on this SSID, while not affecting the way domain laptops are currently connecting? My first idea would be certificate authentication.