Contributor I
Posts: 30
Registered: ‎08-21-2007

Clearpass mactrac - limit users to one iphone and one ipad

Guys,

One of the reasons we bought ClearPass was to allow our staff to self-register their "employee owned" devices. In this case, we don't purchase mobile phones or tablets for the staff, but allow them to use their devices.

Our understanding (i.e., sales pitch) from Aruba was that we would be able to limit our staff to registering one iPhone and one iPad per employee. The reason for this was employees would regularly purchase new phones and not tell us about it, and just join them to our staff wifi network (leaving the old one credentialed as well). :(

To get around that, we started manually entering MAC addresses into the internal database of the Aruba controller so that the staff would at least have to bring us their new devices before they could get on the network. Functional, but a headache for IT staff.

The goal for ClearPass was to have staff go to a portal page and register their own devices... All of this is working BUT we can't seem to find a way to limit it to one iPhone and one iPad. It seems to see them both as iOS devices and makes no distinction, which really defeats the purpose if someone can add their old AND new iPhone to the system.

Any ideas on how to make this work?

Scott Miller
Aruba
Posts: 1,534
Registered: ‎06-12-2012

Re: Clearpass mactrac - limit users to one iphone and one ipad

The only way to limit to a specific OS:

1. Onboard the device
2. Pull the information down from an MDM.

CPPM can profile the device and limit by saying you are only allowed 2 iOS devices, but it can't tell the type by just the fingerprint. Apple's fingerprint is very limited and you would need an advanced profile from one of the above two to limit type of device.
Thank You,
Troy

Contributor I
Posts: 30
Registered: ‎08-21-2007

Re: Clearpass mactrac - limit users to one iphone and one ipad

So basically, even though I paid for the product to do a specific purpose (I didn't buy the EVEN MORE EXPENSIVE licenses for onboarding), it won't do the job that I specifically asked for it to do. Sigh... typical sales.

You would think that if this product is designed to simplify the BYOD process... limiting an employee to a single phone might be something that is included in the product.

But alas, this is what I've come to expect from Aruba. I'll call our sales rep and see if we can't get a refund for this expensive waste of money.

Scott Miller
Contributor I
Posts: 30
Registered: ‎08-21-2007

Re: Clearpass mactrac - limit users to one iphone and one ipad

Oh... and how come the Aruba controller can tell the difference between an iPad and an iPhone? Seems like it's possible, it's just that ClearPass can't do it. And it doesn't seem like that's Apple's fault.

Scott Miller
Guru Elite
Posts: 7,991
Registered: ‎09-08-2010

Re: Clearpass mactrac - limit users to one iphone and one ipad

What code are you running on your controllers?

There may be a way to do what you're asking but it's sloppy.

The controller can see device type because it is in the datapath and can read the HTTP headers. ClearPass is not an inline device.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
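
An added illustration (not part of the thread, and not ClearPass or controller configuration) of the point in the post above: a system that sees the HTTP User-Agent header can tell an iPhone from an iPad and apply a one-of-each limit per user. The `DeviceRegistry` class, its method names and the sample headers are hypothetical and constructed for this example.

```python
import re
from collections import defaultdict

# Per-user limit for each device type, matching the policy asked for in the thread.
LIMITS = {"iPhone": 1, "iPad": 1}

# Constructed sample User-Agent headers in the iOS Safari format (not captured traffic).
UA_IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) "
             "AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53")
UA_IPAD = ("Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X) "
           "AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53")
UA_OTHER = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)"

# The platform token is the first item inside the first parenthesised group.
_PLATFORM = re.compile(r"^[^(]*\(\s*(iPhone|iPad)\s*;")


def classify(user_agent):
    """Return 'iPhone', 'iPad', or None when the header carries neither token."""
    match = _PLATFORM.search(user_agent or "")
    return match.group(1) if match else None


class DeviceRegistry:
    """Hypothetical self-registration store: user -> {mac: device_type}."""

    def __init__(self):
        self._devices = defaultdict(dict)

    def register(self, user, mac, user_agent):
        """Return (accepted, reason) after applying the per-type limit."""
        device_type = classify(user_agent)
        if device_type is None:
            return False, "unclassified device"
        mac = mac.lower().replace("-", ":")
        owned = self._devices[user]
        if mac in owned:
            return True, "already registered"
        if sum(t == device_type for t in owned.values()) >= LIMITS[device_type]:
            return False, "limit reached for " + device_type
        owned[mac] = device_type
        return True, "registered " + device_type

    def replace(self, user, old_mac, new_mac, user_agent):
        """Retire the old device first, so a new phone displaces the old one."""
        self._devices[user].pop(old_mac.lower().replace("-", ":"), None)
        return self.register(user, new_mac, user_agent)
```

The User-Agent header is supplied by the client, so the result is a classification hint rather than proof of device type.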
Contributor I
Posts: 30
Registered: ‎08-21-2007

Re: Clearpass mactrac - limit users to one iphone and one ipad

We are running 6.3.1.5 on the Aruba controller and the latest patch (Cumulative Patch 4 for 6.3.x) on ClearPass.

Scott Miller