07-14-2014 08:55 AM
One of the reasons we bought ClearPass was to allow our staff to self-register their "employee owned" devices. In this case, we don't purchase mobile phones or tablets for the staff, but allow them to use their devices.
Our understanding (i.e., sales pitch) from Aruba was that we would be able to limit our staff to registering one iPhone and one iPad per employee. The reason for this was employees would regularly purchase new phones and not tell us about it, and just join them to our staff wifi network (leaving the old one credentialed as well). :(
To get around that, we started manually entering MAC addresses into the internal database of the Aruba controller so that the staff would at least have to bring us their new devices before they could get on the network. Functional, but a headache for IT staff.
The goal for ClearPass was to have staff go to a portal page and register their own devices... All of this is working BUT we can't seem to find a way to limit it to one iPhone and one iPad. It seems to see them both as iOS devices and makes no distinction, which really defeats the purpose if someone can add their old AND new iPhone to the system.
Any ideas on how to make this work?
07-14-2014 02:13 PM
1. Onboard the device
2. Pull the information down from an MDM.
CPPM can profile the device and limit by saying you are only allowed 2 iOS devices but it can't tell the type by just the fingerprint. Apple's fingerprint is very limited and you would need an advanced profile from one of the above two to limit type of device.
07-14-2014 02:25 PM
So basically, even though I paid for the product to do a specific purpose (I didn't buy the EVEN MORE EXPENSIVE licenses for onboarding), it won't do the job that I specifically asked for it to do. Sigh... typical sales.
You would think that if this product is designed to simplify the BYOD process... limiting an employee to a single phone might be something that is included in the product.
But alas, this is what I've come to expect from Aruba. I'll call our sales rep and see if we can't get a refund for this expensive waste of money.
07-14-2014 02:26 PM
Oh... and how come the Aruba controller can tell the difference between an iPad and an iPhone? Seems like it's possible, it's just that ClearPass can't do it. And it doesn't seem like that's Apple's fault.
07-14-2014 02:28 PM
There may be a way to do what you're asking but it's sloppy.
The controller can see device type because it is in the datapath and can read the HTTP headers. ClearPass is not an inline device.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
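
The header-based distinction described in the last reply, combined with the one-iPhone-and-one-iPad limit asked for in the first post, as an added example that is not part of the original thread and is not Aruba or ClearPass code. The user names, MAC addresses, User-Agent strings and the `classify` and `register` helpers are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: (user, MAC, HTTP User-Agent seen by an inline device).
SAMPLE_REQUESTS = [
    ("alice", "aa:bb:cc:00:00:01",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2"),
    ("alice", "aa:bb:cc:00:00:02",
     "Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2"),
    ("alice", "aa:bb:cc:00:00:03",   # second phone, old one still registered
     "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1"),
    ("bob", "aa:bb:cc:00:00:04",
     "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"),
]

# Per-employee limits from the original question (assumed policy).
LIMITS = {"iPhone": 1, "iPad": 1}

# The platform token is the first item inside the parentheses of the header.
PLATFORM_RE = re.compile(r"\((iPhone|iPad|iPod)\b")


def classify(user_agent):
    """Return 'iPhone', 'iPad', 'iPod' or 'unknown' from a User-Agent header."""
    match = PLATFORM_RE.search(user_agent)
    return match.group(1) if match else "unknown"


def register(requests, limits=LIMITS):
    """Apply per-user, per-device-type limits; return (mac, type, decision)."""
    registered = defaultdict(lambda: defaultdict(list))  # user -> type -> MACs
    decisions = []
    for user, mac, user_agent in requests:
        kind = classify(user_agent)
        if kind not in limits:
            # No limit defined for this type: hand off to staff, do not guess.
            decisions.append((mac, kind, "manual-review"))
        elif len(registered[user][kind]) < limits[kind]:
            registered[user][kind].append(mac)
            decisions.append((mac, kind, "allow"))
        else:
            decisions.append((mac, kind, "deny"))
    return decisions


if __name__ == "__main__":
    for mac, kind, decision in register(SAMPLE_REQUESTS):
        print(f"{mac}  {kind:8s} {decision}")
```

The User-Agent header is supplied by the client and can be changed, so a limit built on it is a classification hint and not proof of device type.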