Clearpass solution question

Hello

We've got a school interested in ClearPass, which has 3 main objectives:

1- Students should be able to self-register devices themselves, and some kind of notification should arrive to the network admin, who should then confirm if they are okay to get in

2- It should be able to identify if the laptops have an antivirus or not (OnGuard module here, I suppose)

3-Smartphones should not be allowed

 

What would be the best approach to do this?

Which modules would fit better?

 

As an additional note, the client does not have an AD for the students, and if it's possible they do not want to have one for them.

 

OnGuard for the antivirus

And Policy Manager

I don't know if Onboard will fit without AD... or maybe we could use the Guest module for this? With self-registering, maybe?

 

Ideas please??

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: Clearpass solution question

1- Students should be able to self-register devices themselves, and some kind of notification should arrive to the network admin, who should then confirm if they are okay to get in

You should be able to do this using Guest / Sponsor approval.

2- It should be able to identify if the laptops have an antivirus or not (OnGuard module here, I suppose)

OnGuard would allow you to determine whether a device has an antivirus or not, but you need to take into consideration what type of agent and how it will be deployed.

3-Smartphones should not be allowed

All you need is to add ClearPass as a relay to do profiling based on device type, and use the endpoint database to then allow access or not depending on whether it is a smartphone or a computer.

 

 

Which modules would fit better?

You will need Guest, Policy Manager and OnGuard for this, or bundle it using Enterprise.

 

As an additional note, the client does not have an AD for the students, and if it's possible they do not want to have one for them.

Are they using 802.1X or just an open SSID ?

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: Clearpass solution question

What type of identity store are they using if not AD? Surely they have something for email and/or computer access?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Clearpass solution question

Those are for the students, for their personal devices... they do not have an email or anything.

They want to control somehow the devices the students are bringing. Right now they are doing it with MAC authentication, and the students have to go to the IT department to add the device to the MAC address table.

As you can see, this takes a lot of time for them. They are looking for a way to speed this up. They also need to check if the computer has an antivirus.

 

ClearPass can do that automatically; with OnGuard, the antivirus check is solved.

 

With the self-registration solved by ClearPass Guest, we still need to know a few things:

 

1- With the MAC caching, can I make the students log in only once and maybe ask them to log in again every month or 3 months, or any time the client wants? They asked me if the student will need to log in each time they access the network. They do not want that.

2- Can I limit the number of devices that one user can have? For example, one random student is allowed to have 2 devices only.

 

 

Finally, I know you come from a large university (how did you guys manage this?). Just a small summary would be good if you can. Maybe you can give me an example of how it's done in big universities.

 

Cheers

Carlos

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: Clearpass solution question

1) Yes, you can set whatever "expiration" time you want.

2) If you have some type of user ID to tie the device to, then yes.

 

At most universities, students can register as many devices as they choose and just log in with their username and password. Very few still require posture checks. Many are doing away with registration for 1X capable devices.

 

In terms of licensing, you are better off doing enterprise licenses than doing Onguard and guest separately.

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Clearpass solution question

Tim

For this point

 

2) If you have some type of user ID to tie the device to, then yes.

 

Can I use the email they use to self-register for this? I mean, for the self-registration they will need an email, which will be their user, and the password will be randomly created.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: Clearpass solution question

Yes, but keep in mind, if they want to register more devices, all they have to do is use another email address.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Clearpass solution question

Keep in mind also that if they register with a new unknown user, IT should know that and will not give him access to that account.  :)

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: Clearpass solution question

Tim

Did you guys also use, or do universities use, ClearPass Guest to do something like this?

 

Or did you guys use Onboard and have the students in an Active Directory or something to work with it? I mean for student personal devices.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: Clearpass solution question

No guest, no onboard. Just standard PEAP username/password authentication. No registration.

The only thing guest was used for was actual campus guests and non-dot1X device registration (Xboxes, media players, printers, etc)

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480