EP
Occasional Contributor II
Posts: 41
Registered: ‎05-05-2013

Controller, Captive Portal, ClearPass, AppleTv Question

Hello's

Here is the situ.

Controller based Environment. Captive portal that uses ClearPass as the AAA server. Users bring their AppleTv's to the environment and associate to this SSID. Here are my challenges/questions.

 

1) Association to the Captive Portal SSID gives you a limited access initial role. We want the AppleTv's to associate to this SSID and immediately transition to the Guest Role.

 

2) To this effect, I thought that I could enable the user population as users of ClearPass. They log in with their AD credentials and Create Device/register their AppleTv's. Once they do this, if the AppleTv associates to the Captive Portal SSID it should immediately transition to the Guest role. A requirement is that I should be able to see that AppleTV "ABC" belongs to user "XYZ." By the user registering the device I can query CP and see who owns the device.

 

Is this possible? I'm getting conflicting responses and all trials have failed on my end.

thanks for your time,

Sky. 

 

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: Controller, Captive Portal, ClearPass, AppleTv Question

Yes you can do this.

 

You'll need to add the "Guest Device Repository" as an authentication source on your guest MAC authentication service and then add a rule to the enforcement policy that returns the correct role for the AppleTV.

 

The username will need to match exactly (including email domain) for users to be able to see their own devices. For example, cappalli and cappalli@brandeis.edu are different usernames and will not be able to see each other's personal devices.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
EP
Occasional Contributor II
Posts: 41
Registered: ‎05-05-2013

Re: Controller, Captive Portal, ClearPass, AppleTv Question

Thanks for your quick response.

 

How do the users register their devices using CP because my problem here is the AppleTV does not have a GUI for the user to enter their username and password. All they can do is associate to the SSID.

 

So my thought was they have to register it by logging into CP as a limited Operator with certain rights. And from your email I'm assuming that by creating this device in CP it should end up in the Guest Device Repository and thus allow the device to transition from initial role to authenticated role.

 

thanks 

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: Controller, Captive Portal, ClearPass, AppleTv Question

They would register the MAC address of the Apple TV using the device registration screen and clicking the "Enable AirGroup" button.

 



Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
EP
Occasional Contributor II
Posts: 41
Registered: ‎05-05-2013

Re: Controller, Captive Portal, ClearPass, AppleTv Question

Tim,

Many thanks for your response. What is confusing about this is Aruba Support told me this was not possible and this after being on the phone with them for hours told me "not doable".

 

If I may ask, what version of CP are you running? I'm running ver 6.3.0.6.0730. When I click on Create Device I don't have the "Enable AirGroup" check. See attached file.

 

 

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: Controller, Captive Portal, ClearPass, AppleTv Question


I'm running 6.3.1.

 

I had that issue on a test system with 6.3.0 where the AirGroup box wasn't there. Contact TAC. 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
EP
Occasional Contributor II
Posts: 41
Registered: ‎05-05-2013

Re: Controller, Captive Portal, ClearPass, AppleTv Question

Tim,

thanks much for your help. I was getting very worried there after my TAC call. I'll call back in and get things sorted out.

thanks again,

Sky.
