Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Dual authentication user id and mac address

  • 1.  Dual authentication user id and mac address

    Posted Mar 31, 2017 10:26 AM

    We have a requirement where only trusted mobile devices should be allowed into the network. The Wi-Fi username and password, along with the MAC address, should be verified. The Wi-Fi username is tied to a particular MAC address. The same Wi-Fi user ID cannot be used on other personal mobiles or on trusted devices not allocated to him.

    For eg,

    Wifiuser1 is associated with mac1. Wifiuser1 can only log into the mobile device with the MAC address mac1. He cannot log into other mobile devices.

    How do we do the dual verification (username with password, MAC address) in CPPM? I can pass the MAC address over the Calling-Station-Id and verify it against the MAC address database. However, that will allow the user to log into any trusted device.



  • 2.  RE: Dual authentication user id and mac address

    EMPLOYEE
    Posted Mar 31, 2017 10:29 AM

    You should consider using certificate-based authentication. Using a MAC address for secure authentication is a very bad idea.



  • 3.  RE: Dual authentication user id and mac address

    Posted Apr 06, 2017 11:38 AM

    Can I combine user + MAC address authentication for a system? For eg, user1 can log in only to the system with MAC address1. User1 should not be able to log into the Wi-Fi from any of the other systems, which have MAC address mac2 or mac3 or something else.

    We don't have a centralized PKI in the network. Hence, we don't want to do that.



  • 4.  RE: Dual authentication user id and mac address

    EMPLOYEE
    Posted Apr 06, 2017 11:43 AM

    The MAC address can be used as part of authorization after successful user authentication.

    You can register devices via Device Registration portal and add the authorized user as the “sponsor”. Then do a compare during authorization.


  • 5.  RE: Dual authentication user id and mac address

    Posted Apr 06, 2017 01:04 PM

    We need a user-to-MAC-address mapping such that a user (user1) can use only one machine address (mac1).

    If we implement it the way you mentioned, there will be a pool of MAC addresses in the database, and any user can log into any device.

    We want to lock the user to only the one device he is assigned to use.


  • 6.  RE: Dual authentication user id and mac address

    EMPLOYEE
    Posted Apr 06, 2017 01:08 PM

    No. Like I mentioned, you’d put the “authorized” user as the sponsor name and then in your policies, you’d verify that the authenticating username matches the device record.

    Just a heads up, all of this can be easily spoofed by any user. You should consider using certificates.


  • 7.  RE: Dual authentication user id and mac address

    Posted Mar 31, 2017 05:51 PM

    Are the mobile devices smartphones and tablets, or laptops? If they are smartphones and tablets, then follow what @cappalli recommends! If they are laptops that are joined to a domain, there might be a way to tie a laptop to a specific user.


  • 8.  RE: Dual authentication user id and mac address

    Posted Apr 10, 2017 03:06 AM

    Hi Arubabeginner,

    Yes, this is possible. You need to add the Endpoints Repository (local SQL DB) as an authorization source, and the policy condition is as below:

    Type : Endpoint

    Name : Username

    Operator : Equals

    Value : %{Authentication:Username}

    and assign the desired enforcement profile.

    You can validate which username is bound to a MAC address in the Endpoints Repository by just clicking on one of the listed MAC addresses. It will show you the bound username (attribute) for that MAC address.

    Regards,

    Milind Yashwantrao



  • 9.  RE: Dual authentication user id and mac address

    EMPLOYEE
    Posted Apr 10, 2017 07:25 AM

    It's recommended to use the Device Registration portal, not the endpoint repository...



  • 10.  RE: Dual authentication user id and mac address

    Posted Apr 11, 2017 12:54 AM

    Hi Cappalli,

    If we use the device registration portal (I assume the guest device repository), then the user can authenticate using any MAC address available in the guest device repository, but Arubabeginner has already stated his requirement with the example below:

    For eg,

    Wifiuser1 is associated with mac1. Wifiuser1 can only log into the mobile device with the MAC address mac1. He cannot log into other mobile devices.

    I found the easiest way to achieve this requirement is to use the Endpoints Repository.

    Steps as below:

    1) Create an enforcement profile with ClearPass Entity Update enforcement.

    The enforcement profile name is Endpoint_Username_Update

    Type : Endpoint

    Name : Username

    Value : %{Authentication:Username}

    Then create the policy conditions as below:

    1) (Authorization:[Endpoints Repository]:MAC Vendor  NOT_EXISTS   ) 

    Enforcement Profile : [Aruba Terminate Session], Endpoint_Username_Update

    With the above condition, the client username/ID will be added to the Endpoints Repository with the associated MAC address after the first successful authentication, and the client will automatically disconnect and connect again because of the Aruba Terminate Session enforcement profile. This time the condition below will be applied to the client, as the first condition will no longer match.

    2) (Endpoint:Username  EQUALS  %{Authentication:Username}) 

    Enforcement Profile : [Allow Access Profile] 

    With the above condition, Wifiuser1 is associated with mac1. Wifiuser1 can only log into the mobile device with the MAC address mac1. He cannot log into other mobile devices.

    Regards,

    Milind Yashwantrao
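The following is an added illustration, not ClearPass code and not part of any post in this thread. It models the policy logic from posts 8 and 10 as plain Python so the sequence of outcomes can be traced: the first authentication from an unseen MAC binds the authenticating username to that endpoint and terminates the session; the reconnect then passes the `Endpoint:Username EQUALS %{Authentication:Username}` check; a different user on the same MAC falls through to deny. The same equality check is what the employee replies describe with the registration sponsor attribute in place of the endpoint `Username` attribute. The `EndpointsRepository` class, `evaluate` and `normalize_mac` functions, the default deny profile name and the sample MAC addresses are all assumptions made for the example.

```python
"""Toy model of the ClearPass enforcement policy described in posts 8 and 10:
bind a username to the MAC address that first authenticates with it, then
allow a user only on the MAC bound to that username.

Added illustration, not ClearPass code. The repository class, function names,
MAC normalisation and the default-deny profile name are assumed.
"""
from dataclasses import dataclass, field

# Enforcement profile names quoted in the thread.
TERMINATE_SESSION = "[Aruba Terminate Session]"
ENDPOINT_USERNAME_UPDATE = "Endpoint_Username_Update"
ALLOW_ACCESS = "[Allow Access Profile]"
# Assumed: what the policy's default rule returns when nothing matches.
DENY_ACCESS = "[Deny Access Profile]"


def normalize_mac(calling_station_id: str) -> str:
    """RADIUS Calling-Station-Id arrives in several formats
    (AA-BB-CC-..., aa:bb:cc:...); key the repository on a canonical form."""
    return calling_station_id.lower().replace(":", "").replace("-", "")


@dataclass
class EndpointsRepository:
    """Stand-in for the ClearPass Endpoints Repository: MAC -> attributes."""
    records: dict = field(default_factory=dict)

    def exists(self, mac: str) -> bool:
        return mac in self.records

    def username(self, mac: str):
        return self.records.get(mac, {}).get("Username")

    def set_username(self, mac: str, username: str) -> None:
        # Models the 'ClearPass Entity Update' enforcement from post 10
        # (Type: Endpoint, Name: Username, Value: %{Authentication:Username}).
        self.records.setdefault(mac, {})["Username"] = username


def evaluate(repo: EndpointsRepository, auth_username: str,
             calling_station_id: str) -> list:
    """Return the enforcement profiles for one successfully authenticated
    request, applying the two rules from post 10 in order."""
    mac = normalize_mac(calling_station_id)

    # Rule 1: no endpoint record yet. Post 10 expresses this as
    # 'Authorization:[Endpoints Repository]:MAC Vendor NOT_EXISTS'; here the
    # absence of any record for the MAC stands in for that condition.
    if not repo.exists(mac):
        repo.set_username(mac, auth_username)
        return [TERMINATE_SESSION, ENDPOINT_USERNAME_UPDATE]

    # Rule 2: Endpoint:Username EQUALS %{Authentication:Username}.
    if repo.username(mac) == auth_username:
        return [ALLOW_ACCESS]

    # No rule matched: this user is bound to a different device.
    return [DENY_ACCESS]


def run_scenario(repo: EndpointsRepository, attempts):
    """Evaluate a sequence of (username, Calling-Station-Id) attempts."""
    return [(user, csid, evaluate(repo, user, csid)) for user, csid in attempts]


if __name__ == "__main__":
    # Constructed sample attempts; the MAC addresses are made up.
    attempts = [
        ("wifiuser1", "AA:BB:CC:11:22:01"),  # first sight: bind + terminate
        ("wifiuser1", "aa-bb-cc-11-22-01"),  # reconnect: allowed
        ("wifiuser2", "aabbcc112201"),       # another user on mac1: denied
        ("wifiuser1", "aabbcc112202"),       # never-seen MAC: bound to wifiuser1
    ]
    for user, csid, profiles in run_scenario(EndpointsRepository(), attempts):
        print(f"{user:10} {csid:18} -> {profiles}")
```

The fourth attempt is the case worth checking before deploying this: with rule 1 written as "no record yet", an unseen MAC is bound to whoever authenticates on it first, so a user can acquire a second device simply by being the first to connect from it. Restricting users to one device therefore depends on endpoint or registration records existing before the user's first connection, and, as post 6 notes, the MAC in Calling-Station-Id is client-supplied and easily spoofed, so this check is an authorization aid rather than a proof of device identity.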



  • 11.  RE: Dual authentication user id and mac address

    EMPLOYEE
    Posted Apr 11, 2017 06:36 AM

    No. Like I mentioned, you would compare the MAC address to the device sponsor and ensure they match...


  • 13.  RE: Dual authentication user id and mac address

    Posted Apr 11, 2017 07:11 AM

    "you would compare the MAC address to the device sponsor and ensure they match" 

    Do you mean the MAC address match refers to the endpoint repository or the guest repository?

    What are you considering as the device sponsor?

    Regarding the username and MAC address binding, I have already tested it and provided a use case in my earlier post.

    Regards,

    Milind Yashwantrao



  • 14.  RE: Dual authentication user id and mac address

    EMPLOYEE
    Posted Apr 11, 2017 08:36 AM

    Every device registration has a sponsor/owner.

    Like I said, it's recommended to use the device registration workflow instead of manually changing attributes in the endpoints repository. What you said will work, but I was answering the OP's question with a more flexible and dynamic workflow.



  • 15.  RE: Dual authentication user id and mac address

    Posted Apr 12, 2017 01:18 AM

    I am not changing the attributes manually in the Endpoints Repository, as they are added automatically after the first successful authentication.

    It seems the device registration option is better, but I am not getting how we can bind a specific MAC to a specific AD user.

    I think I need to add a device name filter in the guest device repository and then use that attribute to bind the MAC address.

    Please help me to understand the same.

    Regards,

    Milind Yashwantrao