Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Easiest way to whitelist devices - CPPM Guest

Hi:

I'm using ClearPass Guest to let students self-register their gaming devices.

Then a policy checks for the string "Gaming Console" in the endpoint_profile_device_category field.

So far, so good.

But there are a number of devices that doesn't account for. Wireless TVs, for example.

 

There aren't so many devices (yet) that it would be a burden to whitelist these manually. What's the best way to do this?

 

I notice a "role_name" field. Can I create custom role names and create a rule in my policy based on that role name?

 

Other ways to accomplish this?

 

Thanks,

Tony

 

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Easiest way to whitelist devices - CPPM Guest

In your enforcement, check the Endpoints Repository category using the Matches Any option and select the appropriate categories.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Easiest way to whitelist devices - CPPM Guest

Hi Tim:

I'm not seeing a matches any option anywhere. Can you provide a screenshot?

 

Also, is it possible to create custom roles?

 

Thanks,

Tony

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Easiest way to whitelist devices - CPPM Guest

Sorry, you'd need to do a custom role and do a role map for this. Then use that role in your enforcement policy.

 

[Screenshot: media-device-role-map.png]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Easiest way to whitelist devices - CPPM Guest

Hi Tim:

Thanks for the reply and the screenshot!

 

My setup looks very much like the one you provided, except I'm only looking for Game Consoles.

I'd like to allow those other device categories on the network (Home Audio/Video, Settop Box).

Are those being profiled automatically, or did you add those manually?

 

I've only seen Game Console show up in my profiled devices.

 

Thanks,

Tony

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Easiest way to whitelist devices - CPPM Guest

Those are built-in profile categories.

 

[Screenshot: appletv-profile.JPG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Easiest way to whitelist devices - CPPM Guest

OK, thanks.

 

So let me revise my question.

I'd like to allow gaming devices, smaht TVs (:-)), etc. on the network.

 

But some gaming consoles, TVs, etc. don't get profiled correctly.

In fact, the fields like endpoint_profile_device_category don't even show up when I look at the device details.

 

What do you do with these devices?

Do you have a process for them to be manually authorized?

Is there a way to manually profile/categorize it as a gaming device, TV, etc.?

 

Thanks,

Tony

 

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Easiest way to whitelist devices - CPPM Guest

Are you requiring the users to register them in MACTrac? If so, the device is then authorized.

 

You can manually change a profile in the endpoint database by selecting an option from the dropdowns of Category, OS Category and Device Name. 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Easiest way to whitelist devices - CPPM Guest

Ah, OK.

I was looking at the device in CPPM Guest.

I see where I can change those properties in CPPM.

 

But now, problem next:

 

When I try to change an endpoint I get the message: No Endpoints are updated. Endpoints which are already profiled only can be updated.

 

Thanks,

Tony

 

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Easiest way to whitelist devices - CPPM Guest

So the devices you are looking at have not been profiled yet?

 

Do you have a DHCP helper address pointed to ClearPass for the appropriate subnets?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480