MVP
Posts: 1,111
Registered: ‎10-11-2011

Getting Corporate Macbooks on the Network


I have several corporate macbooks that I need to get on our network.  Before owning ClearPass, we would manually generate certificates for devices and import them on the device for EAP-TLS authentication.  Now that we own CP w/onboarding, I think I'd like to onboard the Macbooks.  I want to lock down onboarding to only corporate Macs and only have a few ideas of how to do this:

 

  • Maintain static host list of corporate iPads
  • Enroll the Macs in AirWatch and poll an external context server to verify the device is enrolled and a corporate asset.

 

Just looking to brainstorm here, and get ideas of how others are securely getting corporate macs on their network.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba
Posts: 1,545
Registered: ‎06-12-2012

Re: Getting Corporate Macbooks on the Network

Those are the most common processes. We have also had a few customers:

1. Lock it down so you could onboard only on 1 AP

2. Have an approval process like you would with sponsored guests
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Getting Corporate Macbooks on the Network

Thanks Troy.  Very good ideas.

 

How would you do option #2, though? 

Aruba
Posts: 1,545
Registered: ‎06-12-2012

Re: Getting Corporate Macbooks on the Network

There should be another post on this about a month ago. I'll have to take a look tonight when I get back.

Essentially you will need to set up a sponsor guest setup where the final redirect would end at the onboarding page.
Thank You,
Troy

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Getting Corporate Macbooks on the Network

Cool. Look forward to getting some more info on it.

 

Only one concern about redirecting the user to the onboarding page after sponsor approval. Is it possible to lock down access to the onboarding page?  How would you keep someone from just typing in the name of the onboarding page and onboarding?

Aruba
Posts: 1,545
Registered: ‎06-12-2012

Re: Getting Corporate Macbooks on the Network

Yes, that is the challenge. :)

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-Onboarding-by-IT-admins-only-not-by-employees/m-p/117021/highlight/true#M7701

 

It comes down to how your network is set up; you might have to get creative.

 

I have one customer that has provisioning allowed on one AP and they have the power turned way down so you have to be in the IT office to connect to it.

 

I have another that put in the IP restriction in the weblogin where, when they go through the Self-Reg page, they get a 192. address, and once the user can click the login button they send a CoA and role change to the production VLAN with an allowed IP.

 


 

I guess we should open this up and get some other suggestions, and I will put together a KB and Arubapedia page with options you can choose from.

Thank You,
Troy

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Getting Corporate Macbooks on the Network

Thanks Troy. Getting some really good ideas out of this.

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Getting Corporate Macbooks on the Network

Another issue I'm facing is that several Macs are shared by multiple users.  Currently, they all use one user account on each Mac, but I'd like that policy to change so that each person requires a separate login.  When onboarding, you can make the cert for the user or the system.  It probably makes most sense to install the cert/profile for the user, rather than have a single cert tied to the system.  That being the case, I may have several people logging into multiple Macs, which means each user would need to "onboard" when they log in to a Mac they haven't previously used, right?  If that's the case, is there a way to say for a certain group of people, they're allowed to onboard X number of times rather than use the global onboard limit?

Aruba
Posts: 1,545
Registered: ‎06-12-2012

Re: Getting Corporate Macbooks on the Network

Send you a PM on this one

Thank You,
Troy
