Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How can I block Linux/Unix Computers

  • 1.  How can I block Linux/Unix Computers

    Posted Sep 05, 2018 12:06 PM

    What is the simplest way to set up a configuration in ClearPass to block Linux and Unix OS machines from connecting to our 802.1X SSID? Currently we use CPPM to do machine and user auth and assign roles and VLAN steering accordingly based on AD user and machine auth.



  • 2.  RE: How can I block Linux/Unix Computers

    EMPLOYEE
    Posted Sep 05, 2018 12:50 PM
    Hi

    If you make sure that you do DHCP profiling, then ClearPass knows the OS and you can block on that.

    Set up the first rule in the enforcement to deny access to Linux OS.



  • 3.  RE: How can I block Linux/Unix Computers

    Posted Sep 05, 2018 01:29 PM
    If the requirement is that only users with domain laptops can connect, then you can create a policy that only allows [machine authenticated] + [user authenticated] = allow access, and the rest will be denied by the default profile applied under the policy.

    Another method you can use to deny access is to use the profiling data in the endpoint database and add it in your enforcement policy: Endpoint > OS Family = Linux > Deny Access



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 4.  RE: How can I block Linux/Unix Computers

    Posted Sep 05, 2018 01:49 PM

    So that's exactly what I did. I created a Role Mapping policy for Endpoint OS Type Contains Linux or Radius:Aruba-Aruba-Device-Type Contains Linux. I did not, however, set an enforcement policy for it yet because I want to see what devices it role maps, and it seems to catch Android tablet/phone devices as well. Those devices are approved, Linux/Unix laptops are not. How can I exclude the Android devices from getting this role applied to them?

     



  • 5.  RE: How can I block Linux/Unix Computers

    EMPLOYEE
    Posted Sep 05, 2018 02:01 PM
    Hi

    Include device category computer in the enforcement. Android devices are profiled as smart devices, not computers.

    Hope it helps.



  • 6.  RE: How can I block Linux/Unix Computers

    Posted Sep 05, 2018 02:04 PM

    You mean Device Type, correct, when creating the Mapping Rule?



  • 7.  RE: How can I block Linux/Unix Computers

    Posted Sep 05, 2018 02:08 PM

    cppm-rolemapping.JPG

     

     



  • 8.  RE: How can I block Linux/Unix Computers

    EMPLOYEE
    Posted Sep 05, 2018 02:30 PM
    hi

    Use this one: Authorization:[Endpoints Repository]:Category CONTAINS Computer, and make sure you add the Endpoint Repository as an authorization source in the service.

    As Victor explained: http://community.arubanetworks.com/t5/Security/Enforcement-profiles-based-on-device-category/m-p/288983#M30442



  • 9.  RE: How can I block Linux/Unix Computers

    Posted Sep 05, 2018 03:03 PM

    Here is the adjusted rule



  • 10.  RE: How can I block Linux/Unix Computers
    Best Answer

    EMPLOYEE
    Posted Sep 05, 2018 03:45 PM

    hi

     

    I would not use the Radius part and replace it with:

     

    Authorization:[Endpoints Repository]OS Family equals linux

     

    And make sure the endpoints repository is an authorization source

    Schermafbeelding 2018-09-05 om 21.48.56.png

     

    Hope it helps
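
Added example, not part of the thread and not ClearPass code or its API: a small Python model of the rule logic discussed above, showing why a single substring match on "Linux" also tags Android devices, while OS Family equals Linux combined with Category contains Computer does not. The role names, the sample endpoint attribute values (including an Android OS type string that contains "Linux") and the first-match evaluation order are assumptions made for illustration.

```python
# Toy model of the role-mapping rules from the thread. Not ClearPass code.
# All attribute values and role names below are constructed for illustration.

OPS = {
    "EQUALS": lambda actual, want: actual == want,
    "CONTAINS": lambda actual, want: want in actual,
}

def matches(rule, endpoint):
    """A rule matches only when ALL of its conditions hold (logical AND).
    In this model a missing attribute is an empty string and matches nothing."""
    return all(OPS[op](endpoint.get(attr, ""), want)
               for attr, op, want in rule["conditions"])

def assign_role(rules, endpoint, default="no-role"):
    """First matching rule decides the role (assumed evaluation order)."""
    for rule in rules:
        if matches(rule, endpoint):
            return rule["role"]
    return default

# Broad rule, as first tried in the thread: one substring match.
BROAD = [{"role": "linux-block",
          "conditions": [("OS Type", "CONTAINS", "Linux")]}]

# Narrowed rule, as suggested in the replies: OS family AND device category.
NARROW = [{"role": "linux-block",
           "conditions": [("OS Family", "EQUALS", "Linux"),
                          ("Category", "CONTAINS", "Computer")]}]

# Constructed endpoint profiles (assumed values, not real profiler output).
ENDPOINTS = {
    "linux-laptop": {"Category": "Computer", "OS Family": "Linux",
                     "OS Type": "Ubuntu Linux"},
    "android-phone": {"Category": "SmartDevice", "OS Family": "Android",
                      "OS Type": "Android (Linux kernel)"},
    "windows-laptop": {"Category": "Computer", "OS Family": "Windows",
                       "OS Type": "Windows 10"},
    "unprofiled": {},  # no profiling data collected yet
}

def roles_for(rules):
    """Return {endpoint name: assigned role} for every sample endpoint."""
    return {name: assign_role(rules, ep) for name, ep in ENDPOINTS.items()}

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("narrow", NARROW)):
        print(label, roles_for(rules))
```

The unprofiled sample matches neither rule, so a deny rule keyed on profile attributes only applies to endpoints that already have profile data; in this model, the strict allow policy described in post 3 is what covers devices without it.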