Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to check for domain joined machine?

  • 1.  How to check for domain joined machine?

    Posted Aug 06, 2015 02:26 AM

    Hi Forum,


    Great stuff here and always learning new things. 

    I have a new question that I was thinking of: I want to ask how I can have ClearPass check if a PC is domain joined or not, so I can allow or limit access. And if this is possible, what is the solution for MacOS?


    Thanks in advance,



  • 2.  RE: How to check for domain joined machine?

    Posted Aug 06, 2015 03:03 AM

    Actually, can I use this method? http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-MACHINE-AND-USER-AUTHENTICATION-IN-WINDOWS-WITH-CLEARPASS/td-p/227580


    And if so, what about MacOS? How do I check if a device is domain joined/company issued, without a pre-filled list of company-issued devices from IT/logistics?



  • 3.  RE: How to check for domain joined machine?
    Best Answer

    EMPLOYEE
    Posted Aug 06, 2015 09:16 AM

    A couple of points: most domain-joined Windows computers will process user AND machine authentication into ClearPass. Using the tags/roles [User Authenticated] and [Machine Authenticated], you can then define that if BOTH exist, then send back the appropriate action/role/VLAN/etc.


    For OS X, you can join them to the domain, or use an alternate method like:


    1. Have a static host list for these MAC addresses.

    2. Add in an SQL auth source and use it as an Authorization source in the service to query the endpoint's MAC, and if it exists, then take the same action as you would if Machine Auth were present.

    3. Use Profiler and write a policy to say IF it's OS X AND some other attribute like Hostname CONTAINS <value>.

    4. Leverage MDM context IF you have one deployed for OS X.

    5. Create and tag these OS X machines with a custom attribute like "Corporate Owned" and then use the presence of that attribute to derive context.
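To make the role logic in this answer concrete, here is an added Python model (not ClearPass code and not from the answer's author) that walks through the decision it describes: the [Machine Authenticated] and [User Authenticated] tags for Windows, and the static-host-list, hostname and "Corporate Owned" attribute alternatives for OS X. The request fields, the per-MAC machine-authentication cache, the VLAN names, the sample MAC addresses and the hostname substring are all assumptions constructed for the example.

```python
"""Toy model of the ClearPass enforcement logic from the best answer.

Constructed example. Tag names mirror the thread; the AuthRequest fields,
the static host list, VLAN labels and sample events are assumptions.
"""
from dataclasses import dataclass, field
import re

MACHINE_AUTHENTICATED = "[Machine Authenticated]"
USER_AUTHENTICATED = "[User Authenticated]"
CORPORATE_OWNED = "Corporate Owned"          # custom endpoint attribute (option 5)


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits so 'AA-BB..' and 'aa:bb..' match."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


# Option 1: static host list of corporate-issued OS X machines (constructed MAC).
STATIC_HOST_LIST = {normalize_mac("A4:5E:60:11:22:33")}


@dataclass
class AuthRequest:
    username: str                    # "host/<name>" marks a Windows machine account
    mac: str                         # calling-station MAC in any common format
    os_family: str = "Unknown"       # what Profiler reports, e.g. "Windows", "OS X"
    hostname: str = ""               # Profiler hostname attribute (option 3)
    endpoint_attrs: dict = field(default_factory=dict)   # custom attributes (option 5)


def is_machine_account(username: str) -> bool:
    """Windows machine authentication presents the computer account as host/<fqdn>."""
    return username.lower().startswith("host/")


def derive_roles(req: AuthRequest, machine_auth_cache: set) -> set:
    """Assign the thread's tags/roles to one request.

    machine_auth_cache models per-MAC state: a successful machine auth is
    remembered so that the later user auth from the same endpoint also
    receives [Machine Authenticated] (assumption about the caching behaviour).
    """
    roles = set()
    mac = normalize_mac(req.mac)
    if is_machine_account(req.username):
        machine_auth_cache.add(mac)
        roles.add(MACHINE_AUTHENTICATED)
    else:
        roles.add(USER_AUTHENTICATED)
        if mac in machine_auth_cache:
            roles.add(MACHINE_AUTHENTICATED)
    # OS X alternatives: static host list, hostname pattern, custom attribute.
    if req.os_family == "OS X" and (
        mac in STATIC_HOST_LIST
        or "corp-mbp" in req.hostname.lower()
        or req.endpoint_attrs.get(CORPORATE_OWNED) == "true"
    ):
        roles.add(CORPORATE_OWNED)
    return roles


def enforce(roles: set) -> str:
    """Map the derived roles to an enforcement result (labels are assumptions)."""
    corporate_device = MACHINE_AUTHENTICATED in roles or CORPORATE_OWNED in roles
    if USER_AUTHENTICATED in roles and corporate_device:
        return "VLAN 10 (corporate)"
    if USER_AUTHENTICATED in roles:
        return "VLAN 20 (restricted, user-only)"
    if MACHINE_AUTHENTICATED in roles:
        return "VLAN 30 (machine-only, pre-logon)"
    return "reject"


def run(requests) -> list:
    """Process requests in order, sharing one machine-auth cache."""
    cache = set()
    return [enforce(derive_roles(r, cache)) for r in requests]


# Constructed sequence: Windows machine auth, then its user; a BYOD Windows
# user; a corporate Mac from the static list; a personal Mac.
SAMPLE_REQUESTS = [
    AuthRequest("host/LAPTOP01.corp.example", "00-11-22-33-44-55", "Windows"),
    AuthRequest("CORP\\alice", "00:11:22:33:44:55", "Windows"),
    AuthRequest("CORP\\bob", "66:77:88:99:AA:BB", "Windows"),
    AuthRequest("CORP\\carol", "a4:5e:60:11:22:33", "OS X", hostname="corp-mbp-07"),
    AuthRequest("CORP\\dave", "de:ad:be:ef:00:01", "OS X", hostname="daves-mbp"),
]

if __name__ == "__main__":
    for req, result in zip(SAMPLE_REQUESTS, run(SAMPLE_REQUESTS)):
        print(f"{req.username:32} {req.mac:18} -> {result}")
```

The point the model makes visible is that "user authenticated" on its own never yields the corporate result: the user's session only gets full access when the same endpoint MAC was seen machine-authenticating earlier, or when one of the OS X ownership signals is present, which is why the hostname-substring and custom-attribute checks are weaker evidence than a machine account and deserve tighter scoping in a real policy.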



  • 4.  RE: How to check for domain joined machine?

    Posted Aug 07, 2015 01:14 AM

    Thank you Seth,


    I will test option number 4 and see if it works fine.


    Thanks again.