08-05-2015 11:25 PM
Great stuff here and always learning new things.
I have a new question that I was thinking of: how can I have ClearPass check if a PC is domain joined or not, so I can allow or limit access? And if this is possible, what is the solution for MacOS?
Thanks in advance,
08-06-2015 12:03 AM
And if so, what about MacOS? How do I check if a device is domain joined/company issued, without a pre-filled list of company issued devices from IT/logistics?
08-06-2015 06:16 AM
A couple of points: most domain-joined Windows computers will process user AND machine authentication into ClearPass. Using the tags/roles [User Authenticated] and [Machine Authenticated], you can then define that if BOTH exist, then send back the appropriate action/role/VLAN/etc.
For OS X, you can join them to the domain, or use an alternate method like:
1. Have a static host list for these MAC addresses
2. Add in an SQL auth source and use it as an Authorization source in the service to query the endpoint's MAC and if it exists, then take the same action like you would if Machine Auth were present
3. Use profiler and write a policy to say IF it's OS X AND some other attribute like Hostname CONTAINS <value>
4. Leverage MDM context IF you have one deployed for OS X
5. Create and tag these OS X machines with a custom attribute like "Corporate Owned" and then use the presence of that attribute to derive context
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos
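The decision logic from the answer above, modelled in Python as an added example; it is not part of the original post and is not ClearPass configuration syntax. The two role names come from the answer; the endpoint keys, the `CORP-` hostname value, the VLAN names and the sample MACs are assumptions made for illustration, and option 4 (MDM context) is left out.

```python
import re

# Role names are from the answer; everything else is a hypothetical model.
USER_AUTH = "[User Authenticated]"
MACHINE_AUTH = "[Machine Authenticated]"

# Constructed sample inventory (options 1 and 2), stored in mixed notations.
CORPORATE_MACS = {"00:11:22:AA:BB:CC", "0011.22aa.bbdd"}


def normalize_mac(mac):
    """Reduce common MAC notations to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[-:.]", "", mac or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


INVENTORY = {normalize_mac(m) for m in CORPORATE_MACS}


def is_corporate(roles, endpoint):
    """Return why the device counts as company issued, or None."""
    # Windows path: both user and machine authentication succeeded.
    if USER_AUTH in roles and MACHINE_AUTH in roles:
        return "machine+user auth"
    # Option 5: custom endpoint attribute set by IT.
    if endpoint.get("Corporate Owned") == "true":
        return "custom attribute"
    # Options 1 and 2: MAC found in the static list or SQL table.
    # The MAC is reported by the client, so this is a weaker signal
    # than machine authentication.
    mac = normalize_mac(endpoint.get("mac"))
    if mac and mac in INVENTORY:
        return "inventory MAC"
    # Option 3: profiled as OS X AND hostname CONTAINS <value>.
    if (endpoint.get("os_family") == "Mac OS X"
            and "CORP-" in endpoint.get("hostname", "").upper()):
        return "profile+hostname"
    return None


def enforcement(roles, endpoint):
    """Full access for corporate devices, limited access for user-only auth."""
    if is_corporate(roles, endpoint):
        return "corporate-vlan"
    return "limited-vlan" if USER_AUTH in roles else "deny"
```

Normalizing the MAC before comparison matters because a static list or SQL table that stores one notation will silently miss a client reported in another.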