Occasional Contributor I

How to set up a ClearPass policy to ensure BYOD devices don't get access to internal VLAN

We have a ClearPass deployment where we have an internal VLAN with unlimited access to all RFC1918 addresses and a Guest VLAN which only provides access to the internet. 

 

What we want to do is:

- When a domain joined computer joins the "corp" SSID, the domain joined computer gets assigned the internal VLAN

- When a non-domain joined laptop, phone, tablet owned by an employee joins the "corp" SSID, they get assigned the Guest VLAN, or a different VLAN of our choice.

- People outside the organisation still connect to the Guest SSID and get the Guest VLAN - unchanged

 

We don't want to set up a complicated BYOD configuration, all we want to achieve is the above. What's the simplest most effective way to ensure that if an employee joins their device to the corp SSID that they get assigned a different VLAN? 

 

Guru Elite

Re: How to set up a ClearPass policy to ensure BYOD devices don't get access to internal VLAN

How will you be determining what is a corporate device vs personal?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: How to set up a ClearPass policy to ensure BYOD devices don't get access to internal VLAN

If they have a domain joined machine, we want ClearPass to recognise that it's joined to the domain and assign it the right VLAN. If the user tries to type in their domain\username and password credentials we want to make sure they can't get assigned the unrestricted VLAN. 

Occasional Contributor I

Re: How to set up a ClearPass policy to ensure BYOD devices don't get access to internal VLAN

I am open to any other ideas as well as long as it helps achieve the goal stated.

Re: How to set up a ClearPass policy to ensure BYOD devices don't get access to internal VLAN

One option is doing Machine Authentication, where CPPM will check if the machine is in the domain. In this case, CPPM will tag this authentication with the ROLE "Machine Authenticated". You can use this role in the Enforcement Profile to assign the computer to the internal VLAN. In this case, you have to enable machine authentication in the supplicants.

The other option is to distribute certificates to corporate computers and use them to authenticate corporate devices. You check these certificates in the authentication process and allow them onto the internal VLAN.


Rafael del Cerro Flores
ACMP, ACCP, ACDX#324, ACCX#711
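The decision logic from the reply above, modelled as an added example (this is not ClearPass code and not part of the original thread). The role names "[Machine Authenticated]" and "[User Authenticated]" are the built-in Tips roles ClearPass assigns; the request records, the VLAN IDs, the SSID names and the corporate CA issuer DN are constructed assumptions. The "weak" policy is the configuration the original poster wants to avoid: it keys only on a successful user authentication, so an employee typing domain\username into a personal laptop lands on the internal VLAN. The corrected policy requires either the [Machine Authenticated] role (option 1) or an EAP-TLS client certificate chained to the corporate CA (option 2), and treats everything else on the corp SSID as BYOD.

```python
"""
Model of a ClearPass enforcement decision for domain-joined vs BYOD devices.
Added illustration, not ClearPass's own code. Role names are ClearPass's
built-in Tips roles; everything else here is an assumed value.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumed VLAN IDs and PKI issuer for this illustration.
INTERNAL_VLAN = 10
GUEST_VLAN = 20
CORP_CA_ISSUER = "CN=Corp Issuing CA, O=Example Corp"


@dataclass
class AuthRequest:
    """The subset of a RADIUS/ClearPass request that the policy looks at."""
    ssid: str
    eap_method: str                       # e.g. "PEAP-MSCHAPv2" or "EAP-TLS"
    roles: Set[str] = field(default_factory=set)   # Tips:Role values
    cert_issuer: Optional[str] = None     # Certificate:Issuer-DN (EAP-TLS only)


def weak_policy(req: AuthRequest) -> int:
    """Problem configuration: any successful user auth on the corp SSID gets
    the internal VLAN, so a personal device with domain credentials gets in."""
    if req.ssid == "corp" and "[User Authenticated]" in req.roles:
        return INTERNAL_VLAN
    return GUEST_VLAN


def corrected_policy(req: AuthRequest) -> int:
    """Option 1: the supplicant performed machine authentication, so ClearPass
    tagged the session with [Machine Authenticated]. Option 2: the device
    presented an EAP-TLS certificate issued by the corporate CA. Anything
    else on the corp SSID is treated as BYOD and put on the Guest VLAN."""
    if req.ssid != "corp":
        return GUEST_VLAN                  # Guest SSID is unchanged
    machine_authenticated = "[Machine Authenticated]" in req.roles
    corp_certificate = (
        req.eap_method == "EAP-TLS" and req.cert_issuer == CORP_CA_ISSUER
    )
    if machine_authenticated or corp_certificate:
        return INTERNAL_VLAN
    return GUEST_VLAN


# Constructed sample sessions, one per case from the original question.
SAMPLES = {
    # Domain-joined PC: machine auth at boot, then user auth at logon.
    "domain_pc": AuthRequest("corp", "PEAP-MSCHAPv2",
                             {"[Machine Authenticated]", "[User Authenticated]"}),
    # Employee's personal laptop, typing domain\username and password.
    "byod_domain_creds": AuthRequest("corp", "PEAP-MSCHAPv2",
                                     {"[User Authenticated]"}),
    # Corporate device with a certificate from the corporate PKI.
    "corp_cert": AuthRequest("corp", "EAP-TLS", {"[User Authenticated]"},
                             cert_issuer=CORP_CA_ISSUER),
    # Personal device presenting a certificate from some other issuer.
    "byod_other_cert": AuthRequest("corp", "EAP-TLS", {"[User Authenticated]"},
                                   cert_issuer="CN=Some Public CA"),
    # Visitor on the guest SSID.
    "visitor": AuthRequest("guest", "MAC-AUTH", set()),
}


def evaluate(policy) -> dict:
    """Run every sample through a policy; returns {name: assigned VLAN}."""
    return {name: policy(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, policy in (("weak", weak_policy), ("corrected", corrected_policy)):
        print(name, evaluate(policy))
```

Two caveats for the real deployment. Machine authentication and user authentication arrive at ClearPass as separate sessions (the Windows supplicant does computer auth before logon and user auth after), so the user-auth session only carries [Machine Authenticated] if the service caches the earlier machine-auth result; in ClearPass that is the machine authentication cache setting on the service, and the cache timeout has to outlast the gap between boot and logon. For option 2, checking only that EAP-TLS succeeded is not enough: the policy must also require that the issuer is the corporate CA, otherwise any certificate the RADIUS server's trust list happens to accept would pass.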