Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Implementation question - blocking end-point vendors

Hello,

 

We are interested in blocking ALL smartphones from our wifi solution.

What I have done is the following:

I have added the following under services-->enfo.

 

This is working now and blocked Samsung S3 and Apple devices.

Is this a good way to implement this, or should I use Profiler or a different option? I have a full ClearPass license.

Any suggestions will be gladly appreciated.

 

3. (Connection:Client-Mac-Vendor EQUALS Murata Manufacturing Co., Ltd.) [Deny Access Profile]
4. (Connection:Client-Mac-Vendor EQUALS Apple, Inc.) [Deny Access Profile]

MVP
Posts: 1,405
Registered: ‎11-30-2011

Re: Implementation question - blocking end-point vendors

See the question I asked in your other thread.

Personally I would go with ClearPass profile if you can. It gives more granularity, i.e. it can differentiate between iPads and iPhones, I believe.

Guru Elite
Posts: 20,417
Registered: ‎03-29-2007

Re: Implementation question - blocking end-point vendors

In Role Mapping, try this:

 

Authorization:Endpoints Repository Category Equals SmartDevice



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: Implementation question - blocking end-point vendors

I tried it but it doesn't seem to work.

If I go to identity --> end point I can see my client MAC address with profiled no, status unknown.

 

Guru Elite
Posts: 20,417
Registered: ‎03-29-2007

Re: Implementation question - blocking end-point vendors

Do you have a helper address on your wireless subnet pointing to cppm so your devices can be profiled?


Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: Implementation question - blocking end-point vendors

I also tried this role but I can still authenticate and connect.

(Authorization:[Endpoints Repository]:Device Name CONTAINS Android) Block_Devices

Guru Elite
Posts: 20,417
Registered: ‎03-29-2007

Re: Implementation question - blocking end-point vendors

Your endpoints repository only has basic information about your devices.  To get more information, you need to put an additional helper address on your wireless subnet to point to CPPM to collect that additional information and insert it into the Endpoints repository.  It will then be able to better classify those devices with more parameters, rather than just by mac address.

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: Implementation question - blocking end-point vendors

Can you elaborate on "To get more information, you need to put an additional helper address on your wireless subnet to point to CPPM to collect that additional information and insert it into the Endpoints repository"?

What are the steps? Is there a manual for this?

 

Guru Elite
Posts: 20,417
Registered: ‎03-29-2007

Re: Implementation question - blocking end-point vendors

Do you have the profiler license? If you do, please search the user guide for profiler to ensure it is enabled.

If you do not, ignore what I said.


Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

Re: Implementation question - blocking end-point vendors

Profiler is enabled as an evaluation license in the product.

But the endpoint mapping is empty; my phone was not categorized, not profiled or detected as Android, while other PCs are listed OK in the endpoints list.

 
