Security

Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Keeping MAC Authenticated Devices off the 802.1x authenticated SSID

I am certain I read once how you can do this but I am unable to find a thread now.
I have a SSID where all of the devices are MAC Authenticated and another SSID on which users are authenticated using 802.1x against our Active Directory.  The MAC Authenticated devices are supposed to be kept on their own SSID but I have users that keep moving to the 802.1x SSID. I need to find a way to prevent a device which has previously been MAC authenticated from being moved from its intended SSID.
I am using ClearPass as my MAC Auth server as well as the RADIUS server for the 802.1x. Is there some way I can build a policy to prevent users from connecting their MAC Auth'd devices?
Thanks in advance

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: Keeping MAC Authenticated Devices off the 802.1x authenticated SSID

What attributes do you have tied to the endpoint record in the endpoints repository? Keep in mind that MAC address can be spoofed and they would still be able to get onto the 802.1X network with valid credentials.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Re: Keeping MAC Authenticated Devices off the 802.1x authenticated SSID

Hi Tim,
When MAC Authenticated devices connect to the correct SSID I am updating the endpoints repository using the "Ownership" attribute. I think the best thing for me to do from there is to create a policy on the 802.1x SSID that denies access to any device with the correct value in the "Ownership" field. In other words, any device which has previously been on the MAC Authenticated SSID will not be permitted on the other SSID. Likewise, if the "Ownership" field is empty, the client device would not be permitted on the MAC Authenticated SSID.
Just wondering if there is a better way, or if this method has any shortcomings.
All of these MAC authenticated devices are smartphones and I wonder if there is a way that I can get the IMEI of the phone into the ClearPass Endpoints Repository other than by means of an MDM Server. If this is possible, I could use the IMEI to create a whitelist. This would be much more difficult to spoof than a MAC address would.
Thanks

MVP
Posts: 754
Registered: ‎03-25-2009

Re: Keeping MAC Authenticated Devices off the 802.1x authenticated SSID

Saving an attribute with the endpoint can work.

If you want to keep ALL smart devices off the dot1x network you can also use the corresponding device category to do this.

Neither is bulletproof.
The best way would be to do machine authentication if all the machines you do allow on the dot1x network can do that. 

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: Keeping MAC Authenticated Devices off the 802.1x authenticated SSID

I wouldn't use the "Ownership" attribute. I would recommend creating your own.
You can then tick that attribute to true when the device authenticates on the 802.1X network. Then for the first rule in your MAC-auth service, check to see if that attribute is true and then take either deny or captive portal enforcement action.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
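The flow Tim describes above (tag the endpoint with a custom attribute when it passes 802.1X, then make the first rule of the MAC-auth service check that attribute and deny or captive-portal the device), written out as a small Python simulation. This is an added illustration, not ClearPass code or any ClearPass API: the endpoint repository, the two services and the attribute name `SeenOn8021X` are all stand-ins constructed for the example, and the rule ordering is the only thing it is meant to show. Koen's caveat applies here too: the record is keyed by MAC, so a device presenting someone else's MAC inherits that MAC's attributes.

```python
"""Simulation of the two-service endpoint-tagging policy from the thread.
Not ClearPass code; every name here is a constructed stand-in."""
import re
from dataclasses import dataclass, field

# Hypothetical custom endpoint attribute (the thread recommends creating your
# own rather than reusing the built-in "Ownership" attribute).
SEEN_ON_DOT1X = "SeenOn8021X"


def normalize_mac(mac: str) -> str:
    """Canonicalise 'AA-BB-CC-00-00-01', 'aabb.cc00.0001', 'aa:bb:..' to one form,
    so every service keys the same endpoint record."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class EndpointRepo:
    """Stand-in for the Endpoints Repository: normalised MAC -> attribute dict."""
    records: dict = field(default_factory=dict)

    def lookup(self, mac: str) -> dict:
        # Read-only: an unknown MAC simply has no attributes.
        return self.records.get(normalize_mac(mac), {})

    def set_attr(self, mac: str, name: str, value) -> None:
        self.records.setdefault(normalize_mac(mac), {})[name] = value


def dot1x_service(repo: EndpointRepo, mac: str, creds_valid: bool) -> str:
    """802.1X service. The AD credential check is assumed to have happened
    already (creds_valid); on success, a post-auth action ticks the attribute."""
    if not creds_valid:
        return "REJECT"
    repo.set_attr(mac, SEEN_ON_DOT1X, True)
    return "ACCEPT"


def mac_auth_service(repo: EndpointRepo, mac: str, known_macs, on_hit: str = "DENY") -> str:
    """MAC-auth service with ordered rules; the first match wins.
    Rule 1 (first, as advised): attribute set -> deny or captive-portal enforcement.
    Rule 2: the MAC must be a pre-registered device.
    Otherwise: accept."""
    if repo.lookup(mac).get(SEEN_ON_DOT1X) is True:
        return on_hit
    registered = {normalize_mac(k) for k in known_macs}
    if normalize_mac(mac) not in registered:
        return "REJECT"
    return "ACCEPT"


def run_scenario() -> list:
    """Constructed walk-through: one registered phone, one unknown device."""
    repo = EndpointRepo()
    known = ["AA:BB:CC:00:00:01"]            # constructed sample registration
    decisions = [
        mac_auth_service(repo, "aa-bb-cc-00-00-01", known),          # registered, untagged
        mac_auth_service(repo, "aa:bb:cc:00:00:99", known),          # never registered
        dot1x_service(repo, "AA:BB:CC:00:00:01", creds_valid=True),  # user joins 802.1X SSID
        mac_auth_service(repo, "aabb.cc00.0001", known),             # now tagged: rule 1 fires
        mac_auth_service(repo, "aa:bb:cc:00:00:01", known,
                         on_hit="CAPTIVE_PORTAL"),                   # same, portal variant
    ]
    return decisions


if __name__ == "__main__":
    for step, decision in enumerate(run_scenario(), 1):
        print(step, decision)
```

The `on_hit` parameter stands in for the choice between a deny and a captive-portal enforcement profile; which one you return is a policy decision, but the rule that checks the attribute has to sit before the registration check, otherwise a tagged but registered device is accepted by the later rule.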