08-26-2015 11:55 AM
I am certain I read once how you can do this but I am unable to find a thread now.
I have an SSID where all of the devices are MAC authenticated and another SSID on which users are authenticated using 802.1X against our Active Directory. The MAC authenticated devices are supposed to be kept on their own SSID, but I have users that keep moving to the 802.1X SSID. I need to find a way to prevent a device which has previously been MAC authenticated from being moved from its intended SSID.
I am using ClearPass as my MAC Auth server as well as the RADIUS server for the 802.1X. Is there some way I can build a policy to prevent users from connecting their MAC Auth'd devices?
Thanks in advance
08-26-2015 11:57 AM
08-28-2015 07:58 AM
When MAC authenticated devices connect to the correct SSID I am updating the endpoints repository using the "Ownership" attribute. I think the best thing for me to do from there is to create a policy on the 802.1X SSID that denies access to any device with the correct value in the "Ownership" field. In other words, any device which has previously been on the MAC authenticated SSID will not be permitted on the other SSID. Likewise, if the "Ownership" field is empty, the client device would not be permitted on the MAC authenticated SSID.
Just wondering if there is a better way, or if this method has any shortcomings.
All of these MAC authenticated devices are smartphones and I wonder if there is a way that I can get the IMEI of the phone into the ClearPass Endpoints Repository other than by means of an MDM server. If this is possible, I could use the IMEI to create a whitelist. This would be much more difficult to spoof than a MAC address would.
08-28-2015 08:27 AM
Saving an attribute with the endpoint can work.
If you want to keep ALL smart devices off the dot1x network you can also use the corresponding device category to do this.
Neither is bulletproof.
The best way would be to do machine authentication if all the machines you do allow on the dot1x network can do that.
08-28-2015 08:31 AM - edited 08-28-2015 08:31 AM
I wouldn't use the "Ownership" attribute. I would recommend creating your own.
You can then tick that attribute to true when the device authenticates on the 802.1X network. Then for the first rule in your MAC-auth service, check to see if that attribute is true and then take either deny or captive portal enforcement action.
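The two-service flow described in this thread, written out as an added example (not ClearPass code, and not from any poster): the MAC-auth service tags the endpoint in the endpoints repository on success, and the first rule of the 802.1X service rejects any endpoint carrying that tag. The custom attribute name `MacAuthDevice`, the in-memory repository and the sample MACs are all constructed for the example.

```python
"""Model of the thread's policy: tag on MAC auth, deny on 802.1X if tagged."""
from dataclasses import dataclass, field

TAG = "MacAuthDevice"  # hypothetical custom endpoint attribute (not a ClearPass built-in)


@dataclass
class Endpoint:
    mac: str
    attributes: dict = field(default_factory=dict)


class EndpointRepository:
    """Stand-in for the ClearPass Endpoints Repository (constructed, in-memory)."""

    def __init__(self):
        self._db = {}
        self.audit = []  # decisions worth alerting on, e.g. a tagged phone on the 802.1X SSID

    def get(self, mac):
        mac = mac.lower()  # normalise so aa:bb.. and AA:BB.. are the same endpoint
        return self._db.setdefault(mac, Endpoint(mac))


def mac_auth_service(repo, mac, allowed_macs):
    """MAC-auth SSID: accept only whitelisted MACs and tag the endpoint on success."""
    ep = repo.get(mac)
    if ep.mac not in allowed_macs:
        return "REJECT"
    ep.attributes[TAG] = "true"  # the post-auth update of the endpoint record
    return "ACCEPT"


def dot1x_service(repo, mac, user_authenticated):
    """802.1X SSID: the first rule checks the tag before the user result is considered.

    This keys on the client MAC, which is why the thread notes it is not bulletproof:
    a device presenting a different MAC is simply an untagged endpoint here.
    """
    ep = repo.get(mac)
    if ep.attributes.get(TAG) == "true":
        repo.audit.append(f"{ep.mac} tagged {TAG} attempted 802.1X SSID")
        return "REJECT"  # or a captive-portal enforcement profile, as the reply suggests
    return "ACCEPT" if user_authenticated else "REJECT"
```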