12-17-2014 08:39 PM
I have a new Aruba CPPM that is not yet in production and need advice on a deployment strategy.
I currently have the OnBoard process working properly using EAP-TLS device certificates (using the ClearPass as the CA). Any device that has been enrolled and connects to our "onboarded" SSID is getting placed on our guest network by default for internet-only access. However, I would like the ability to perform a COA on certain devices and place them on a network with more privileges. I don't want to do this on a per-user basis because a user might have a personal iPhone that gets placed on our guest network but a corporate-owned iPad that gets placed on our inside network. Is there a good way to do this using the Onboard process? Or will we have to do some kind of manual TLS certificates/manual profile install that has some attribute that we can filter for in CPPM?
Any suggestions or ideas you have would be great!
12-17-2014 09:19 PM
How are the corporate devices managed?
Are byod devices enrolled in an MDM?
Do you have a corporate asset database?
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
12-17-2014 10:04 PM
12-18-2014 04:15 PM
Another thing you could do is to create a couple of different OnBoard profiles with an additional ClearPass CA. You could have all BYOD devices go to the "standard" OnBoard page / process. You could send the URL of another OnBoard page / process to clients that require elevated privileges. It would work something like the following:
1. A normal OnBoard device will connect with EAP-TLS
2. Based on the standard CA, it will be given the current BYOD role
3. A special BYOD device will connect with EAP-TLS
4. Based on the special CA, it will be given an elevated role
You could further lock down the above to only allow a certain LDAP Group access to go through the process of the special OnBoarding page.
Just a thought off the top of my head.
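
The two-CA role split suggested in the post above, as an added example that is not part of the original thread and is not ClearPass configuration: it uses the `openssl` CLI to show the decision being made on which CA the device certificate actually verifies against, so a certificate from a CA that merely carries the same name earns no role. All CA names, device names and role names here are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Added illustration; all CA and device names below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca FILE_NAME COMMON_NAME: create a throwaway self-signed CA
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA_FILE_NAME DEVICE_NAME: sign a device certificate with that CA
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# role_for_cert CERT_PATH: print the role earned by the verified issuing CA
role_for_cert() {
  if openssl verify -CAfile "$WORK/special.pem" "$1" >/dev/null 2>&1; then
    echo elevated
  elif openssl verify -CAfile "$WORK/standard.pem" "$1" >/dev/null 2>&1; then
    echo byod
  else
    echo deny
  fi
}

make_ca standard  "Onboard Standard CA"
make_ca special   "Onboard Special CA"
make_ca lookalike "Onboard Special CA"   # same name as the special CA, different key

issue_cert standard  personal-iphone
issue_cert special   corp-ipad
issue_cert lookalike unknown-device

for dev in personal-iphone corp-ipad unknown-device; do
  echo "$dev -> $(role_for_cert "$WORK/$dev.pem")"
done
```
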