Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Need advice with Onboarding BYOD & Corporate Managed Mobile devices

  • 1.  Need advice with Onboarding BYOD & Corporate Managed Mobile devices

    Posted Dec 17, 2014 11:40 PM

    Hello,

    I have a new Aruba CPPM that is not yet in production and need advice on a deployment strategy.


    I currently have the OnBoard process working properly using EAP-TLS device certificates (using ClearPass as the CA). Any device that has been enrolled and connects to our "onboarded" SSID is getting placed on our guest network by default for internet-only access. However, I would like the ability to perform a CoA on certain devices and place them on a network with more privileges. I don't want to do this on a per-user basis because a user might have a personal iPhone that gets placed on our guest network but a corporate-owned iPad that gets placed on our inside network. Is there a good way to do this using the OnBoard process? Or will we have to do some kind of manual TLS certificate/manual profile install that has some attribute we can filter for in CPPM?


    Any suggestions or ideas you have would be great!



  • 2.  RE: Need advice with Onboarding BYOD & Corporate Managed Mobile devices

    EMPLOYEE
    Posted Dec 18, 2014 12:20 AM
    We need more information.

    How are the corporate devices managed?
    Are byod devices enrolled in an MDM?
    Do you have a corporate asset database?


  • 3.  RE: Need advice with Onboarding BYOD & Corporate Managed Mobile devices

    Posted Dec 18, 2014 01:05 AM
    We don't have any MDM management on these devices or a corporate asset database. The company has bought a lot of these devices but has failed to do any kind of planning on how they were going to manage them. The best we have is Good Messaging, but I don't think any of its MDM features have been turned on. I know that a lot of the personal devices have Good Messaging installed as well. What I don't know for sure is if the Good Messaging admins keep track of the device ownership. I'll have to check.


  • 4.  RE: Need advice with Onboarding BYOD & Corporate Managed Mobile devices

    Posted Dec 18, 2014 07:15 PM

    Hi parentch,


    Another thing you could do is to create a couple of different OnBoard profiles with an additional ClearPass CA. You could have all BYOD devices go to the "standard" OnBoard page / process. You could send the URL of another OnBoard page / process to clients that require elevated privileges. It would work something like the following:


    1. A normal OnBoard device will connect with EAP-TLS

    2. Based on the standard CA, it will be given the current BYOD role

    3. A special BYOD device will connect with EAP-TLS

    4. Based on the special CA, it will be given an elevated role


    You could further lock down the above to only allow a certain LDAP group to go through the process of the special OnBoarding page.


    Just a thought off the top of my head.


    -Mike
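
The two-CA approach in Mike's reply, as an added example that is not part of the thread and is not Aruba or ClearPass code. It is written in Go against the standard library only; the CA names, device names and role names are assumptions, and the LDAP-group gate on the elevated enrollment page is not modelled. What it shows is steps 2 and 4 of his list: the role is decided by which OnBoard CA actually signed the presented EAP-TLS client certificate, established by validating the chain against each CA separately. It also builds a constructed certificate that copies the elevated CA's name into its Issuer field but is signed by an attacker key, and shows it is rejected: an EAP-TLS server validates the chain before any certificate attribute is consulted, so an issuer-name match is only meaningful as a result of that validation against a CA you trust for that tier, never as a string comparison on its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Role and CA names are assumptions for this example; real ClearPass role
// names and OnBoard CA names are site-specific.
const (
	RoleBYOD     = "BYOD-Internet-Only"
	RoleElevated = "Corporate-Elevated"
	Rejected     = "rejected"
)

// must panics on error: this is constructed demo setup, not production issuance code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate template for a CA or for an EAP-TLS client.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// sign issues tmpl under parent with parentKey (self-signed when parentKey is
// nil) and returns the certificate together with the subject's new private key.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func poolOf(ca *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca)
	return p
}

// roleForCert maps a presented client certificate to a role by validating its
// chain against each tier's CA, so the role follows the CA that actually signed
// it. A certificate from no trusted OnBoard CA is rejected.
func roleForCert(cert *x509.Certificate, tiers map[string]*x509.CertPool) string {
	for role, pool := range tiers {
		if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err == nil {
			return role
		}
	}
	return Rejected
}

// scenario builds both CAs, issues one constructed device certificate from each,
// forges a third whose Issuer copies the elevated CA's name but is signed by an
// attacker key, and returns each certificate's role plus the forged issuer CN.
func scenario() (roles map[string]string, forgedIssuerCN string) {
	stdCA, stdKey := sign(template("OnBoard Standard CA", true), nil, nil)
	elevCA, elevKey := sign(template("OnBoard Elevated CA", true), nil, nil)
	tiers := map[string]*x509.CertPool{RoleBYOD: poolOf(stdCA), RoleElevated: poolOf(elevCA)}
	personal, _ := sign(template("personal-iphone", false), stdCA, stdKey)
	corporate, _ := sign(template("corporate-ipad", false), elevCA, elevKey)
	_, attackerKey := sign(template("attacker", true), nil, nil)
	forged, _ := sign(template("rogue-ipad", false), &x509.Certificate{Subject: elevCA.Subject}, attackerKey)
	roles = map[string]string{}
	for name, c := range map[string]*x509.Certificate{"personal": personal, "corporate": corporate, "forged": forged} {
		roles[name] = roleForCert(c, tiers)
	}
	return roles, forged.Issuer.CommonName
}

func main() {
	roles, issuer := scenario()
	fmt.Println("roles by issuing CA:", roles)
	fmt.Println("forged cert claims issuer:", issuer)
}
```

Each tier gets its own trust pool on purpose: putting both CAs into one pool and then reading the issuer attribute would also work after validation, but separate pools make the mapping from CA to role explicit and keep a certificate from the standard CA from ever being evaluated for the elevated role.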