Frequent Contributor I
Posts: 76
Registered: ‎12-07-2015

Onboard - Restrict onboard services to only devices in static host list

Hi All,


I'm trying to add a role mapping and enforcement policy to only allow devices on a static host list to onboard.


I'm adding this to the "Onboard Pre-Auth" service that was created via template. My problem is that I can't specify the MAC address from computed data to the static host list.


In access tracker I see:

Application:WebLoginURL:mac98:01:a7:47:cd:c5

However, when adding either a role mapping or enforcement policy, I never see Application:WebLoginURL to choose from (just Application:, Application:ClearPass, and Application:SSO).


Do I have to add in some attributes somewhere to get this to work?


N

Guru Elite
Posts: 8,628
Registered: ‎09-08-2010

Re: Onboard - Restrict onboard services to only devices in static host list

You would need to do this in your Onboard Authorization service instead of pre-auth.

Just curious, why are you using MAC address here? What's to stop me from changing my MAC to Onboard?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 8,628
Registered: ‎09-08-2010

Re: Onboard - Restrict onboard services to only devices in static host list

You would need to change Onboard to use a RADIUS authorization instead of Application.



Just curious, why are you using MAC address here? What's to stop me from changing my MAC to Onboard?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 76
Registered: ‎12-07-2015

Re: Onboard - Restrict onboard services to only devices in static host list

Well I guess you would need to know the mac to change to, but your point stands. Nothing would stop you.


All I'm trying to do is to add some additional security to prevent someone from onboarding an unapproved device and getting onto a corporate SSID. I'm using dual SSID with a register link on the guest captive portal (which is an open-auth SSID). You need to log in with a guest account to provision, but that's only a 6-character PIN.


Do you have any better suggestions?


N


Guru Elite
Posts: 8,628
Registered: ‎09-08-2010

Re: Onboard - Restrict onboard services to only devices in static host list

If that's the security requirement, then that's the way to do it. Just wanted you to be aware that it can easily be spoofed.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 76
Registered: ‎12-07-2015

Re: Onboard - Restrict onboard services to only devices in static host list

When deleting the Onboard cert, how long does it take before the device can no longer connect via TLS? It seems like devices still operate even when removed from Onboard.


Guru Elite
Posts: 8,628
Registered: ‎09-08-2010

Re: Onboard - Restrict onboard services to only devices in static host list

If you have your EAP-TLS method configured for OCSP, the next time it attempts authentication, it should be rejected.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 76
Registered: ‎12-07-2015

Re: Onboard - Restrict onboard services to only devices in static host list

Ah that was it, TAC disabled it the other day. Thanks.


N
