Contributor II
Posts: 125
Registered: ‎05-19-2013

Onboard limit per user based on group

Hi,

I am planning to limit onboarding of devices based on groups. We have only one group now, and users who are part of the group can onboard an unlimited number of devices.

Now I want to segregate top management and employees. For top management I want to allow unlimited onboarding, and for employees I want to limit it to only 1.

In the Onboard Authorization service, I understood that based on role derivation of the employee group we can apply an enforcement profile Onboard Limit 1 with the attribute max-mdps-devices = 1. Is that enough, or is any more configuration needed to stop employees from onboarding more than 1?

In provisioning settings, max devices is set to 0 (unlimited).

Thanks

Sri

Guru Elite
Posts: 21,530
Registered: ‎03-29-2007

Re: Onboard limit per user based on group

That is enough. That RADIUS attribute will override the general settings for an individual user.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: Onboard limit per user based on group

I have a doubt here.

How does this RADIUS attribute stop the user from onboarding the 2nd device? Will it check the Onboard repository for the owner name?

If a user brings in a 2nd device and wants to onboard the 2nd device by removing access to the 1st device, do I have to revoke the certificate or delete the device from the Onboard repository?

Guru Elite
Posts: 21,530
Registered: ‎03-29-2007

Re: Onboard limit per user based on group


srikanthsoogoor wrote:

I have a doubt here.

How does this RADIUS attribute stop the user from onboarding the 2nd device? Will it check the Onboard repository for the owner name?

If a user brings in a 2nd device and wants to onboard the 2nd device by removing access to the 1st device, do I have to revoke the certificate or delete the device from the Onboard repository?


All the RADIUS attribute does is set a limit for that particular username in Onboard. When the user tries to onboard, this setting is then checked. If the user reaches his limit, the user cannot onboard another device unless the administrator revokes or deletes his first entry.



Colin Joseph
Aruba Customer Engineering

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Onboard limit per user based on group

Colin is correct... that's all that's needed. IF the user wants to REPLACE this one allowed device, you can set up BYOD self-service where they can log in themselves and delete the cert!

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: Onboard limit per user based on group

Yes, I got it.

But for iOS or Mac OS X, it first does a web pre-login auth check, as it does over-the-air provisioning, and later it hits the Onboard Authorization service. So for iOS or Mac OS X, is any extra configuration required?

Thanks

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Onboard limit per user based on group

No.

When you onboard a device it will tie that username to it (doesn't matter if it's Windows, Mac, or Android), and that will be checked in the background to see if that user can add another device, through a built-in database query triggered by the pre-auth check.

You have the option to check each time a device connects to see how many devices that user has (which I think you are asking about). That works fine in an environment like a school, hospital, or for guests, where you want to restrict a user to a set number of MAC auth, non-onboarded and .1X devices combined based on a group membership. But it does add overhead on CPPM, since you are doing a query every time a device connects instead of just checking when they try adding another device.

If you are only allowing users to connect to the network with a cert, then they wouldn't be able to onboard another device until the other one is expired or revoked.

I hope this makes sense. Just let me know if you're still confused and I can add a few screen shots in the morning.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: Onboard limit per user based on group

Yes, I got it.

The only way for iOS, Mac OS X and Android devices to get onto the network is to get onboarded. That's the requirement.

Thanks

srikanth

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: Onboard limit per user based on group

If I use username abcd to onboard any device and then try with the same username, I am unable to onboard a 2nd device, whether it is Android, iOS or Windows.

But if I use username abcd to onboard Android and domain\abcd for iOS, I am able to onboard and it's working fine.

But if I use username abcd to onboard Android and domain\abcd for a 2nd Android, I am able to onboard but authentication fails.

Can anyone help me on this issue? I should stop the iOS device from onboarding after Android is onboarded.

 

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: Onboard limit per user based on group

Can I stop users from giving domain\username by writing a role like

Authorization: AD groups onboardlimit

     AND

Radius:IETF username not begins with domain name (for example, the domain is abc)

If a user enters Abc or ABC, will it stop, or does it treat it as case sensitive?

Cheers

srikanth
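As an added illustration (not ClearPass code and not from anyone in the thread), the Python model below shows why the two problems raised in the last posts are the same problem: if "abcd", "ABC\abcd" and "abcd@abc.local" are not reduced to one owner before the device count is checked, the per-user limit is bypassed, and a plain "begins with abc\" test would miss "ABC\". The domain name abc and the repository structure are assumptions.

```python
import re

# Constructed example: simulate the per-user Onboard limit (the
# max-mdps-devices idea) with identity normalisation in front of the check.

DOMAIN = "abc"  # the thread's example domain (assumption)


def canonical_user(username: str, domain: str = DOMAIN) -> str:
    """Reduce 'ABC\\abcd', 'abcd@abc.local' and 'abcd' to the same key."""
    name = username.strip()
    # Strip a leading 'DOMAIN\' prefix, case-insensitively.
    name = re.sub(r"^" + re.escape(domain) + r"\\", "", name, flags=re.IGNORECASE)
    # Strip a UPN suffix such as '@abc' or '@abc.local', case-insensitively.
    name = re.sub(r"@" + re.escape(domain) + r"(\.[^@]+)?$", "", name, flags=re.IGNORECASE)
    return name.lower()


def has_domain_prefix(username: str, domain: str = DOMAIN) -> bool:
    """Case-insensitive 'begins with domain\\' test; lowercases both sides first."""
    return username.lower().startswith(domain.lower() + "\\")


class OnboardRepository:
    """Minimal stand-in for the Onboard device repository: owner -> device ids."""

    def __init__(self):
        self.devices = {}

    def count(self, username: str) -> int:
        return len(self.devices.get(canonical_user(username), set()))

    def try_onboard(self, username: str, device_id: str, max_devices: int) -> bool:
        """Record the device and return True if the user is under the limit (0 = unlimited)."""
        owner = canonical_user(username)
        owned = self.devices.setdefault(owner, set())
        if device_id in owned:          # re-enrolling an existing device is allowed
            return True
        if max_devices and len(owned) >= max_devices:
            return False                # limit reached: admin must revoke/delete first
        owned.add(device_id)
        return True

    def revoke(self, username: str, device_id: str) -> None:
        """Delete/revoke the entry so the user can onboard a replacement device."""
        self.devices.get(canonical_user(username), set()).discard(device_id)
```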
