MVP
Posts: 1,110
Registered: ‎10-11-2011

Onboarding - Limit Devices

I need to only allow a device to onboard if the user is authorized to do so and if the device is corporately owned. I currently have this working via a combination of AD user and static host list. I received a request to key off of the device IMEI instead of the MAC contained in the static host list. I know that it can be matched using a RADIUS:Aruba condition in a mapping rule, but I'm going to have a very large number of devices. Adding each device IMEI as a condition just isn't realistic in my opinion.

Ultimately, it comes down to being sure that we know the device being onboarded should be on the network. Since MACs can be spoofed, I need to consider what options I have to say with a large degree of certainty that only our assets are on the network.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba
Posts: 113
Registered: ‎11-21-2011

Re: Onboarding - Limit Devices

Some thoughts on this:

If you have a corporate asset database of IMEIs, it should be possible to set this up in CPPM as an Authorization Source (i.e. as an external SQL server of some kind).

Onboard does an authorization check through Policy Manager when the device is being provisioned, so with a suitable Authorization Source and query you should be able to get it to check that the IMEI is on an allowed list (or not in a blacklist).
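As an added illustration of the external-SQL approach suggested above (not part of the original reply), here is a minimal asset table and the kind of filter query such an Authorization Source could run. The `%{...}` substitution tokens are assumptions: `%{Authentication:Username}` is the usual CPPM username attribute, while the attribute that carries the device IMEI is left as a placeholder to be confirmed in your CPPM version.

```sql
-- Corporate asset inventory keyed by IMEI (constructed example schema).
CREATE TABLE corporate_assets (
    imei       VARCHAR(16)  PRIMARY KEY,  -- 15-digit IMEI stored as text
    owner_upn  VARCHAR(256) NOT NULL,     -- AD user allowed to onboard this asset
    status     VARCHAR(16)  NOT NULL      -- 'active', 'retired', 'lost'
);

-- Constructed sample rows.
INSERT INTO corporate_assets VALUES ('356938035643809', 'alice@example.com', 'active');
INSERT INTO corporate_assets VALUES ('490154203237518', 'bob@example.com',   'lost');

-- Filter query for the Authorization Source.
-- Returns one row with allow_onboard = 1 only when the IMEI is a known,
-- active asset AND belongs to the user who is authenticating; any other
-- case returns no row, so the role mapping falls through to the deny path.
-- '%{DEVICE_IMEI_ATTRIBUTE}' is a placeholder for the real IMEI attribute.
SELECT imei,
       owner_upn,
       1 AS allow_onboard
FROM corporate_assets
WHERE imei      = '%{DEVICE_IMEI_ATTRIBUTE}'
  AND owner_upn = '%{Authentication:Username}'
  AND status    = 'active';
```

Binding the IMEI to the authenticating user covers both halves of the original requirement (authorized user and corporately owned device) in a single lookup, and a lost or retired status revokes onboarding without touching the user's AD account.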


MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Onboarding - Limit Devices

Great idea! I forgot I can use a SQL server as an authorization source. I'll see if I can get this rigged up and report back.
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Onboarding - Limit Devices

We ended up going another route with this. We decided that we would enroll all corporate devices in an MDM solution first. If the device is enrolled in MDM, then it's allowed to onboard.