Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboarding - Limit Devices

  • 1.  Onboarding - Limit Devices

    Posted Feb 14, 2013 01:21 PM

    I need to only allow a device to onboard if the user is authorized to do so and if the device is corporately owned.  I currently have this working via combination of AD user and static host list.  I received a request to key off of the device IMEI instead of MAC contained in the static host list.  I know that it can be matched using a RADIUS: Aruba condition in a mapping rule, but I'm going to have a very large number of devices.  Adding each device IMEI as a condition just isn't realistic in my opinion.

     

    Ultimately, it comes down to being sure that we know the device being onboarded should be on the network.  Since MACs can be spoofed, I need to consider what options I have to say with a large degree of certainty that only our assets are on the network. 



  • 2.  RE: Onboarding - Limit Devices

    Posted Feb 14, 2013 07:16 PM

    Some thoughts on this:

     

    If you have a corporate asset database of IMEIs, it should be possible to set this up in CPPM as an Authorization Source (i.e. as an external SQL server of some kind).

     

    Onboard does an authorization check through Policy Manager when the device is being provisioned so with a suitable Authorization Source and query you should be able to get it to check the IMEI is on an allowed list (or not in a blacklist).

     

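The IMEI allow-list check described in the reply above, as an added example that is not part of the original thread or of ClearPass itself: it models the external SQL authorization source as an in-memory SQLite table (constructed sample rows, not real devices) and shows the checks a practitioner would want in the filter query: a well-formed IMEI (Luhn check digit), a parameterised lookup, ownership by the authenticating user, and a status that is not blocked. Table and column names are assumptions.

```python
import sqlite3

# Constructed sample inventory: (imei, assigned_user, status). Not real devices.
SAMPLE_ASSETS = [
    ("490154203237518", "alice", "active"),
    ("356938035643809", "bob", "lost"),   # present in inventory but flagged
]


def luhn_valid(imei: str) -> bool:
    """A 15-digit IMEI carries a Luhn check digit; reject anything else early."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_imei(raw: str) -> str:
    """Device-supplied IMEIs often arrive with spaces or dashes; keep digits only."""
    return "".join(c for c in raw if c.isdigit())


def build_inventory(rows):
    """Stand-in for the corporate asset database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (imei TEXT PRIMARY KEY, owner TEXT, status TEXT)")
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?)", rows)
    return conn


def authorize_onboard(conn, username, raw_imei):
    """Return (allowed, reason). The IMEI must exist, belong to the
    authenticating user, and not be in a blocked state (denylist case)."""
    imei = normalize_imei(raw_imei)
    if not luhn_valid(imei):
        return False, "malformed IMEI"
    # Parameterised query: the device-supplied value is never interpolated.
    row = conn.execute("SELECT owner, status FROM assets WHERE imei = ?", (imei,)).fetchone()
    if row is None:
        return False, "not a corporate asset"
    owner, status = row
    if owner != username:
        return False, "asset assigned to another user"
    if status != "active":
        return False, f"asset status is {status}"
    return True, "ok"
```

Because the IMEI is reported by the device, this check limits onboarding to inventoried assets but does not by itself prove the device is genuine; the later reply in this thread (requiring MDM enrollment first) adds that second factor.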


  • 3.  RE: Onboarding - Limit Devices

    Posted Feb 14, 2013 07:19 PM
    Great idea! I forgot I can use a SQL server as an authorization source. I'll see if I can get this rigged up and report back.


  • 4.  RE: Onboarding - Limit Devices

    Posted Nov 19, 2013 02:50 PM

    We ended up going another route with this.  We decided that we would enroll all corporate devices in an MDM solution, first.  If the device is enrolled in MDM, then it's allowed to onboard.