Occasional Contributor II
Posts: 51
Registered: ‎12-16-2014

Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

Thank you in advance, my Google-fu is lacking... We've got two Aruba 7210 controllers and ClearPass and everything works OK for user auth for our 802.1X SSID... the problem comes in when we want to say, "allow THIS iPad on the wifi but not this other one." We have iPads, Android phones, iPhones, Windows laptops, TI-82 calculators (jk), etc. but we do not currently have an MDM solution to easily put certs, etc. on these devices. Our ClearPass endpoint database is filling up with tons of devices and I see where you can mark them "known" or "unknown" but I don't see how to give the user/device a different role based on the device they are on. Also, can we do anything with "device profiling" so it is a little more secure than just MAC-address authentication only? Hope that makes sense, thanks.

Guru Elite
Posts: 8,774
Registered: ‎09-08-2010

Re: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

What will be the source of the device ownership?


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 51
Registered: ‎12-16-2014

Re: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

The company I work for would buy a bunch of devices (iPads, Android phones, etc.) and we would only want these phones to get on the corp network, so like get the "corp" role... but if the same user signed on with their personal iPad they should only get the guest role... hope that makes sense, thanks.

Guru Elite
Posts: 8,774
Registered: ‎09-08-2010

Re: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

You can either issue them certificates from a different CA or mark the MAC in the endpoints database as corporate.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 51
Registered: ‎12-16-2014

Re: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

Ok, thanks. Yes, I was trying to avoid certs for now due to the myriad different devices, but is there a way to also use ClearPass "profiler" so that someone couldn't spoof an Android MAC address on their Windows laptop? So for example, only allow this MAC address on if the device fingerprint matches what is in the ClearPass endpoint DB (Android OS, version, etc.).

 

Guru Elite
Posts: 8,774
Registered: ‎09-08-2010

Re: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

Well, kind of. The problem is a profile might return Windows, but the MAC is an Intel MAC.

Profile conflicts really come into play when a device category changes. Like "Computer" becoming a "Printer".

Certs really are the only secure, reliable way.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 51
Registered: ‎12-16-2014

Re: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

Ok, thanks!

 

Guru Elite
Posts: 8,774
Registered: ‎09-08-2010

Re: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

If you just want to take different action if the profile changes, you can use the profile conflict attribute in your enforcement.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
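
The decision logic discussed in this thread (user auth, an ownership mark on the endpoint's MAC, and a profile-conflict check), sketched as an added example that is not part of any post and is not ClearPass code or configuration. The class, field and category names, the "quarantine" role and the sticky conflict flag are assumptions made for illustration; the MAC addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    mac: str
    corporate: bool          # ownership mark set by an admin (hypothetical field)
    category: str            # device category recorded when first profiled
    conflict: bool = False   # set when a later fingerprint disagrees

def normalize(mac):
    """Reduce a MAC to 12 lowercase hex digits so lookups ignore separators."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

class EndpointDB:
    def __init__(self):
        self.by_mac = {}

    def add(self, mac, corporate, category):
        key = normalize(mac)
        self.by_mac[key] = Endpoint(key, corporate, category)

    def observe(self, mac, category):
        """Record a new fingerprint; flag a conflict if the category changed."""
        ep = self.by_mac.get(normalize(mac))
        if ep is not None and category != ep.category:
            ep.conflict = True   # assumption: stays set until an admin clears it
        return ep

def enforce(db, mac, user_authenticated, observed_category):
    """Return the role for one connection attempt."""
    if not user_authenticated:
        return "deny"
    ep = db.observe(mac, observed_category)
    if ep is None or not ep.corporate:
        return "guest"           # valid user on a device we do not own
    if ep.conflict:
        return "quarantine"      # owned MAC, but the category has changed
    # A device presenting an owned MAC with a matching category lands here:
    # this check cannot tell it apart from the real one, which is why the
    # thread's answer is that certificates are the only reliable control.
    return "corp"

def build_sample_db():
    db = EndpointDB()
    db.add("02:00:5E:10:00:01", corporate=True, category="SmartDevice")
    db.add("02:00:5E:10:00:02", corporate=False, category="SmartDevice")
    return db
```
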