Occasional Contributor II

PSK SSID + Endpoint Repository for role assignment?

We've got a PSK SSID in use globally that's pretty well entrenched in our organization, and due to varying configurations it's turned into a very mixed-use network. What I'd like to do is steer mobile devices into a specific role/vlan, while leaving our bridges and other headless devices in the authenticated role. I've tried user derivation rules with DHCP thumbprints to do this but the results have been very poor (sub 10% hit rate). Rather than tearing it out and reconfiguring thousands of devices, I'd like to leverage the CPPM Endpoint Repository so that if the device name was, for example, iPhone it would hand the appropriate Aruba-User-Role back to the controller.

Is this possible? I've stepped through a few different configurations that I thought might work but I'm not even seeing requests in access tracker.

Guru Elite

Re: PSK SSID + Endpoint Repository for role assignment?

Yes, you’d create a basic MAC authentication service with [Allow All MAC Auth] and build policies that return back a user-role and VLAN-name combination.

It’s also recommended to use the Device Registration portal in ClearPass to register those headless devices and assign a role and owner.

Be sure to enable MAC Authentication in your AAA profile on the controller.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
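A controller-side sketch of the setup described in the reply above, added as an example and not taken from the thread. The server, server-group, profile and virtual-AP names, the RADIUS address and the shared secret are placeholders; the commands are ArubaOS controller CLI.

```text
! Added example: every name, address and key below is a placeholder.
! ClearPass as the RADIUS server that answers the MAC authentication requests.
aaa authentication-server radius "cppm"
   host 192.0.2.10
   key <shared-secret>
!
aaa server-group "cppm-sg"
   auth-server "cppm"
!
! MAC authentication profile referenced by the AAA profile.
aaa authentication mac "default"
!
! AAA profile for the PSK SSID: MAC auth enabled and pointed at ClearPass.
! mac-default-role applies when ClearPass returns no Aruba-User-Role,
! which keeps bridges and headless devices in "authenticated".
aaa profile "psk-macauth"
   authentication-mac "default"
   mac-default-role "authenticated"
   mac-server-group "cppm-sg"
!
! Attach the AAA profile to the virtual AP that carries the PSK SSID.
wlan virtual-ap "psk-vap"
   aaa-profile "psk-macauth"
```

Any role name ClearPass returns in Aruba-User-Role has to match a user-role defined on the controller. Once the profile is attached, MAC authentication requests from clients on the SSID should show up in Access Tracker.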
Occasional Contributor II

Re: PSK SSID + Endpoint Repository for role assignment?

Thanks Tim, that works perfectly!

-Josh.
