MVP
Posts: 371
Registered: ‎05-09-2013

Posture Check Guest Mobile Devices

Hi All,

I am doing a ClearPass install and we are doing posture checking on the Guest network. The service is built and working fine, but we want to bypass the posture check for mobile devices as they are not capable of it.

I tried adding role mapping policies that looked at "Authorization:[Endpoint Repository]-Device Category-SmartDevice" and also tried "RADIUS:Aruba-Aruba-Device-Type EQUALS iPhone", but the problem is the device is not always sending the information. We are doing an Allow All MAC Auth and depending on the device we are either sending them to a role with the posture check captive portal or just the self-registration.

How do I get the devices to consistently send the device type or be profiled with the device category?

Please see attached images for example.

Thanks.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Posture Check Guest Mobile Devices

You need to enable profiling on your service and select Smartdevices from the drop down.

Then in your service, write a rule that says Endpoints Repository: Device Category NOT_EXISTS, return a controller role that just allows DHCP (logon role works great for this).

This will force the device to be profiled and then bump the user so authentication can continue. This would only happen the first time the device is seen on the network.

Make sure you have the endpoints repository as an authorization source.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 371
Registered: ‎05-09-2013

Re: Posture Check Guest Mobile Devices

Thanks, I will give it a try and let you know.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
MVP
Posts: 371
Registered: ‎05-09-2013

Re: Posture Check Guest Mobile Devices

So I went through the configuration and also found out that I did not have the RFC3576 Shared Key configured on the controller. Fixed that and went through with your configuration and it worked. Thanks for the help!

Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: Posture Check Guest Mobile Devices

Make sure you have DHCP helpers pointed to CPPM and/or add IFMAP for the controller to send additional info.

I actually reverse the logic for OnGuard and only enforce for device category computer. Then everything else falls through.

onguard.png

The real question though is if the guest network is configured properly (i.e. no access to production networks etc.), why go through the hassle of posture checking on those devices?

Regards,

Josh
___________
ACMP, ACCP
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Posture Check Guest Mobile Devices

jclingan,

The problem with not forcing a profile role is you may not know what the device is for the first authentication which can cause issues for clients when they're in the wrong role.

Using a profile check, you can alleviate this.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

Re: Posture Check Guest Mobile Devices

cappalli - yeah I agree. It's good practice and I always make a "not profiled" rule/role and put it at the top of my enforcement policy.

Regards,

Josh
___________
ACMP, ACCP
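
The rule ordering discussed in this thread, modelled as an added Python example (not from any poster and not ClearPass configuration): a new endpoint is evaluated once before profiling and once after, with and without a "not profiled" rule at the top. It assumes first-match rule evaluation; the role names, dict keys and sample MAC are hypothetical.

```python
# Added illustration: a first-match enforcement policy modelled in Python.
# Role names and dict keys are hypothetical, not ClearPass identifiers.

PROFILE_ONLY = "profile-only"      # DHCP-only role, e.g. the controller logon role
POSTURE_PORTAL = "posture-portal"  # captive portal with the posture check
SELF_REG = "self-registration"     # guest self-registration, no posture check


def evaluate(rules, endpoint):
    """Return the role of the first rule whose condition matches."""
    for condition, role in rules:
        if condition(endpoint):
            return role
    raise LookupError("no rule matched")


def is_computer(ep):
    return ep.get("device_category") == "Computer"


def not_profiled(ep):
    # Models the "Device Category NOT_EXISTS" condition from the thread.
    return ep.get("device_category") is None


def anything(ep):
    return True


# Posture enforced only for Computer; everything else falls through.
REVERSED_ONLY = [(is_computer, POSTURE_PORTAL), (anything, SELF_REG)]

# Same policy with a "not profiled" rule placed at the top.
WITH_NOT_PROFILED = [(not_profiled, PROFILE_ONLY)] + REVERSED_ONLY


def first_and_second_auth(rules, true_category):
    """Simulate a new endpoint: unknown on first auth, profiled before the second."""
    endpoint = {"mac": "02:00:00:00:00:01"}      # constructed sample endpoint
    first = evaluate(rules, endpoint)            # nothing known about the device yet
    endpoint["device_category"] = true_category  # profiler learns it, e.g. from DHCP
    second = evaluate(rules, endpoint)           # evaluation once the category is known
    return first, second
```

Without the top rule, an unprofiled laptop matches the fall-through on its first authentication and lands in the role without the posture check; with it, every new device waits in the DHCP-only role until its category is known.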