Posture Check Guest Mobile Devices

Hi All,

 

I am doing a ClearPass install and we are doing posture checking on the Guest network. The service is built and working fine, but we want to bypass the posture check for mobile devices as they are not capable of it.

 

I tried adding role mapping policies that looked at "Authorization:[Endpoint Repository]-Device Category-SmartDevice" and also tried "RADIUS:Aruba-Aruba-Device-Type EQUALS iPhone", but the problem is the device is not always sending the information. We are doing an Allow All MAC Auth and depending on the device we are either sending them to a role with the posture check captive portal or just the self-registration.

 

How do I get the devices to consistently send the device type or be profiled with the device category?

 

Please see attached images for example.

 

Thanks.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Guru Elite

Re: Posture Check Guest Mobile Devices

You need to enable profiling on your service and select Smartdevices from the drop down.

 

Then in your service, write a rule that says Endpoints Repository: Device Category NOT_EXISTS, return a controller role that just allows DHCP (logon role works great for this).

 

This will force the device to be profiled and then bump the user so authentication can continue. This would only happen the first time the device is seen on the network.

 

Make sure you have the endpoints repository as an authorization source. 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Posture Check Guest Mobile Devices

Thanks, I will give it a try and let you know.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: Posture Check Guest Mobile Devices

So I went through the configuration and also found out that I did not have the RFC3576 Shared Key configured on the controller. I fixed that, went through with your configuration, and it worked. Thanks for the help!

Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Regular Contributor I

Re: Posture Check Guest Mobile Devices

Make sure you have DHCP helpers pointed to CPPM and/or add IFMAP for the controller to send additional info. 

 

I actually reverse the logic for OnGuard and only enforce for device category computer. Then everything else falls through. 

 

The real question though is, if the guest network is configured properly (i.e., no access to production networks, etc.), why go through the hassle of posture checking on those devices?

Regards,

Josh
___________
ACMP, ACCP
Guru Elite

Re: Posture Check Guest Mobile Devices

jclingan,

The problem with not forcing a profile role is you may not know what the device is for the first authentication which can cause issues for clients when they're in the wrong role.

Using a profile check, you can alleviate this.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Posture Check Guest Mobile Devices

cappalli - yeah, I agree. It's good practice and I always make a "not profiled" rule/role and put it at the top of my enforcement policy.

Regards,

Josh
___________
ACMP, ACCP
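
Added illustration, not part of any post in this thread and not ClearPass configuration: a small first-match policy model showing why a "not profiled" rule at the top of the enforcement policy matters. The role names, rule representation and MAC address are hypothetical, and profiling is simplified to "the category becomes known once the device has done DHCP in the restricted role".

```python
# Added illustration: a first-match policy model, NOT ClearPass configuration.
# Role names and the rule representation are hypothetical.

PROFILE_ONLY = "profile-only"      # DHCP-only role, like the controller logon role
POSTURE = "posture-portal"         # captive portal that runs the posture check
SELF_REG = "self-registration"     # guest self-registration only

def not_profiled(ep):
    # Models the "Device Category NOT_EXISTS" condition from the thread.
    return ep.get("device_category") is None

def is_computer(ep):
    return ep.get("device_category") == "Computer"

def always(ep):
    return True

# Policy A: posture only for computers, everything else falls through.
POLICY_FALLTHROUGH = [(is_computer, POSTURE), (always, SELF_REG)]
# Policy B: the same rules with a "not profiled" rule placed first.
POLICY_PROFILE_FIRST = [(not_profiled, PROFILE_ONLY)] + POLICY_FALLTHROUGH

def evaluate(policy, endpoint):
    """Return the role of the first rule whose condition matches."""
    for condition, role in policy:
        if condition(endpoint):
            return role
    raise ValueError("policy has no default rule")

def connect(policy, true_category):
    """Roles assigned, in order, to a device the network has never seen."""
    endpoint = {"mac": "02:00:00:00:00:01"}  # constructed MAC, no category yet
    roles = [evaluate(policy, endpoint)]
    if roles[0] == PROFILE_ONLY:
        # Simplification: the device does DHCP in the restricted role, its
        # category is recorded, and the client is bumped to re-authenticate.
        endpoint["device_category"] = true_category
        roles.append(evaluate(policy, endpoint))
    return roles

if __name__ == "__main__":
    policies = (("fall-through", POLICY_FALLTHROUGH),
                ("profile-first", POLICY_PROFILE_FIRST))
    for name, policy in policies:
        for category in ("Computer", "SmartDevice"):
            print(name, category, connect(policy, category))
```

In the fall-through policy an unprofiled computer lands in the self-registration role on its first authentication and skips the posture portal; with the "not profiled" rule first, it is held in the restricted role until its category is known.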