SBS
Contributor II
Posts: 38
Registered: ‎11-04-2013

TLS certificate vs. Mac Caching - BYOD Registration using CPPM

Hello, we have CPPM and use it for BYOD registration. We have two Wi-Fi networks: Registration and BYOD. A user associates to the Registration network and goes through the process. If they have an iOS device they download a ClearPass Onboard profile certificate and then a device enrollment certificate. If they have an Android device they go to the Play Store and download the Aruba ClearPass QuickConnect app, which is then used to provision the device and install the certificates. They then join the BYOD network for communications.


If they have issues with the above registration process, or they are on a device that doesn't support the traditional onboarding process (certificates), they can register via the "alternate method", which MAC-caches their client MAC (which gets retained based on the database retention time set in CPPM Insight).


My question is this: would there be any benefits or drawbacks from exclusively using the MAC caching method for everyone? What would those pros and cons be specifically?


Thank you for the insight.

Sarah

Frequent Contributor II
Posts: 118
Registered: ‎02-10-2011

Re: TLS certificate vs. Mac Caching - BYOD Registration using CPPM

I don't consider MAC caching and using the MAC address as very secure. MAC addresses can be spoofed to gain access. Hence I prefer the more secure certificate-based approach you mentioned. Just my preference.
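An added illustration of the point above, not code from the thread or from ClearPass: a MAC-cache decision compares nothing but the presented layer-2 address against a table with a retention window, so a simple defender-side check is to flag a cached MAC that holds active sessions on two access points at once. The retention window, cache table and accounting records below are constructed assumptions, not CPPM data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed retention window for "alternate method" MAC-cache entries; the real
# value is whatever is configured in CPPM Insight, not this constant.
RETENTION = timedelta(days=7)
NOW = datetime(2014, 3, 3, 12, 0)  # constructed "current time" for the demo

# Constructed MAC-cache table: MAC -> time the device was last registered.
MAC_CACHE = {
    "aa:bb:cc:dd:ee:01": datetime(2014, 3, 1, 9, 0),
    "aa:bb:cc:dd:ee:02": datetime(2014, 2, 10, 9, 0),
}

def mac_cache_allows(cache, mac, now, retention=RETENTION):
    """Authorize purely on the presented MAC: present in the cache and not expired.
    Nothing here proves the client is the device that originally registered."""
    registered = cache.get(mac.lower())
    return registered is not None and now - registered <= retention

# Constructed RADIUS-accounting-style records, in time order.
ACCOUNTING = [
    {"mac": "aa:bb:cc:dd:ee:01", "nas": "ap-floor1", "status": "Start"},
    {"mac": "aa:bb:cc:dd:ee:02", "nas": "ap-floor1", "status": "Start"},
    {"mac": "aa:bb:cc:dd:ee:02", "nas": "ap-floor1", "status": "Stop"},
    {"mac": "aa:bb:cc:dd:ee:02", "nas": "ap-floor2", "status": "Start"},  # roam: fine
    {"mac": "aa:bb:cc:dd:ee:01", "nas": "ap-floor2", "status": "Start"},  # overlap
]

def concurrent_mac_use(records):
    """Flag MACs that hold active sessions on more than one NAS at the same time,
    a simple indicator that one cached MAC is being presented by two clients."""
    active = defaultdict(set)
    flagged = set()
    for rec in records:
        mac, nas = rec["mac"].lower(), rec["nas"]
        if rec["status"] == "Start":
            active[mac].add(nas)
            if len(active[mac]) > 1:
                flagged.add(mac)
        elif rec["status"] == "Stop":
            active[mac].discard(nas)
    return flagged

if __name__ == "__main__":
    for mac in MAC_CACHE:
        print(mac, "allowed" if mac_cache_allows(MAC_CACHE, mac, NOW) else "expired")
    print("concurrent use:", sorted(concurrent_mac_use(ACCOUNTING)))
```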


Guru Elite
Posts: 8,793
Registered: ‎09-08-2010

Re: TLS certificate vs. Mac Caching - BYOD Registration using CPPM

Mostly security. Certificates are the golden standard for authentication. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Frequent Contributor II
Posts: 118
Registered: ‎02-10-2011

Re: TLS certificate vs. Mac Caching - BYOD Registration using CPPM

Sarah,


On a side note, I'm curious what issues you have seen in relation to devices not being able to support certificates. I had tested Apple iPhones, iPads and Android Galaxy devices and they all onboarded with certificates fine. It sounds like you came across other devices that don't support that onboarding method, so you had to revert to MAC address etc. Can you elaborate please? Thanks

SBS
Contributor II
Posts: 38
Registered: ‎11-04-2013

Re: TLS certificate vs. Mac Caching - BYOD Registration using CPPM

Thanks, here are some examples of the certificate method not working:


The new Kindle Fires with the Silk browser won't register the certificate way. Something with the Silk browser must have changed from the older Fire devices, which did work the certificate way.

I opened a case with TAC and they recommended downloading Google Chrome instead.

Occasionally an Android device will ask for a storage credential password as part of the process. The user inputs their device PIN, but it doesn't work, and the user is unaware of what the storage credential would be and says they never set one.


Another example is a Windows Phone 8; the certificate way isn't supported because of something with the Windows software needing an update, if I remember correctly.


With not maintaining the user devices, since it's BYOD, sometimes we don't have a clue what the device has been through :) So we kind of use the alternate method as a catch-all for those devices that can't be traditionally onboarded the certificate way.
