05-18-2016 05:56 AM
Hello, we have CPPM and use it for BYOD registration. We have 2 Wi-Fi networks: Registration and BYOD. A user associates to the Registration network and goes through the process. If they have an iOS device they download a ClearPass Onboard profile certificate and then a device enrollment certificate. If they have an Android device they go to the Play Store and download the Aruba ClearPass QuickConnect app, which is then used to provision the device and install the certificates. They then join the BYOD network for communications.
If they have issues with the above registration process, or they are on a device that doesn't support the traditional onboarding process (certificates), they can register via the "alternate method", which MAC-caches their client MAC (which is retained based on the database retention time set in CPPM Insight).
My question is this, would there be any benefits or drawbacks from exclusively using the MAC caching method for everyone? What would those pros and cons be specifically?
Thank you for the insight.
05-18-2016 06:00 AM
I don't consider MAC caching and using the MAC address as very secure. MAC addresses can be spoofed to gain access. Hence I prefer the more secure certificate-based approach you mentioned. Just my preference.
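To make the trade-off above concrete, here is an added example (not from the thread or from ClearPass itself) of what a MAC-cache authorization decision looks like and what a defender can and cannot check with it. The retention window, the log format, the MAC addresses and the idea of comparing an OS/device hint captured at registration against the one seen at authentication are all constructed assumptions for this illustration; the point it shows is that a cached MAC alone proves nothing about the device, so the only extra signals available are expiry and fingerprint consistency, neither of which a certificate-based (EAP-TLS) flow needs.

```python
"""MAC-cache authorization with retention expiry and a spoofing heuristic.

Constructed example: the cache, log lines and retention value are invented.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed retention window; stands in for the Insight database retention setting.
RETENTION = timedelta(days=30)


@dataclass
class CacheEntry:
    user: str            # who registered this MAC via the alternate method
    registered: datetime  # when the cache entry was created
    os_hint: str         # assumed: OS/device hint recorded at registration


def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form so lookups don't miss on formatting."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def evaluate(cache: Dict[str, CacheEntry], mac: str, os_hint: str,
             now: datetime) -> Tuple[str, str]:
    """Return (decision, reason) for one MAC-auth request.

    A cached MAC is accepted even when the device hint differs, because a
    MAC-only policy has no stronger evidence to reject on; the mismatch is
    surfaced as a reason string so it can be alerted on instead.
    """
    entry = cache.get(normalize_mac(mac))
    if entry is None:
        return "REJECT", "unknown-mac"
    if now - entry.registered > RETENTION:
        return "REJECT", "retention-expired"
    if os_hint != entry.os_hint:
        return "ACCEPT", f"fingerprint-mismatch:{entry.os_hint}->{os_hint}"
    return "ACCEPT", "cached"


# Constructed log format: "<ISO timestamp> mac=<addr> os=<hint>"
LOG_RE = re.compile(r"^(\S+) mac=(\S+) os=(\S+)$")


def process_log(cache: Dict[str, CacheEntry],
                lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every parseable log line through evaluate(); returns (mac, decision, reason)."""
    results = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that don't match the constructed format
        ts, mac, os_hint = m.groups()
        decision, reason = evaluate(cache, mac, os_hint, datetime.fromisoformat(ts))
        results.append((normalize_mac(mac), decision, reason))
    return results


def flagged(results: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Accepted requests whose device hint no longer matches the registration record."""
    return [r for r in results if r[2].startswith("fingerprint-mismatch")]


def build_sample_cache() -> Dict[str, CacheEntry]:
    """Constructed cache: one fresh entry and one past the retention window."""
    return {
        normalize_mac("AA:BB:CC:11:22:33"): CacheEntry("alice", datetime(2016, 5, 1, 9, 0), "iOS"),
        normalize_mac("de-ad-be-ef-00-01"): CacheEntry("bob", datetime(2016, 3, 1, 9, 0), "Android"),
    }


SAMPLE_LOG = [  # constructed
    "2016-05-18T05:56:00 mac=aabbcc112233 os=iOS",          # alice, as registered
    "2016-05-18T06:01:00 mac=AA-BB-CC-11-22-33 os=Windows",  # alice's MAC, different OS
    "2016-05-18T06:02:00 mac=DE:AD:BE:EF:00:01 os=Android",  # bob, cache entry expired
    "2016-05-18T06:03:00 mac=00:11:22:33:44:55 os=Android",  # never registered
]

if __name__ == "__main__":
    res = process_log(build_sample_cache(), SAMPLE_LOG)
    for r in res:
        print(*r)
    print("flagged:", flagged(res))
```

The second log line is the case the reply above is worried about: the MAC is in the cache, so a MAC-only policy accepts it, and the mismatch is only visible because an extra hint was recorded at registration. With certificate onboarding the device proves possession of a private key at every connection, so there is nothing equivalent to cache or expire.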
05-18-2016 06:02 AM
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
05-19-2016 04:49 AM
On a side note, I'm curious what issues you have seen in relation to devices not being able to support certificates. I had tested Apple iPhones, iPads and Android Galaxy devices and they all onboarded with certificates fine. It sounds like you came across other devices that don't support that onboarding method, so you had to revert to MAC address etc. Can you elaborate please? Thanks
05-19-2016 05:27 AM
Thanks, here are some examples of the certificate method not working:
The new Kindle Fires with the Silk browser won't register the certificate way. Something in the Silk browser must have changed from the older Fire devices, which did work the certificate way.
I opened a case with TAC and they recommended downloading Google Chrome instead.
Occasionally an Android will ask for a storage credential password as part of the process. The user inputs their device PIN, but it doesn't work, and the user is unaware of what the storage credential would be and says they never set one.
Another example is a Windows Phone 8; the certificate way isn't supported because of something with the Windows software needing an update, if I remember correctly.
Since it's BYOD and we don't maintain the user devices, sometimes we don't have a clue what the device has been through :) So we kind of use the alternate method as a catch-all for those devices that can't be traditionally onboarded the certificate way.