Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Two Factor Authentication With Mac Address Check

  • 1.  Two Factor Authentication With Mac Address Check

    Posted Aug 27, 2014 07:43 AM

    Hi All,

     

    We are rolling out a new Wi-Fi network with 802.1X and PEAP. We are using CPPM and I have a profile built for the internal users so they will only get into their correct VLAN if they are Machine and User authenticated. However, some of the execs have MacBooks and aren't on the domain. I was wondering how I would build a profile to check against the endpoint repository for the wireless MAC address and, if authorised there, put them into the same VLAN as the Machine and User auth.


    To clarify

    Policy one - Machine Auth

                          User Auth            = Vlan 101

     

    Policy two - Mac auth

                         User auth           = Vlan 101

     

    I am just unsure of how to build policy two in CPPM


    Regards,

    Owen



  • 2.  RE: Two Factor Authentication With Mac Address Check
    Best Answer

    EMPLOYEE
    Posted Aug 27, 2014 08:03 AM

    Create a new custom attribute under Administration > Dictionaries > Attributes.


    Entity: Endpoint

    Name: something like Corp-Owned, or Corp-Device

    Type: Boolean

    Is Mandatory: No

    Allow Multiple: No

     

     

    Now in your enforcement policy, do something like this:

     

    [Image: corp-device.JPG]

     

    You don't really need rule #3, but it can add extra "security".

     

     

    Now all you have to do is add that attribute to the appropriate endpoints in the endpoint database. If you have all of the MAC addresses available in a list, you can create a CSV that can be converted to an XML file and imported. Saves a lot of time.
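
The CSV-to-XML step mentioned in the answer above, as an added example that is not part of the original thread or Aruba's own tooling. The XML element and attribute names and the namespace are assumptions modelled on a ClearPass endpoint export and should be compared with an export from your own server before importing; the CSV column names and sample rows are constructed.

```python
import csv, io, re
import xml.etree.ElementTree as ET

# Assumed layout, modelled on a ClearPass endpoint export; diff against your own export.
NS = "http://www.avendasys.com/tipsapiDefs/1.0"
TAG_NAME = "Corp-Device"  # the custom Boolean endpoint attribute from the answer

# Constructed sample input; the "mac" and "owner" column names are assumptions.
SAMPLE_CSV = """\
mac,owner
00:1B:63:84:45:E6,exec1
001b.6384.45e6,exec1-again
3C-07-54-AA-BB-CC,exec2
not-a-mac,typo
02:00:00:00:00:01,unknown
"""

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    mac = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(mac[:2], 16) & 0x02:
        # Locally administered bit set: not a burned-in address, so do not whitelist it.
        raise ValueError(f"locally administered MAC: {raw!r}")
    return mac

def build_import(csv_text):
    """Return (xml_text, rejected) where rejected lists the rows left out and why."""
    root = ET.Element("TipsContents", xmlns=NS)
    endpoints = ET.SubElement(root, "Endpoints")
    seen, rejected = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            mac = normalize_mac(row["mac"])
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if mac in seen:
            rejected.append(f"duplicate: {row['mac']!r}")
            continue
        seen.add(mac)
        ep = ET.SubElement(endpoints, "Endpoint", macAddress=mac, status="Known")
        ET.SubElement(ep, "EndpointTags", tagName=TAG_NAME, tagValue="true")
    return ET.tostring(root, encoding="unicode"), rejected

if __name__ == "__main__":
    xml_text, rejected = build_import(SAMPLE_CSV)
    print(xml_text)
    print("rejected:", rejected)
```

Review the rejected list before importing, since every address that does make it into the file will be treated as a corporate device by the enforcement policy.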



  • 3.  RE: Two Factor Authentication With Mac Address Check

    Posted Aug 27, 2014 09:02 AM

    Hi Capalli,

     

    Many thanks for your suggestion; that all makes really good sense. On the SSID this profile applies to, do I need to add MAC authentication before 802.1X? Also, this service authenticates against an AD server; will I need to put the endpoint profile before it in the list of authorisation sources?

     

    Regards,

    Owen



  • 4.  RE: Two Factor Authentication With Mac Address Check

    EMPLOYEE
    Posted Aug 27, 2014 09:07 AM

    No need for MAC-auth on the controller. We're doing 802.1X with authorization based on a MAC address, so it's all on the policy server side.


    Good catch with the authorization source. You will need to check the Authorization box on the main service page and then add the Endpoints Repository as a source on the Authorization tab.



  • 5.  RE: Two Factor Authentication With Mac Address Check

    Posted Aug 28, 2014 08:06 AM

    Hi Capalli,

     

    I have now tested that solution and it works perfectly. Many thanks for your help :)

     

    Regards,

     

    Owen