08-27-2014 04:43 AM
We are rolling out a new Wi-Fi network with 802.1X and PEAP. We are using CPPM and I have a profile built for the internal users so they will only get into their correct VLAN if they are Machine and User authenticated. However, some of the execs have MacBooks and aren't on the domain. I was wondering how I would build a profile to check against the endpoint repository for the wireless MAC address and, if authorised there, put them into the same VLAN as the Machine and User auth.
Policy one - Machine Auth
User Auth = VLAN 101
Policy two - MAC auth
User auth = VLAN 101
I am just unsure of how to build policy two in CPPM.
08-27-2014 05:03 AM - edited 08-27-2014 05:06 AM
Create a new custom attribute under Administration > Dictionaries > Attributes.
Name: something like Corp-Owned, or Corp-Device
Is Mandatory: No
Allow Multiple: No
Now in your enforcement policy, do something like this:
You don't really need rule #3, but it can add extra "security".
Now all you have to do is add that attribute to the appropriate endpoints in the endpoint database. If you have all of the MAC addresses available in a list, you can create a CSV that can be converted to an XML file and imported. Saves a lot of time.
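The CSV-to-XML step from the answer above, as an added example that is not part of the original thread or of ClearPass itself. The script normalises MAC addresses from the mixed notations an asset list usually contains, rejects rows that are not MAC addresses, drops duplicates, and emits an endpoint import document that sets the custom attribute (assumed here to be named Corp-Owned with the value true). The element and attribute names (TipsContents, TipsHeader, Endpoints, Endpoint, EndpointTags, macAddress, status, tagName, tagValue) follow the layout of a ClearPass endpoint export as I remember it, so diff the output against a one-endpoint export from your own CPPM before importing in bulk; the sample CSV is constructed for the example.

```python
"""
Convert a CSV of corporate MAC addresses into a ClearPass endpoint import
file that sets a custom endpoint attribute (here "Corp-Owned").

Added example, not from the original thread. The XML layout is modelled on
what ClearPass produces when you export endpoints; the element and attribute
names are reproduced from memory (an assumption), so compare the output with
an export from your own CPPM before importing.
"""
import csv
import io
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Namespace used by ClearPass export files (assumed; check your own export).
TIPS_NS = "http://www.avendasys.com/tipsapiDefs/1.0"

# Constructed sample input: mixed MAC notations as they tend to arrive from
# an asset list, plus a bogus row that must be rejected rather than imported.
SAMPLE_CSV = """\
mac,description
00:11:22:AA:BB:CC,CEO MacBook Pro
0011-22aa-bbdd,CFO MacBook Air
0011.22aa.bbee,Board room MacBook
00:11:22:AA:BB:CC,duplicate of the CEO row
not-a-mac,typo row
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits (the form ClearPass stores),
    or None if the string does not contain exactly 12 hex digits."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return mac if _HEX12.match(mac) else None


def build_endpoint_xml(csv_text: str, attr_name: str = "Corp-Owned",
                       attr_value: str = "true") -> Tuple[str, List[str]]:
    """Build the import document from CSV text.

    Returns (xml_string, rejected_rows). Rejected rows are reported rather
    than silently dropped so a typo never turns into a missing endpoint."""
    root = ET.Element("TipsContents", xmlns=TIPS_NS)
    ET.SubElement(root, "TipsHeader", version="6.3")   # version string assumed
    endpoints = ET.SubElement(root, "Endpoints")
    rejected: List[str] = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            rejected.append(row["mac"])
            continue
        if mac in seen:            # duplicate MACs would collide on import
            continue
        seen.add(mac)
        ep = ET.SubElement(endpoints, "Endpoint", macAddress=mac,
                           status="Known",
                           description=row.get("description", ""))
        # The custom attribute created under Administration > Dictionaries >
        # Attributes is carried as an endpoint tag.
        ET.SubElement(ep, "EndpointTags", tagName=attr_name, tagValue=attr_value)
    return ET.tostring(root, encoding="unicode"), rejected


def count_tagged(xml_text: str, attr_name: str) -> int:
    """Sanity check: how many endpoints in the document carry the attribute."""
    root = ET.fromstring(xml_text)
    ns = {"t": TIPS_NS}
    return len(root.findall(f".//t:EndpointTags[@tagName='{attr_name}']", ns))


if __name__ == "__main__":
    doc, bad = build_endpoint_xml(SAMPLE_CSV)
    print(doc)
    print("rejected rows:", bad)
    print("endpoints tagged:", count_tagged(doc, "Corp-Owned"))
```

Run it against your real list and check the rejected rows before importing; an endpoint that failed to import is exactly the exec MacBook that will end up in the wrong VLAN. Rather than `status="Known"` you may prefer to leave status alone and key the enforcement rule only on the custom attribute, since the attribute is the thing that says "corporate owned" and Known/Unknown is easy to flip by accident in the GUI.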
08-27-2014 06:02 AM
Many thanks for your suggestion; that all makes really good sense. On the SSID this profile applies to, do I need to add MAC authentication before 802.1X? Also, this service authenticates against an AD server; will I need to put the endpoint profile before it in the list of authorisation sources?
08-27-2014 06:07 AM
No need for MAC auth on the controller. We're doing 802.1X with authorization based on a MAC address, so it's all on the policy server side.
Good catch with the authorization source. You will need to check the Authorization box on the main service page and then add the Endpoints Repository as a source on the Authorization tab.