Occasional Contributor I
Posts: 9
Registered: ‎08-05-2014

Two Factor Authentication With Mac Address Check

Hi All,

 

We are rolling out a new Wi-Fi network with 802.1x and PEAP. We are using CPPM and I have a profile built for the internal users so they will only get into their correct VLAN if they are Machine and User authenticated. However, some of the execs have MacBooks and aren't on the domain. I was wondering how I would build a profile to check against the endpoint repository for the wireless MAC address and, if authorised there, put them into the same VLAN as the Machine and User auth.


To clarify

Policy one - Machine Auth
             User Auth = VLAN 101

Policy two - MAC auth
             User auth = VLAN 101

 

I am just unsure of how to build policy two in CPPM


Regards,

Owen

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Two Factor Authentication With Mac Address Check

Create a new custom attribute under Administration > Dictionaries > Attributes.


Entity: Endpoint

Name: something like Corp-Owned, or Corp-Device

Type: Boolean

Is Mandatory: No

Allow Multiple: No

 

 

Now in your enforcement policy, do something like this:

 

[Image: corp-device.JPG]

 

You don't really need rule #3, but it can add extra "security".

 

 

Now all you have to do is add that attribute to the appropriate endpoints in the endpoint database. If you have all of the MAC addresses available in a list, you can create a CSV that can be converted to an XML file and imported. Saves a lot of time.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
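
An added example, not part of the original post and not Aruba tooling: cleaning a raw MAC list before building the CSV mentioned above, so that malformed, duplicate and locally administered (randomized) addresses are caught before any endpoint is tagged. The attribute name, the sample addresses and the two-column CSV layout are assumptions, and the XML import format is not covered here.

```python
import re

# Constructed sample input: MAC addresses in the mixed formats inventory exports tend to use.
SAMPLE_LIST = """\
a4:5e:60:c1:22:0f
A4-5E-60-C1-22-0F
a45e.60c1.2210
3a:11:22:33:44:55
a4:5e:60:c1:22
not-a-mac
"""

ATTRIBUTE = "Corp-Owned"  # assumed: one of the attribute names suggested in the post

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set, as on randomized Wi-Fi MACs."""
    return bool(int(mac[:2], 16) & 0x02)

def build_rows(lines):
    """Split a raw list into (accepted MACs, [(raw value, rejection reason)])."""
    accepted, rejected, seen = [], [], set()
    for line in lines:
        raw = line.strip()
        if not raw:
            continue
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append((raw, "invalid"))
        elif mac in seen:
            rejected.append((raw, "duplicate"))
        elif is_locally_administered(mac):
            rejected.append((raw, "locally administered"))
        else:
            seen.add(mac)
            accepted.append(mac)
    return accepted, rejected

def to_csv(macs):
    """CSV text; the two-column layout is an assumption, not a ClearPass format."""
    rows = [f"mac_address,{ATTRIBUTE}"] + [f"{m},true" for m in macs]
    return "\n".join(rows) + "\n"

if __name__ == "__main__":
    print(build_rows(SAMPLE_LIST.splitlines()))
```

A locally administered address is rejected because it is not the adapter's burned-in address, so tagging it would mark an entry the device may stop presenting.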
Occasional Contributor I
Posts: 9
Registered: ‎08-05-2014

Re: Two Factor Authentication With Mac Address Check

Hi Cappalli,

 

Many thanks for your suggestion, that all makes really good sense. On the SSID this profile applies to, do I need to add MAC authentication before 802.1x? Also, this service authenticates against an AD server; will I need to put the endpoint profile before it in the list of authorisation sources?

 

Regards,

Owen

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Two Factor Authentication With Mac Address Check

No need for MAC-auth on the controller. We're doing 802.1X with authorization based on a MAC address, so it's all on the policy server side.


Good catch with the authorization source. You will need to check the Authorization box on the main service page and then add the Endpoints Repository as a source on the Authorization tab.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 9
Registered: ‎08-05-2014

Re: Two Factor Authentication With Mac Address Check

Hi Cappalli,

 

I have now tested that solution and it works perfectly. Many thanks for your help :)

 

Regards,

 

Owen
