New Contributor
Posts: 2
Registered: ‎05-13-2013

Can VIA/ClearPass Restrict the clients users install VIA on?

We are looking for a solution to restrict users to installing and connecting from approved client devices. Is there an option within VIA or a combination of VIA and ClearPass that could fill that need?

We don't want users to install/use the VIA client on their personal devices.

 

Thanks,

Allan

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: Can VIA/ClearPass Restrict the clients users install VIA on?

Restricting the installation is difficult to do as anyone can download it from either Apple's or Google's respective app store, and obtaining the install for Windows or Mac is not too difficult either. To prevent the download of a valid profile or authentication from unknown devices, you can consider the following:

- You can use ClearPass enforcement policies/profiles to return different Aruba roles to the controller or to deny access; however, there needs to be something to differentiate the logon request from an "approved" system. What types of devices are you allowing: domain PCs? Company-issued tablets? Phones? The key is finding something in the RADIUS request that you can use to validate this is an approved client device. It can be as simple as a MAC address if you have a method of getting the list.

- You can consider using IKEv1 authentication for VIA. In doing so, you can use certificates for the first phase of authentication, then username and password as the second. You can then control what devices you allow to enroll for certificates, thus only allowing those to successfully get to the second phase of authentication.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

New Contributor
Posts: 2
Registered: ‎05-13-2013

Re: Can VIA/ClearPass Restrict the clients users install VIA on?

We would want to limit to domain computers, but also allow some people to be able to use iPhone/iPad/Android devices (company purchased or personal depending on the user).

We tried to look at the MAC address, but in our POC test, VIA users all came back with 00:00:00:00:00:00.

I'll look into the IKEv1 auth. How messy is the onboarding process then?

 

Thanks,

Allan
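Added example, not part of the thread and not ClearPass or Aruba code: a sketch of the device check discussed above, showing why the all-zero MAC seen in the POC has to be treated as "no identifier" and why the certificate phase is then the only usable device signal. It assumes the MAC arrives in the RADIUS Calling-Station-Id attribute; the dictionary keys, allowlist and sample values are hypothetical and constructed.

```python
import re

APPROVED_MACS = {"00:1a:2b:3c:4d:5e"}           # constructed sample allowlist
PLACEHOLDER_MACS = {"00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"}

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or None if raw is not a 48-bit MAC."""
    compact = re.sub(r"[-:.\s]", "", raw or "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", compact):
        return None
    return ":".join(compact[i:i + 2] for i in range(0, 12, 2))

def classify_mac(raw):
    """Say how far the reported MAC can be trusted as a device identifier."""
    mac = normalize_mac(raw)
    if mac is None:
        return "missing"
    if mac in PLACEHOLDER_MACS:
        return "placeholder"                     # what the VIA clients reported in the POC
    if int(mac[:2], 16) & 0x02:
        return "locally-administered"            # randomized or software-set, not stable
    return "approved" if mac in APPROVED_MACS else "unknown"

def decide(request):
    """request keys (hypothetical): 'calling_station_id', 'cert_verified'."""
    mac_state = classify_mac(request.get("calling_station_id"))
    if request.get("cert_verified"):
        # Phase one succeeded with a certificate issued only to enrolled devices.
        return ("allow", "device certificate")
    if mac_state == "approved":
        return ("allow", "mac allowlist")
    return ("deny", "no usable device identifier (%s)" % mac_state)

if __name__ == "__main__":
    samples = [                                   # constructed requests
        {"calling_station_id": "00-1A-2B-3C-4D-5E", "cert_verified": False},
        {"calling_station_id": "00:00:00:00:00:00", "cert_verified": False},
        {"calling_station_id": "00:00:00:00:00:00", "cert_verified": True},
        {"calling_station_id": "da:a1:19:00:00:01", "cert_verified": False},
    ]
    for req in samples:
        print(req["calling_station_id"], decide(req))
```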

 

 
