05-13-2013 12:35 PM
We are looking for a solution to restrict users to installing and connecting from approved client devices. Is there an option within VIA or a combination of VIA and ClearPass that could fill that need?
We don't want users to install/use the VIA client on their personal devices.
05-14-2013 06:47 PM
Restricting the installation is difficult to do as anyone can download it from either Apple's or Google's respective app store; and obtaining the install for Windows or Mac is not too difficult either. To prevent the download of a valid profile or authentication from unknown devices, you can consider the following:
- You can use ClearPass enforcement policies/profiles to return different Aruba roles to the controller or to deny access; however, there needs to be something to differentiate the logon request from an "approved" system. What types of devices are you allowing: domain PCs? Company-issued tablets? Phones? The key is finding something in the RADIUS request that you can use to validate this is an approved client device. It can be as simple as a MAC address if you have a method of getting the list.
- You can consider using IKEv1 authentication for VIA. In doing so, you can use certificates for the first phase of authentication, then username and password as the second. You can then control what devices you allow to enroll for certificates, thus only allowing those to successfully get to the second phase of authentication.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
05-15-2013 11:45 AM
We would want to limit to domain computers, but also allow some people to be able to use iPhone/iPad/Android devices (company purchased or personal depending on the user).
We tried to look at the MAC address, but in our POC test, VIA users all came back with 00:00:00:00:00:00.
I'll look into the IKEv1 auth. How messy is the onboarding process then?