Wireless Access

Reply
Contributor II
Posts: 58
Registered: ‎02-23-2015

When a device connects the first time and gets fingerprinted and mac-cached, will it be ...

When a device connects the first time and it gets fingerprinted and mac-cached on clearpass, will it be fingerprinted again the next time it connects?

 

We want our game console clients to bypass captive portal and self registration but we are concerned on mac-spoofing. We are afraid that if a client connects is game console, turns it off, then spoof the mac using a laptop --- and since it is mac-cached initially, will clearpass be fooled?

 

Will clearpass fingerprint ever time a device connects or it will not fingerprint a device that is already mac-cached.

 

Thanky ou.

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: When a device connects the first time and gets fingerprinted and mac-cached, will it be ...

If the device sends a DHCP discover, yes. If the category profile changes,
the conflict attribute will be triggered. You can write policy that denies
devices with the conflict attribute.



Are you using the device registration portal (guest device repository)?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 58
Registered: ‎02-23-2015

Re: When a device connects the first time and gets fingerprinted and mac-cached, will it be ...

We haven't implemented anything yet except for Guest users going through a captive portal to connect their phones, tablet, laptop etc. This is using [Guest User Repository] if I am not mistaken.

 

We are trying to accomodate video game consoles since most of these have no web browser to go through the captive porta. We are thinking that these game console will skip the captive portal instead and connect automatically (using the same SSID).

 

So we expect that clearpass will fingerprint it and let it connect but it is just that we are concerned about mac-spoofing. We want to make sure these are real video game consoles.

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: When a device connects the first time and gets fingerprinted and mac-cached, will it be ...

Do you want users to register their gaming and media devices so you have a
record of them or just let them on?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 58
Registered: ‎02-23-2015

Re: When a device connects the first time and gets fingerprinted and mac-cached, will it be ...

Yes, we initially want that clients to register their own gaming console but it seems to be more complicated than we expected (unless there's an easy way). If possible, we want to be able to identify a device and points it to a registered client . However, the leadership want clients to be self serving as much as possible and not to involve another staff or receptionist just to register clients gaming consoles.

 

Anyway right now, we are looking for the best cleapass+gaming console setup that suits our needs. We are open to suggestions.

 

Thank you.

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: When a device connects the first time and gets fingerprinted and mac-cached, will it be ...

I’d recommend using the device registration portal to allow users to register their own device. It’s designed for headless devices like game consoles, printers, media players, etc.

 

The forms can be completely customized to hide or add whichever fields you want. By default, it will automatically register the device to the user who logs into the portal.

 

student-dev-reg-sample.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 58
Registered: ‎02-23-2015

Re: When a device connects the first time and gets fingerprinted and mac-cached, will it be ...

Isn't it that this method is to turn each and every student an operator themselves with just the 'registerd a device' option?

 

I think in order to do this, we have to connect LDAP to clearpass since clearpass itself cannot use our RADIUS server.

 

If not please direct me to where I can read more about this.

Contributor II
Posts: 58
Registered: ‎02-23-2015

Re: When a device connects the first time and gets fingerprinted and mac-cached, will it be ...

Hi Tim,

 

After getting a device registered here, how often will still get fingerprinted? 

uqa63A2[1].png

Search Airheads
Showing results for 
Search instead for 
Did you mean: