Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

CPPM device registration details, receipt for BYOD users

  • 1.  CPPM device registration details, receipt for BYOD users

    Posted Jan 14, 2021 06:46 PM

    Hey everyone,
    We have a working deployment of Clearpass (v6.9.4) with students able to register devices using the BYOD permission.

    Students log in to CP guest and are presented with the page to add a device. They enter the mac and all, and they are given a receipt that also includes the MPSK password for that device. 

    We are using this information with wired profiles on the controller to allow the device to work on the wires ports of the ap-505h in each room  
    The same form/data is used to connect the device to the IOT ssid.

    All good so far.


    Two issues we find are:
    1. Students can not edit/delete/remove devices that they have registered.  If they go to manage multiple devices, they can edit the activation, expiration time or change the type, but they can not delete the device or see the MPSK password that was assigned to their device.


    At a minimum, they should be able to remove devices they registered as well as review the password that was assigned- or perhaps generate a new password for the device. 

    currently they have to contact support and have one of the guys delete the device for them to re-register  

    2. The password for the device should probably  be emailed to the student as part of the receipt. 


    Can someone point me in the right direction for getting the permissions set for students to delete/view their device and either see the password/regenerate a new password or email the password to them when it's created?  Are there things I should be aware of regarding passwords for IOT devices? 

    We much prefer this to an open ssid with MAC auth, and so far the students have been able to get connected with their devices. 


    One bonus question- the expiration for the devices is 1 year by default. They can set the expiration date to a specific time, leave it blank, and it never expires. Students on the BYOD profile should not be able to do that. Can we condition the form to - if expiration is set to (blank) and the user is BYOD, then set the expiration to 1 week?

    thanks!



    ------------------------------
    Phillip Horn
    ------------------------------


  • 2.  RE: CPPM device registration details, receipt for BYOD users

    Posted Jan 15, 2021 12:48 PM
    The default MPSK configuration, using the wizard under Aruba Integrations in Guest, will email the MPSK to the user, assuming the email address is provided during the portal login. Did you use the wizard?

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: CPPM device registration details, receipt for BYOD users

    Posted Jan 15, 2021 05:28 PM
    I think I used the wizard. I used the guide posted here in the forum and I'm pretty sure it said to do the wizard. 
    The email addresses are there for the students, but I'm not seeing any emails go through. I'll verify that the system is sending mail again, as that has broken before. 

    Thanks,
    Phillip
    Network and System Engineer 

    Sent from my phone.