Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

PXE Booting and Clearpass

  • 1.  PXE Booting and Clearpass

    Posted Jan 26, 2022 05:59 PM
    Hello all,

    I am new to the wired auth side of things (been using Clearpass for wireless auth for a while now) and I am running into a small issue. Here's some insight into our environment and what I am trying to accomplish.

    We have two VLANs: 

    -Untrusted VLAN (any device that is not managed by us or is not receiving a cert to auth. SCCM servers are available for PXE imaging, but otherwise no internal access)
    -Trusted VLAN (staff/admin devices, using a cert to auth)

    Currently, we get a new device in and we connect it to the network, and the device is placed on the untrusted VLAN using MAB as it is out of the box with no config or cert to auth or anything. We PXE boot and kick off the imaging process, which fails at the task in which it tries to join it to the domain (which is expected as we don't have DCs available on that VLAN yet). I really don't want to expose our DCs on this VLAN with the SCCM server, but I see no other option... We have several buildings, so using a single spot for imaging is not ideal, and neither is importing the MAC addresses of all our devices. Is there a way for Clearpass to identify a device that is PXE booting so that I can assign a "PXE Machine" role to allow it onto the Trusted network in order to finish the imaging process and connect to AD?

    Or if there is another way that someone is using today, I am all ears.

    Thanks!



  • 2.  RE: PXE Booting and Clearpass

    Posted Jan 27, 2022 02:13 AM
    Hi,

    If not already done, you can forward DHCP requests to your CPPM to do device profiling.
    Once ClearPass receives the DHCP requests, it will identify the PXE devices as "Network Boot Agent" and you can use this to apply roles to them.

    Best Regards
    Martin

    ------------------------------
    Martin Reher
    ------------------------------



  • 3.  RE: PXE Booting and Clearpass

    Posted Jan 27, 2022 02:25 AM

    Hi Martin, thank you for that idea. 

    If I do that, does that mean all clients will now reach out to Clearpass for DHCP?




  • 4.  RE: PXE Booting and Clearpass

    Posted Jan 27, 2022 02:31 AM
    ClearPass is only listening to DHCP but not replying. You just need to set up DHCP relays in your infrastructure.

    ------------------------------
    Martin Reher
    ------------------------------



  • 5.  RE: PXE Booting and Clearpass

    MVP EXPERT
    Posted Jan 28, 2022 05:04 AM
    Hi,

    No, ClearPass only acts as a DHCP “sink”; it looks at their DHCP options to determine what type of device it is. It does not have the functionality to act as a DHCP server and hand out IP addresses. That task is still performed by your usual DHCP server.

    A
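
The passive DHCP profiling described in replies 2, 4 and 5, as an added example that is not part of the thread and is not ClearPass code: a listener that parses a relayed client message, never answers it, and flags PXE firmware. Assumptions: the signal used is the DHCP option 60 vendor class starting with `PXEClient`, which PXE firmware sends (the thread does not say how the ClearPass profiler arrives at "Network Boot Agent"), and the MAC addresses, relay address and packets are constructed sample data.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: marks the start of the options field

def parse_options(pkt):
    """Return {option_code: value_bytes} from a raw BOOTP/DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:         # 255 = End
        if pkt[i] == 0:                           # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        code, length = pkt[i], pkt[i + 1]
        # RFC 3396: an option that appears more than once is concatenated
        opts[code] = opts.get(code, b"") + pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classify(pkt):
    """Summarise what a passive listener learns from one relayed client message."""
    opts = parse_options(pkt)
    vendor = opts.get(60, b"").decode("ascii", "replace")
    return {
        "mac": pkt[28:28 + min(pkt[2], 16)].hex(":"),  # chaddr, hlen bytes long
        "relay": socket.inet_ntoa(pkt[24:28]),         # giaddr, set by the DHCP relay
        "msg_type": (opts.get(53) or b"\0")[0],        # 1 = DISCOVER, 3 = REQUEST
        "param_list": list(opts.get(55, b"")),         # option 55 request list
        "vendor_class": vendor,
        # Option 60 is client-supplied: let it select a narrowly scoped role only.
        "pxe": vendor.startswith("PXEClient"),
    }

def sample_discover(mac, vendor_class=None, relay="10.20.0.1"):
    """Constructed DHCPDISCOVER for the demo (all values are made up)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x1234ABCD, 0, 0,
                      b"", b"", b"", socket.inet_aton(relay), mac, b"", b"")
    opts = bytes([53, 1, 1, 55, 4, 1, 3, 6, 66])
    if vendor_class:
        opts += bytes([60, len(vendor_class)]) + vendor_class
    return hdr + MAGIC_COOKIE + opts + b"\xff"

if __name__ == "__main__":
    for vc in (b"PXEClient:Arch:00007:UNDI:003016", b"MSFT 5.0"):
        print(classify(sample_discover(bytes.fromhex("020000aabb01"), vc)))
```

The listener only reads copies of client messages that the relay forwards to it; address assignment stays with the existing DHCP server, as the replies state.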