Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Designated Devices Get an Exclusive Role - Clearpass, Controllers, Certs....

  • 1.  Designated Devices Get an Exclusive Role - Clearpass, Controllers, Certs....

    Posted Jul 29, 2015 11:31 AM

    Hello, thank you in advance...I'm in over my head here.  We have two Aruba 7210 controllers (master/local) plus one Clearpass VM with only the following clearpass licenses:

     

    clearpasslicenses.PNG

    We have a wifi SSID set up with WPA2-AES and 802.1x and users sign on to the wifi SSID using their Active Directory username and password.  It works ok.  We also have windows active directory computers signing on to the wifi and authenticating as a computer and that seems to work ok.  The problem is how do we do this same type of machine authentication for android, iphone, apple and other devices?  I know we could do mac-address authentication but I'm trying to avoid that.  Basically what we are trying to accomplish is this:

    • If userA signs on to the wifi while on a managed, company-owned device then they get this "corp" role.
    • If userA signs on to the wifi while on their personal device they get a "guest" role.

    I'm not sure how to enforce machine authentication on non-windows devices.  I also noticed my android phone doesn't even attempt machine authentication, only user.  So it further muddies the water.  I looked into EAP-TLS and putting certs on the devices but there's a deluge of info out there and not so many  real-world tutorials of how to set this up using Active Directory, Clearpass and Aruba controllers.  Any help would be appreciated, thanks.

     


    #7210


  • 2.  RE: Designated Devices Get an Exclusive Role - Clearpass, Controllers, Certs....

    Posted Jul 29, 2015 11:33 AM
    Are you working with an Aruba ClearPass partner? This is a pretty involved configuration.

    Only Windows machines joined to a domain can machine auth (although there are some workarounds for Mac OS).



    Thanks,
    Tim


  • 3.  RE: Designated Devices Get an Exclusive Role - Clearpass, Controllers, Certs....

    Posted Jul 29, 2015 11:36 AM

    We bought all our Aruba gear (a ton!) from CDW....I'm thinking we may need to hire them or something....thanks.



  • 4.  RE: Designated Devices Get an Exclusive Role - Clearpass, Controllers, Certs....

    Posted Jul 29, 2015 12:59 PM
    If you are not familiar with ClearPass, it would be best to work with a partner. There are a lot of design discussions that need to happen prior to setting all of this up.