Security

Hey everyone,
We have a working deployment of Clearpass (v6.9.4) with students able to register devices using the BYOD permission.

Students log in to CP guest and are presented with the page to add a device. They enter the mac and all, and they are given a receipt that also includes the MPSK password for that device. 

We are using this information with wired profiles on the controller to allow the device to work on the wires ports of the ap-505h in each room  
The same form/data is used to connect the device to the IOT ssid.

All good so far.


Two issues we find are:
1. Students can not edit/delete/remove devices that they have registered.  If they go to manage multiple devices, they can edit the activation, expiration time or change the type, but they can not delete the device or see the MPSK password that was assigned to their device.

At a minimum, they should be able to remove devices they registered as well as review the password that was assigned- or perhaps generate a new password for the device. 

currently they have to contact support and have one of the guys delete the device for them to re-register  

2. The password for the device should probably  be emailed to the student as part of the receipt. 

Can someone point me in the right direction for getting the permissions set for students to delete/view their device and either see the password/regenerate a new password or email the password to them when it's created?  Are there things I should be aware of regarding passwords for IOT devices? 

We much prefer this to an open ssid with MAC auth, and so far the students have been able to get connected with their devices. 

One bonus question- the expiration for the devices is 1 year by default. They can set the expiration date to a specific time, leave it blank, and it never expires. Students on the BYOD profile should not be able to do that. Can we condition the form to - if expiration is set to (blank) and the user is BYOD, then set the expiration to 1 week?

thanks!

Hey everyone,
We have a working deployment of Clearpass (v6.9.4) with students able to register devices using the BYOD permission.

Students log in to CP guest and are presented with the page to add a device. They enter the mac and all, and they are given a receipt that also includes the MPSK password for that device. 

We are using this information with wired profiles on the controller to allow the device to work on the wires ports of the ap-505h in each room  
The same form/data is used to connect the device to the IOT ssid.

All good so far.


Two issues we find are:
1. Students can not edit/delete/remove devices that they have registered.  If they go to manage multiple devices, they can edit the activation, expiration time or change the type, but they can not delete the device or see the MPSK password that was assigned to their device.

At a minimum, they should be able to remove devices they registered as well as review the password that was assigned- or perhaps generate a new password for the device. 

currently they have to contact support and have one of the guys delete the device for them to re-register  

2. The password for the device should probably  be emailed to the student as part of the receipt. 

Can someone point me in the right direction for getting the permissions set for students to delete/view their device and either see the password/regenerate a new password or email the password to them when it's created?  Are there things I should be aware of regarding passwords for IOT devices? 

We much prefer this to an open ssid with MAC auth, and so far the students have been able to get connected with their devices. 

One bonus question- the expiration for the devices is 1 year by default. They can set the expiration date to a specific time, leave it blank, and it never expires. Students on the BYOD profile should not be able to do that. Can we condition the form to - if expiration is set to (blank) and the user is BYOD, then set the expiration to 1 week?

thanks!