Security


aruba quick connect static mac configuration

  • 1.  aruba quick connect static mac configuration

    Posted Jul 15, 2024 10:45 AM

    Hi,

    I configured a new Onboarding service. Everything is working fine, except for a detail about the MAC addresses of the devices.

    I need to pass a different VLAN to some Android devices; they are in the same category and the user is also the same, so I'm trying to use an SHL to discriminate the device and the VLAN.

    It is working, but the devices are configured to use dynamic MAC addresses.

    I tried to configure a static one, but it seems that it is not possible on the SSID managed by Quick Connect.

    Does anyone know how to set a static MAC address with Quick Connect?

    Thanks



    ------------------------------
    carabina5
    ------------------------------


  • 2.  RE: aruba quick connect static mac configuration

    Posted Jul 15, 2024 11:19 AM

    What is SHL?  What is the use-case for OnBoard?  Is there an MDM?  Can you integrate ClearPass with that instead?




  • 3.  RE: aruba quick connect static mac configuration

    Posted Jul 15, 2024 11:24 AM

    Hi, 

    Static host list (list of mac addresses in Clearpass).

    The customer doesn't have an MDM, there are about 20 tablets...
    Thanks



    ------------------------------
    carabina5
    ------------------------------



  • 4.  RE: aruba quick connect static mac configuration

    Posted Jul 15, 2024 11:55 AM

    Static host lists are a legacy feature and should no longer be used.  If there is no MDM how is the customer ensuring these tablets are up to date, not rooted, secure, etc?  What is the use-case for allowing these unmanaged tablets onto the protected corporate network.  




  • 5.  RE: aruba quick connect static mac configuration

    Posted Jul 15, 2024 12:03 PM

    You are misunderstanding,

    the feature used is Onboarding, auth with certificate.
    The use of the SHL is only to differentiate two categories of tablet (unfortunately same model and same user, different behaviour).
    The tablets join a blocked VLAN, with only one service enabled.
    The point isn't the security, I don't want to discuss it with the customer; he doesn't have an MDM and doesn't want to buy one.
    He just wants to use Onboarding to process the tablet auth, and this is done.

    The problem is to assign 2 different VLANs. I'm using the SHL to enforce the VLAN, not for auth. I know I can use other features, but this is the rapid way for me to configure it.

    So, the problem is to set a static MAC in the SSID managed by "quick access". I can change settings in all other SSIDs, but not this one.

    Thanks



    ------------------------------
    carabina5
    ------------------------------



  • 6.  RE: aruba quick connect static mac configuration

    Posted Jul 16, 2024 04:17 AM

    I'm not aware of a method to disable randomized MAC addresses with QuickConnect, and I'm not a big fan of authorizing based on the client MAC address.

    One option that I once setup is that you can store the certificate serial number in the endpoint database, then query the endpoint database based on the certificate serial number and in my case fetch the role and vlan from the endpoint.

    And this is how I query the endpoint database (using appexternal) by certificate serial number:

    And this is the enforcement to store the certificate (do something like if Authorization:EndpointDB-vlan-role-by-certificate:role DOES NOT EXIST => Store-certificate-DN):

    Hope this provides some idea to solve this...

    Another option may be to have two different Onboarding CAs, and two onboarding flows, where you then can check on the certificate issuer to return different role/vlan to the two different groups of devices.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
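To make the lookup described in the post above concrete, here is an added example of the kind of filter query a ClearPass "Generic SQL DB" authorization source can run against the local tipsdb with the appexternal user, keyed on the client certificate serial number instead of the client MAC. This is my own illustration, not the screenshot or configuration from the original post: the table name tips_endpoints, the hstore column attributes, the custom endpoint attribute names cert-serial, vlan and role, and the %{Certificate:Serial-Number} macro are assumptions from general ClearPass usage and should be checked against your own ClearPass version before use.

```sql
-- Constructed example of an authorization-source filter query for ClearPass.
-- Assumed: local tipsdb, table tips_endpoints, hstore column "attributes",
-- endpoint attributes cert-serial / vlan / role written earlier by an
-- endpoint-update enforcement profile. The %{...} macro is expanded by
-- ClearPass before the query is sent to PostgreSQL.
SELECT
    attributes -> 'role' AS role,   -- mapped to Authorization:<source>:role
    attributes -> 'vlan' AS vlan    -- mapped to Authorization:<source>:vlan
FROM tips_endpoints
WHERE attributes -> 'cert-serial' = '%{Certificate:Serial-Number}'
LIMIT 1;   -- the filter must return a single row for the attribute mapping
```

In the authorization source, the two result columns are mapped to attributes (for example role and vlan) on the Attributes tab; the enforcement policy can then use a condition such as Authorization:EndpointDB-vlan-role-by-certificate:role DOES NOT EXIST to trigger the profile that stores the certificate details on first authentication, and otherwise return the VLAN and role found for that certificate. Because the match is on the certificate rather than the MAC, a randomized MAC on the tablet does not affect the result.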



  • 7.  RE: aruba quick connect static mac configuration

    Posted Jul 18, 2024 01:34 AM

    Hi Herman, the auth method is 802.1X, not mac.

    But you have got what I need... I will try this way.

    Thank you.



    ------------------------------
    carabina5
    ------------------------------



  • 8.  RE: aruba quick connect static mac configuration

    Posted Jul 18, 2024 05:08 AM

    Got it that you use 802.1X and not MAC; point is that linking authorization to a client MAC address does not work reliably anymore, not for 802.1X where you use SHL or Endpoint Database for authorization either. The suggested method allows the use of the Endpoint Database to store attributes, but use certificate information instead of the client MAC address.



    ------------------------------
    Herman Robers
    ------------------------------