Security

  • 1.  Clearpass Authentication

    Posted Oct 30, 2024 08:34 AM

    Is it possible to have users authenticate through ClearPass, which would then put a cert or token on their device for authentication? I'm looking to stop using MAC caching.

    With all the changes from Apple, including rotating MAC addresses, and Microsoft saying they are going to do the same soon, I need to find a solution. I have been told that leaving the SSID open is NOT an option.



  • 2.  RE: Clearpass Authentication

    Posted Oct 30, 2024 09:54 AM

    Is this to support a guest network?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Clearpass Authentication

    Posted Oct 31, 2024 07:20 AM

    Yeah, you can do this with OnBoard, but DON'T. BYOD from any NAC solution is very difficult to implement with mobile device vendors (correctly) continuing to lock down their operating systems for things like third-party certificate trust.

    The solution is to enroll these devices into an MDM solution.  Use said MDM to push certificates to the devices and configure the supplicant.  Use ClearPass to authenticate them with EAP-TLS and integrate said MDM into ClearPass. 




  • 4.  RE: Clearpass Authentication

    Posted Nov 01, 2024 02:56 AM

    It is highly recommended that users/devices which can do 802.1X perform EAP-TLS or any other more advanced authentication process.

    MAC Authentication is not considered a wise authentication process because MAC addresses can be spoofed and there is no encryption or additional security layer; it is vulnerable to man-in-the-middle attacks, and more.

    So for corporate devices, there are different types of authentication, apart from MAC-Auth.

    If you have the case for a Guest Network, you can use Captive Portal with OAuth and/or SMS Registry (OTP), because if somebody connects to your network, I suppose you would need to have some information to track back the device identity (or the person) if something goes "wrong" from your network towards a targeted security attack somewhere.



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
    ------------------------------
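
An added example, not part of any post above, that quantifies the problem the thread is about: how much of a MAC-auth endpoint list is made up of randomized (locally administered) addresses, which no amount of MAC caching can keep stable. The sample endpoint export below is constructed for the example; the audit relies only on the IEEE U/L bit (0x02 in the first octet), which Apple, Android and Windows private/randomized addresses all set, so the second hex digit of such an address is always 2, 6, A or E.

```python
"""Audit a MAC-auth endpoint list for randomized (locally administered) MACs.

Standalone example; the endpoint lines are constructed, not real client data.
"""
import re
from collections import Counter

# Constructed sample in the three textual MAC formats that show up in
# exports: colon, hyphen and Cisco dotted notation. Second column is a label.
SAMPLE_ENDPOINTS = """\
00:1a:2b:3c:4d:5e  corp-laptop-01
3c:22:fb:10:20:30  iphone-alice
da:a1:19:12:34:56  unknown
9A-7B-0C-DD-EE-FF  unknown
06ab.cdef.0123     unknown
01:00:5e:00:00:fb  unknown
"""

_SEPARATORS = re.compile(r"[:.\-\s]")


def normalize_mac(raw: str) -> bytes:
    """Return the six address bytes for any common textual MAC format.

    Accepts colon, hyphen and Cisco dotted notation; raises ValueError on junk
    so a malformed export line is not silently counted as a device.
    """
    hexdigits = _SEPARATORS.sub("", raw.strip()).lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return bytes.fromhex(hexdigits)


def is_multicast(mac: bytes) -> bool:
    """Bit 0 of the first octet is the I/G bit; a station never authenticates
    from a group address, so seeing one means the export contains bad data."""
    return bool(mac[0] & 0x01)


def is_locally_administered(mac: bytes) -> bool:
    """Bit 1 of the first octet is the U/L bit. Vendor-assigned (OUI) addresses
    have it clear; randomized/private addresses on iOS, Android and Windows
    have it set, so they always land in this bucket."""
    return bool(mac[0] & 0x02)


def classify(raw: str) -> str:
    mac = normalize_mac(raw)
    if is_multicast(mac):
        return "multicast/invalid"
    if is_locally_administered(mac):
        return "randomized"
    return "oui"


def audit(text: str) -> dict:
    """Classify every endpoint line and report how much of the unicast
    population is randomized, i.e. cannot be relied on to stay the same."""
    counts: Counter = Counter()
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if not fields:
            continue
        raw, label = fields[0], (fields[1].strip() if len(fields) > 1 else "")
        kind = classify(raw)
        counts[kind] += 1
        rows.append((raw, label, kind))
    unicast = counts["oui"] + counts["randomized"]
    share = counts["randomized"] / unicast if unicast else 0.0
    return {"counts": dict(counts), "rows": rows, "share_randomized": share}


if __name__ == "__main__":
    result = audit(SAMPLE_ENDPOINTS)
    for raw, label, kind in result["rows"]:
        print(f"{raw:20} {label:16} {kind}")
    print(f"randomized share of unicast endpoints: {result['share_randomized']:.0%}")
```

Run against a real Endpoint Repository export, a high randomized share is the direct measure of how much of your MAC-cached population will silently turn into "new" devices, which is the argument for moving those devices to EAP-TLS with certificates pushed by an MDM as the replies above recommend.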