Security

  • 1.  Clearpass MPSK device groups and dynamic vlan?

    Posted Sep 30, 2024 02:30 AM

    Hi

    I want to start using MPSK for some 3rd-party devices that can only use PSK as the auth method, and I also want to give these devices their own VLAN.

    I looked into MPSK and it seems to be the way to do this, but it seems that I have to register all the devices in ClearPass? Is there a way to do a MAC prefix instead of registering 600 devices?
    So if a device has MAC prefix 03:2d:12: and uses PSK *****, then ClearPass should auth the device and send the correct VLAN for that device group back to the AP.



  • 2.  RE: Clearpass MPSK device groups and dynamic vlan?

    Posted Sep 30, 2024 08:59 AM

    Absolutely. You can match based on the OUI and assign a random MPSK password to use for the devices. ClearPass will not allow you to manually generate them, but you can set the randomization rules in the guest module of ClearPass (see below)



    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 3.  RE: Clearpass MPSK device groups and dynamic vlan?

    Posted Sep 30, 2024 11:01 AM

    https://www.adamhollifield.com/2022/09/clearpass-mpsk-per-device-type-with.html




  • 4.  RE: Clearpass MPSK device groups and dynamic vlan?

    Posted Oct 02, 2024 08:23 AM

    This looks great. Currently not using an MC, but IAP; do I need to also send DHCP requests?




  • 5.  RE: Clearpass MPSK device groups and dynamic vlan?

    Posted Oct 02, 2024 11:38 AM
    Yes, you need some way to get that profiling data into ClearPass. It doesn't have to be DHCP, but that's typically the most valuable probe. You can of course also just use static MAC assignment in the guest repository, for example, but that's less scalable and less secure than using profiling.




  • 6.  RE: Clearpass MPSK device groups and dynamic vlan?

    Posted Oct 03, 2024 02:50 AM

    I did try to set ClearPass as the auth source without finishing the MPSK setup, just to see what info ClearPass would get from the devices. I can already see a lot of info about the device, like vendor OUI etc. Is that enough?




  • 7.  RE: Clearpass MPSK device groups and dynamic vlan?

    Posted Oct 03, 2024 03:38 AM

    As @ahollifield describes in his linked blog post, you can utilize the MAC vendor information, even without DHCP profiling. He utilizes the additional information from the profiling to make sure the device is also the expected type: not just any device from HP, but also checking it's a printer.

    In the described setup any device from a given vendor is accepted at first, gets profiled, and is forced to do a new authentication after a dynamic authorization. In the second authentication ClearPass has the profiling information and only the allowed device type from the given vendor is accepted.

    So if you have a vendor and only one device type from this vendor, you may not need to do the profiling. Could be Crestron for video conference systems or Humbly for booking panels etc.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 8.  RE: Clearpass MPSK device groups and dynamic vlan?

    Posted Oct 03, 2024 11:14 AM
    Vendor OUI can easily be spoofed by an attacker.
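    The two-phase flow described in replies 2 and 7 (match on OUI, hand out a per-device random MPSK, park the device until profiling confirms the device type, then re-authorize into the group VLAN) and the spoofing caveat in reply 8 can be modelled as a small policy engine. The block below is an added illustration written for this page; it is not ClearPass code, not code from the linked blog post, and does not call any ClearPass or Aruba API. The device groups, OUIs (reusing the 03:2d:12 prefix from the original question), VLAN ids, quarantine VLAN and DHCP Option 55 fingerprint table are all invented sample data, and the RADIUS reply is reduced to a plain dictionary so the order of checks is visible.

```python
"""Constructed model of the OUI + profiling MPSK authorization flow from this
thread.  Not ClearPass code: the policy decisions ClearPass makes in its policy
engine are written here as plain Python.  All OUIs, VLANs, group names and
DHCP fingerprints are invented sample data."""
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Hypothetical device groups keyed by MAC vendor prefix (OUI, lowercased).
# A device only lands in its group VLAN once profiling reports the expected
# category; until then it is parked in QUARANTINE_VLAN.
DEVICE_GROUPS = {
    "03:2d:12": {"name": "booking-panels", "category": "Booking Panel", "vlan": 110},
    "00:1b:a9": {"name": "printers", "category": "Printer", "vlan": 120},
}
QUARANTINE_VLAN = 999

# Invented stand-in for the profiler's DHCP signature database:
# DHCP Option 55 parameter request list -> device category.
DHCP_FINGERPRINTS = {
    "1,3,6,15,119": "Booking Panel",
    "1,3,6,12,15,28,42": "Printer",
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows Laptop",
}

MPSK_ALPHABET = string.ascii_letters + string.digits
MPSK_LENGTH = 16


@dataclass
class Endpoint:
    mac: str
    mpsk: str
    category: Optional[str] = None  # set once a DHCP fingerprint has been seen


# Endpoint repository, the equivalent of what ClearPass keeps in its endpoint DB.
ENDPOINTS: dict = {}


def oui(mac: str) -> str:
    """First three octets of the MAC, normalised to lowercase colon form."""
    return mac.lower().replace("-", ":")[:8]


def random_mpsk() -> str:
    """Per-device random passphrase, like the randomisation rules in the guest module."""
    return "".join(secrets.choice(MPSK_ALPHABET) for _ in range(MPSK_LENGTH))


def authorize(mac: str) -> dict:
    """Policy decision for one authentication attempt (reply 7's two phases).

    Phase 1 (OUI known, device not yet profiled): accept, issue/return the
    device's MPSK, put it in the quarantine VLAN and flag that a CoA must
    follow once profiling has run.
    Phase 2 (profiled): accept into the group VLAN only if the profiled
    category matches the group; reject otherwise (wrong model or spoofed OUI).
    """
    group = DEVICE_GROUPS.get(oui(mac))
    if group is None:
        return {"accept": False, "reason": "OUI not in any MPSK device group"}
    key = mac.lower()
    ep = ENDPOINTS.get(key)
    if ep is None:
        ep = ENDPOINTS[key] = Endpoint(key, random_mpsk())
    if ep.category is None:
        return {"accept": True, "mpsk": ep.mpsk, "vlan": QUARANTINE_VLAN,
                "coa_after_profile": True, "reason": "unprofiled, quarantined"}
    if ep.category != group["category"]:
        return {"accept": False,
                "reason": f"profiled as {ep.category!r}, group expects {group['category']!r}"}
    return {"accept": True, "mpsk": ep.mpsk, "vlan": group["vlan"],
            "coa_after_profile": False, "reason": "profiled, matched group"}


def profile(mac: str, dhcp_option55: str) -> Optional[str]:
    """Record the category derived from a DHCP fingerprint; returns it (or None)."""
    category = DHCP_FINGERPRINTS.get(dhcp_option55)
    ep = ENDPOINTS.get(mac.lower())
    if ep is not None and category is not None:
        ep.category = category
    return category


def handshake_ok(client_psk: str, decision: dict) -> bool:
    """The AP side: the 4-way handshake only succeeds if the client used the
    passphrase the policy returned.  Constant-time compare, as any PSK check should."""
    return decision.get("accept", False) and hmac.compare_digest(client_psk, decision["mpsk"])


if __name__ == "__main__":
    first = authorize("03:2D:12:AA:BB:CC")            # legitimate panel, phase 1
    profile("03:2d:12:aa:bb:cc", "1,3,6,15,119")      # DHCP seen, CoA, re-auth
    print(authorize("03:2d:12:aa:bb:cc"))             # phase 2: VLAN 110
    authorize("03:2d:12:de:ad:01")                    # laptop with cloned OUI
    profile("03:2d:12:de:ad:01", "1,3,6,15,31,33,43,44,46,47,119,121,249,252")
    print(authorize("03:2d:12:de:ad:01"))             # rejected on re-auth
    print(handshake_ok("wrong-passphrase", first))    # False
```

    The spoofing scenario in the `__main__` block is the point of reply 8: a laptop that clones the 03:2d:12 prefix passes phase 1 (it only ever reaches the quarantine VLAN with a fresh, unknown MPSK) but is rejected on re-authentication because its DHCP fingerprint does not match the group's expected category. Without the profiling step, the OUI match alone would have placed it in VLAN 110.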