Security

  • 1.  ClearPass NAC and hoteling space

    Posted Jul 02, 2024 05:53 PM

    Hi all,

     

    I'm wondering how everyone handles onboarding their clients to wired 802.1X networks.  Specifically, we are seeing the growth of hoteling and open office style buildings that have static docking stations set up for users to walk in, find their spaces, and connect their USB-C ports for monitors and networking.

     

    We are using ClearPass NAC in combination with 802.1X (PEAP) and captive portal (MAC Auth) authentication methods.  The issue we are seeing is that if the devices don't have 802.1X enabled (i.e., Windows), users will be redirected to our captive portal for authentication.  However, on the ClearPass side, it will see the docking stations' MAC addresses, causing user tracking problems.  Also, Windows tends to store the 802.1X settings at the NIC / adapter level, which is troublesome and requires our users to reconfigure their 802.1X settings every time they switch their workstation.

     

    Any insights are welcome!

     

    Jason



  • 2.  RE: ClearPass NAC and hoteling space

    Posted Jul 03, 2024 03:07 AM

    Hi Jason

    802.1x works best with managed devices where you can configure all the settings in the 802.1X profile with a GPO if the computers are members of an Active Directory, or with Intune or another MDM tool. You can also deliver certificates to the computers the same way.

    A combination of non-managed computers and 802.1x will in most cases not work well, as you describe.

    If I understand your question right, the computers authenticating in your environment aren't managed, as they don't belong to the same organization but come from several smaller companies sharing desks in an office hotel. Is this correct?

    One option to solve the configuration of the clients and certificate distribution is to utilize ClearPass Onboard.

    Also, do the clients need to be wired? In this type of office space, wireless only can often be a good alternative instead of the hassle with docking stations.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass NAC and hoteling space

    Posted Jul 03, 2024 12:20 PM

    Hi Jonas,

    That's right; our environment (University) has a mix of managed and BYOD (i.e., students, staff, and guests) devices. Even on the managed devices side, some are not managed centrally but by their departmental ADs.

    It makes sense to move them to Wi-Fi only, but there are underlying security requirements preventing this from happening until we move over to role-based access.


    Jason




  • 4.  RE: ClearPass NAC and hoteling space

    Posted Jul 04, 2024 02:13 AM

    What about an MDM?




  • 5.  RE: ClearPass NAC and hoteling space

    Posted Jul 08, 2024 10:29 AM

    This is strictly your opinion.

    We have used ClearPass with 802.1X since Aruba purchased Avenda eTIPS.

    The vast majority of the devices in our Higher Education environment are unmanaged and have worked well. We started using PEAP-MSCHAPv2. For the past year, our unmanaged devices have been using EAP-TLS, onboarding with a cloud vendor solution. I would expect ClearPass Onboard could have been used, but we chose a different path.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------