Hey, that ClearPass Jamf Pro Extension works great. I've got all sorts of attributes in my endpoints now. I've got it working with Employee and Student TIPS roles now. I could easily add more with Jamf groups or departments. Problem solved!
Original Message:
Sent: May 16, 2023 01:55 PM
From: OESTech
Subject: Help with the best authentication method for school
I'm reading about this now: https://support.hpe.com/hpesc/public/docDisplay?docId=a00126745en_us. This looks promising, as I can download Jamf Pro MDM attributes into the ClearPass Endpoint database. Then I can do role mapping. Then I could connect both the Employees and Students to one SSID.
Original Message:
Sent: May 15, 2023 02:39 PM
From: ahollifield
Subject: Help with the best authentication method for school
Do you have the MDM integrated with ClearPass? It should be able to pass a group attribute into ClearPass that you can use.
Original Message:
Sent: May 15, 2023 01:38 PM
From: OESTech
Subject: Help with the best authentication method for school
Hi All,
I've been spending the last few days testing how to connect my users to the Wi-Fi in a more efficient way. My goal is to get a large group of people connected with the fewest SSIDs. Like many organizations, we have different people who fall under different roles. The biggest roles are MDM-managed employees, MDM-managed students, unmanaged BYOD users, and guests. Our managed devices are mostly macOS and iOS devices, but we also have some Windows and Chrome devices. Users have Google Workspace and Active Directory accounts. For infrastructure, we use ClearPass, Aruba wireless, Active Directory and AD CS.
I'd also like to point out that the roles users receive are mostly VLAN-based, for web content filtering for students vs. employees. We are really just providing Internet access, as most of our services are cloud-based. We will use some ACLs in the Aruba wireless, but we are not protecting much intranet data.
I know how to enroll macOS and iOS devices with 'computer' certificates. I can do this in the MDM using SCEP. The certificate the device receives really only has the CN, which we set to the computer name or serial number. Windows devices, on the other hand, can easily get computer and user certificates via Active Directory.
So with just a machine certificate I'm having a hard time differentiating between a student MDM-managed MacBook and an employee MDM-managed MacBook, since the only attribute I get back in ClearPass is the common name.
How would you handle this? I've been working on making one SSID for MDM-managed Employee and student devices. I was thinking the service could have a default role of "Student" when the device is machine authenticated only. That way students wouldn't have to worry about Wi-Fi at all. Employees might have to do some kind of additional authentication to get other roles.
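The approach the thread converges on (MDM attributes written into the Endpoint repository, then role mapping with "Student" as the machine-auth-only default and an extra authentication step for employees) can be modelled as an ordered rule list. The following is an added illustration, not code from the thread, from HPE or from Jamf; the attribute names (`MDM Managed`, `Jamf Group`, `Serial Number`, `Computer Name`) and the sample requests are assumptions, and the rule that binds the certificate CN to the MDM record is an extra check the thread does not spell out.

```python
"""Added example: ClearPass-style role mapping over MDM-sourced endpoint attributes.
Attribute names and request values are constructed assumptions, not real ClearPass fields."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class AuthRequest:
    """What the service sees for one 802.1X request (constructed model, not a ClearPass object)."""
    cert_cn: Optional[str]                        # CN of the EAP-TLS machine certificate, if any
    endpoint: dict = field(default_factory=dict)  # attributes the MDM connector wrote for this MAC
    user_authenticated: bool = False              # employee completed the additional (user) authentication


def mdm_record_matches_cert(req: AuthRequest) -> bool:
    """Bind certificate identity to the MDM record: the CN issued via SCEP must equal the
    serial number or computer name the MDM stored for the endpoint (assumed attribute names)."""
    return req.cert_cn is not None and req.cert_cn in (
        req.endpoint.get("Serial Number"), req.endpoint.get("Computer Name"))


# Ordered rules, first match wins, mirroring a "first applicable" role-mapping policy.
RULES: list[tuple[str, Callable[[AuthRequest], bool], str]] = [
    ("no machine certificate", lambda r: r.cert_cn is None, "Unmanaged-BYOD"),
    ("cert not bound to MDM record", lambda r: not mdm_record_matches_cert(r), "Unmanaged-BYOD"),
    ("not MDM managed", lambda r: r.endpoint.get("MDM Managed") != "true", "Unmanaged-BYOD"),
    ("employee group + user auth",
     lambda r: r.endpoint.get("Jamf Group") == "Employees" and r.user_authenticated, "Employee"),
    ("student group", lambda r: r.endpoint.get("Jamf Group") == "Students", "Student"),
]
DEFAULT_ROLE = "Student"  # machine auth only lands in the more restricted (student) VLAN


def map_role(req: AuthRequest) -> tuple[str, str]:
    """Return (role, matched rule name); unmatched requests fall back to the least-privileged default."""
    for name, predicate, role in RULES:
        if predicate(req):
            return role, name
    return DEFAULT_ROLE, "default (machine auth only)"


if __name__ == "__main__":
    # Constructed sample: an employee MacBook that has only done machine authentication so far.
    staff = AuthRequest(cert_cn="C02XYZ789",
                        endpoint={"MDM Managed": "true", "Jamf Group": "Employees",
                                  "Serial Number": "C02XYZ789"})
    print(map_role(staff))                      # machine auth only -> Student role
    staff.user_authenticated = True
    print(map_role(staff))                      # after user authentication -> Employee role
```

A device whose certificate CN does not match its MDM record is deliberately kept in the BYOD role even if the group attribute says "Employees", so the MDM attribute alone never grants the broader role.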