Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Help with the best authentication method for school

  • 1.  Help with the best authentication method for school

    Posted May 15, 2023 01:39 PM

    Hi All,

    I've been spending the last few days testing how to connect my users to the Wi-Fi in a more efficient way.  My goal is to get a large group of people connected with the least number of SSIDs.  Like many organizations, we have different people who will fall under different roles.  The biggest roles are MDM-managed employees, MDM-managed students, unmanaged BYOD users, and guests.  Our managed devices are mostly macOS and iOS devices, but we also have some Windows and Chrome devices.  Users have Google Workspace and Active Directory accounts.  For infrastructure we use ClearPass, Aruba wireless, Active Directory and AD CS.

    I'd also like to point out that the roles users receive are mostly VLAN-based, for web content filtering for students vs. employees.  We are really just providing Internet access, as most of our services are cloud-based.  We will use some ACLs in the Aruba wireless, but we are not protecting much Intranet data.

    I know how to enroll macOS and iOS devices with 'computer' certificates.  I can do this in the MDM using SCEP.  The certificate the device receives really only has the CN, to which we assign the computer name or serial number.  Windows devices, on the other hand, can easily get computer and user certificates via Active Directory.

    So with just a machine certificate I'm having a hard time differentiating between a student MDM-managed MacBook and an employee MDM-managed MacBook, since the only attribute I get back in ClearPass is the Common Name.

    How would you handle this?  I've been working on making one SSID for MDM-managed Employee and student devices.  I was thinking the service could have a default role of "Student" when the device is machine authenticated only.  That way students wouldn't have to worry about Wi-Fi at all.  Employees might have to do some kind of additional authentication to get other roles.




  • 2.  RE: Help with the best authentication method for school
    Best Answer

    Posted May 15, 2023 02:40 PM

    Do you have the MDM integrated with ClearPass?  This should be able to pass a group attribute into ClearPass you can use.  




  • 3.  RE: Help with the best authentication method for school

    Posted May 16, 2023 01:56 PM

    I'm reading about this now.  https://support.hpe.com/hpesc/public/docDisplay?docId=a00126745en_us.  This looks promising as I can download Jamf Pro MDM attributes into the Clearpass Endpoint database.  Then I can do role mapping.  Then I could connect both the Employee and Students to one SSID.




  • 4.  RE: Help with the best authentication method for school

    Posted May 16, 2023 04:58 PM

    Hey that Clearpass Jamf Pro Extension works great.  I've got all sorts of attributes in my endpoints now.  I've got it working with Employee and Student TIPS roles now.  Could easily add more with Jamf groups or departments.  Problem solved!




  • 5.  RE: Help with the best authentication method for school

    Posted May 17, 2023 02:04 PM

    Rats, I have to disable Private MAC address in iOS if I want to be able to use the endpoint attributes.  It still works but there is a privacy warning on the iPad. 
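    The role-mapping logic the thread arrives at (machine-certificate auth yields only a CN, so the role comes from Jamf attributes on the ClearPass endpoint record, keyed by client MAC), written out as an added Python example that is not from this thread or from HPE Aruba; the endpoint records, the `Jamf Department` attribute name and the department-to-role table are constructed assumptions. It also covers the failure mode from post 5: a randomized (locally administered) MAC never matches an endpoint record, so the device falls back to the default role instead of an Employee role.

```python
from dataclasses import dataclass

# Constructed sample of the ClearPass Endpoint database after the Jamf Pro
# extension has populated it (MAC -> attributes). All values are made up.
ENDPOINTS = {
    "a4:83:e7:11:22:33": {"Jamf Department": "Faculty"},
    "a4:83:e7:44:55:66": {"Jamf Department": "Students"},
}

# Assumed mapping from the Jamf department attribute to a TIPS role.
DEPARTMENT_TO_ROLE = {"Faculty": "Employee", "Students": "Student"}

def is_private_mac(mac: str) -> bool:
    """True if the MAC is locally administered (bit 1 of the first octet set),
    which is what iOS 'Private Wi-Fi Address' randomization produces."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

@dataclass
class Decision:
    role: str
    reason: str

def map_role(mac: str, auth_type: str, endpoints=ENDPOINTS) -> Decision:
    """auth_type is 'machine' (device certificate only, the CN is all you
    get) or 'user' (user credentials). Returns the role and why it was
    chosen, so the reason can be logged alongside the access decision."""
    mac = mac.lower()
    default = "Student" if auth_type == "machine" else "BYOD"
    record = endpoints.get(mac)
    if record is None:
        if is_private_mac(mac):
            # A randomized MAC cannot match an endpoint record, so the Jamf
            # attributes are unavailable: the privacy-warning case above.
            return Decision(default, "private MAC, endpoint attributes unavailable")
        return Decision(default, "no endpoint record")
    department = record.get("Jamf Department", "")
    # Unknown departments deliberately fall back to the least-privileged role.
    role = DEPARTMENT_TO_ROLE.get(department, "Student")
    return Decision(role, f"Jamf Department={department}")
```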




  • 6.  RE: Help with the best authentication method for school

    Posted May 16, 2023 01:35 PM
    This may not answer your question, but have you looked at eduroam?

    Combined with ClearPass, you can have a single 802.1X SSID that can handle authenticated users under different roles and VLANs. As part of eduroam, your staff/faculty/students can visit other eduroam schools and authenticate seamlessly, and you could allow guests from other eduroam institutions to have the same experience, even though they would be assigned a guest role in your network.

    You would probably still need a separate open Guest SSID (cafe style) and another one for headless devices.

    Hope this helps.






  • 7.  RE: Help with the best authentication method for school

    Posted May 16, 2023 02:08 PM

    Thanks, I hadn't heard of that. I'll take a look.