Network Access in Dorms

  • 1.  Network Access in Dorms

    Posted Dec 11, 2014 04:27 PM

    What do you guys do for network access in your dorms?

     

    What restrictions do you have?

    Do you use the same SSID as Campus?

    Do you provide ethernet ports?

    How do you handle consoles (xbox, wii, play station)?

    What bandwidth do you provide your users with?

    How do you handle NATing for dorms?

     

    Sorry for all the questions, just wondering what the normal practices are. 



  • 2.  RE: Network Access in Dorms

    EMPLOYEE
    Posted Dec 11, 2014 04:38 PM

    (These are answers from my former position)

     

    - No restrictions

    - same SSIDs (eduroam and an open guest/dumb device network)

    - No ethernet ports provided

    - "Dumb" devices including game consoles and media players connect to the open/guest network

    - No bandwidth shaping

    - Public addressing, no NAT.



  • 3.  RE: Network Access in Dorms

    Posted Mar 11, 2015 09:37 AM

    Tim, I know you're the one to normally answer my Clearpass questions, and it's in reference to this post even. 

     

    With Clearpass, is it possible to use it to Fingerprint Game Consoles, that way we can drop them specifically into a VLAN without Captive Portal, while having computers in another VLAN with captive portal? 

     

    So say X device connects to our wireless. I know Clearpass should be able to tell that X device is a game console (it already classifies some endpoints as Game Consoles, Sony and Nintendo). Can we then use that information to put them in a different role assigned to a different VLAN?

     

    Any idea on how to get Xboxes to show under Game Consoles as well?

     

    I know the typical setup is Mac Auth, but if Clearpass is able to determine what is a game console, it feels like that would be even easier on the end user.



  • 4.  RE: Network Access in Dorms

    Posted Mar 11, 2015 09:46 AM
    Perhaps I’m oversimplifying, but the endpoint record in ClearPass should have an accurate device category (e.g., computer, smart device, game console, etc.) as well as detailed information (e.g., Xbox). You can write your enforcement policy to use the Endpoint Database as an authorization source. Doing so, you can have your enforcement policy say “IF game console > role = game console”. Then, on your controller, your “game console” role can be configured NOT to have a captive portal profile as well as map to whatever VLAN(s) you’d like.


  • 5.  RE: Network Access in Dorms

    Posted Mar 11, 2015 09:48 AM

    Thanks for the quick response. This is in line with what I was thinking. There will be some testing, but I think this may be the approach I take. 

     

     

    Thanks again!



  • 6.  RE: Network Access in Dorms

    EMPLOYEE
    Posted Mar 11, 2015 09:49 AM

    What Ryan said :)

     

    You'll just need to ensure profiling is enabled on your service so that new devices that aren't profiled will be bumped and re-auth when they're detected as game consoles.



  • 7.  RE: Network Access in Dorms

    Posted Mar 11, 2015 04:20 PM

    To enable profiling, do I just tick the box 'Profile Endpoints'?

     

    It adds the Profiler tab, with an option to trigger an action, I am not entirely sure what that means in this case. I haven't read about it yet. Is there a brief description of what this all means that you could give me?

     

    I am also not sure what you mean by IF-MAP profiling.



  • 8.  RE: Network Access in Dorms

    EMPLOYEE
    Posted Mar 11, 2015 04:26 PM

    On the profiler tab, you want to add any device category where you want to trigger a re-authentication.

     

    So for example, if you are taking different action on game consoles, you'll want to add Game Consoles from the dropdown so that when a new device connects and is then identified as a game console, ClearPass will tell the controller to re-authenticate the device and then the auth will hit the rule where you are checking for Game Console.

     

    See here for information on IF-MAP. It allows you to use HTTP user agent data from the controller. For example, you could write a rule that says CONTAINS xbox.

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Tip-Using-IF-MAP-fingerprints-to-identify-legacy-devices/m-p/156396/



  • 9.  RE: Network Access in Dorms

    Posted Mar 11, 2015 04:45 PM

    I do not have the Profile Endpoints box checked for our setup. Tim just educated me as to the IF-MAP fingerprints and I'm going to take a look at that.

     

    Like he said you should only need the Profile Endpoints checked if you want to 'bump' it to a different service.



  • 10.  RE: Network Access in Dorms

    Posted Mar 11, 2015 05:07 PM

    Alright. Let me see if I have all of the information I need. 

     

    If I add a statement to my enforcement policy that I use for my Guest network that looks like:

    Authorization:[Endpoints Repository] Category EQUALS 'Game Console'

     

    And then I have that assign an Aruba-User-Role of 'Game Console' (or similar) and use that Role to Authorize access via the Controller. 

     

    While also enabling Endpoint Profiling and specifying the 'Game Console' Endpoint Classification on that service. 

     

    Do I even need to do a role mapping for it? Would this be all I need for a Game console to authenticate? 

    I understand that to capture all devices such as xbox I will need to look at the IF-MAP feature, which I have only skimmed so far. 

     

    EDIT: As I keep thinking about this. Would it return the role, or would I need to verify it against another service to return the role?



  • 11.  RE: Network Access in Dorms

    Posted Mar 11, 2015 05:40 PM

    I do think you can skip the 'Role Mapping' and do it that way, but using Role Mapping will simplify the profiles (for Tips:Role EQUALS Gaming Console it will include all Gaming Consoles from the mapping instead of having more and more lines in the policy).

     

    Using the Role Mapping is also more flexible because you can apply the Roles without enforcing anything (great for testing and watching live), and you can have different enforcement policies for the same role mapping policy (e.g. an xbox on SSID Guest can get a different role (firewall-controller-side) than an xbox on SSID nonGuest).

     

    The Enforcement Profile is what sends the information to the controller:

    Radius:Aruba Aruba-User-Role = Guest-Gaming

    After all those steps the Aruba-User-Role, in my example Guest-Gaming is all that matters to the controller, and all that is needed.  What Guest-Gaming has access to is entirely on the PEF controller at that point: show rights Guest-Gaming



  • 12.  RE: Network Access in Dorms

    Posted Mar 31, 2015 05:11 PM

    Alright so I'm working on getting the game console portion of this access implemented. I can get them to connect to my guest network which is just fine, but I want them to be off in their own subnet which I am struggling with. 

     

    Is there an example anyone can provide me of what their actual service looks like?

     

     

    What service type should I be using? I currently have it set to RADIUS Generic (copied my Guest Service)

    What authentication method are you using? I currently have it set to Mac Auth since it's Guest Network (I don't want to set up a Mac Track type portal)

    What authentication sources? I am using Endpoints Repository. 

    For Authorization I have Endpoints Repository

    Role mapping I have it defaulting to my GameConsole role, and the policy is set up how pgemme describes it in this post.

    Enforcement I have set to (Authorization:[Endpoints Repository]:Category EQUALS 'Game Console') Game Console Enforcement Profile

    The enforcement profile looks like: Radius:Aruba Aruba-User-Role = 'Game Console' with the Accept Action

     

    and I have profiling enabled against ANY Device for my Guest Service and this Service. 

     

     



  • 13.  RE: Network Access in Dorms

    EMPLOYEE
    Posted Mar 31, 2015 05:13 PM
    In the controller, select a VLAN in the user role.


    Thanks,
    Tim


  • 14.  RE: Network Access in Dorms

    Posted Mar 31, 2015 05:20 PM

    In the User Role, you're talking about the Role VLAN ID correct? I have that set to the VLAN



  • 15.  RE: Network Access in Dorms

    EMPLOYEE
    Posted Mar 31, 2015 05:39 PM
    Yes. And the devices aren't ending up in that VLAN?


    Thanks,
    Tim


  • 16.  RE: Network Access in Dorms

    Posted Mar 11, 2015 06:04 PM
    To add a little color to this... Think about HOW ClearPass is making its decision. The Mac-auth and dot1x methods have the client authenticating with clearpass BEFORE it gets an IP address. Since profiling is largely based on radius attributes (no device category info), dhcp and http fingerprinting, clearpass may not know the category ("game console") until after it already performs policy enforcement.

    To get around this (like Tim suggested), enable profiling. For my environment, I want to have a solid understanding of the device before being content with them on the network. For this reason, I select "any category..." (instead of just one like game console) to ensure the device is properly profiled and policy enforced correctly.

    It sounds like you have everything else understood.

    I'll add that Clearpass "roles" are simply labels and I suggest using them if you ever feel the criteria for a device (e.g., category is game console, or host name has Xbox = game console) will be reused.


  • 17.  RE: Network Access in Dorms

    Posted Mar 12, 2015 11:12 AM

    I used to have profiling enabled with any category... as well. We did get many more devices in the correct 'buckets' on first connect when it was on (other than having to boot them manually or wait for them to disconnect) but it caused something else that we didn't want to trade off for. I can't remember now what it was. I'll check my notes and test again. I feel like the iOS devices would pop up the captive portal page twice.

     



  • 18.  RE: Network Access in Dorms

    Posted Mar 12, 2015 11:27 AM
    Definitely let me know any side effects you had, as I have not seen/heard of any...


  • 19.  RE: Network Access in Dorms

    Posted Mar 12, 2015 11:52 AM

    That matches what I am seeing.  At least the iOS devices have to hit the Captive Portal twice after enabling the profiling.



  • 20.  RE: Network Access in Dorms

    Posted Mar 12, 2015 12:52 PM
    That’s puzzling. Do you have clearpass as a dhcp helper-address for the L3 VLAN assigned to the client? If a client auths, clearpass won’t have profiling data on them (yet). Then the client sends a DHCPREQUEST, which is relayed to clearpass. At that point, clearpass should know enough about the client on dhcp fingerprint alone to change the device family/category etc. That would have clearpass send a CoA to the controller for the client, forcing them to re-auth, etc. I suppose it’s possible for the client to reach the captive portal before the CoA kicks in, but I haven’t observed this phenomenon in my environment…fwiw.


  • 21.  RE: Network Access in Dorms

    Posted Mar 12, 2015 01:24 PM

    I have the Virtual IP of ClearPass as an ip-helper-address in all the VLANs.  Would I need the individual server IPs as well?



  • 22.  RE: Network Access in Dorms

    EMPLOYEE
    Posted Mar 12, 2015 01:28 PM
    Also keep in mind when testing profiling that the device likely won't DHCP discover again so it may look like profiling isn't working. Having unique devices is crucial to testing profiling.


    Thanks,
    Tim


  • 23.  RE: Network Access in Dorms

    Posted Mar 12, 2015 02:03 PM
    pgemme, you wouldn’t need all the clearpass IPs as helpers so long as the clearpass server that responds to the virtual IP has profiling enabled. (i.e., “Enable Profile: Enable this server for endpoint classification”).


  • 24.  RE: Network Access in Dorms

    Posted Mar 12, 2015 03:17 PM

    Yup, that was it. Now that I added the ip helper to my router, I am receiving device information into the endpoints. Now I just have to figure out how to get the Console devices logged in automatically, but not the other endpoints...



  • 25.  RE: Network Access in Dorms

    Posted Mar 12, 2015 01:27 PM

    Hmm. No, I did not have the dhcp helper set to Clearpass as well. I thought I had, but that was before I changed routers. I will add it to the dhcp helper list and see if that makes a difference. Thanks



  • 26.  RE: Network Access in Dorms

    EMPLOYEE
    Posted Mar 11, 2015 05:27 PM
    You’ll want the profile endpoints so that the device doesn’t get stuck in an incorrect role.


  • 27.  RE: Network Access in Dorms

    Posted Mar 11, 2015 10:05 AM

    My understanding is the Xbox can be tricky because it looks just like a Windows 8 machine (in terms of DHCP fingerprint).

     

    If it helps at all, my current setup to skip captive portal for the Xboxes on campus:

     

    (Authorization:[Endpoints Repository]:Category EQUALS Game Console) 'Role Name' = Gaming Console
    (Authorization:[Endpoints Repository]:Category EQUALS Computer)
    AND (Authorization:[Endpoints Repository]:Hostname CONTAINS xbox) 'Role Name' = Gaming Console
    (Endpoint:Enabled Reason CONTAINS Xbox) 'Role Name' = Gaming Console

     

    The first mapping seems to catch about a third of the Xboxes (would have to check my numbers). It catches most of the Wiis, PSs, etc...

    The second mapping definitely leaves a spot where you could name your computer xbox* and skip captive portal; however, they would have to know that, and I would always be dumping them on the more restricted network anyway, which has a 'gaming' firewall profile. (I believe I can also add that the OS Family has to be Microsoft.) The third mapping is for any that still somehow need a manual setting to be picked up correctly (a very small amount seem to slip through - not sure how).

     

    Of course 'Gaming Console' needs an enforcement profile:

    (for example) Enforcement Profile:
    Radius:Aruba Aruba-User-Role = Guest-Gaming

    And the Service needs to have an Enforcement Policy that uses them:

    (Tips:Role EQUALS Gaming Console) = Guest MAC Caching, Guest Gaming Device

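As an added illustration, not ClearPass code or any vendor API, the following Python models the three role-mapping rules laid out in post 27 together with the auth-before-DHCP timing and profiler CoA described in posts 16 and 22. Endpoint records are constructed dicts standing in for the Endpoints Repository; the `captive_portal` flag, the `os_family` condition and the `session()` flow are assumptions of this model.

```python
"""Toy model of the ClearPass flow in this thread: MAC auth before the client has
an IP, a DHCP fingerprint arriving later via ip-helper, profiler-triggered CoA,
then role mapping and enforcement.  Added example, not ClearPass or vendor code."""

# Categories whose discovery triggers a re-authentication (the "Profile Endpoints"
# trigger list).  Post 16 argues for "any category"; this is the narrow choice.
REAUTH_CATEGORIES = {"Game Console"}


def map_role(ep):
    """Role mapping: the three rules from post 27, in order.  Returns a Tips:Role
    label (just a string; the thread stresses that roles are only labels)."""
    category = ep.get("category", "")
    hostname = ep.get("hostname", "").lower()
    reason = ep.get("enabled_reason", "").lower()
    if category == "Game Console":
        return "Gaming Console"
    # Xbox DHCP-fingerprints like Windows 8 and lands in Computer, so match on
    # hostname.  Any laptop named "xbox" matches too, which is why the poster keeps
    # this role on a restricted firewall profile; the OS-family tightening the post
    # mentions is an assumption added here.
    if (category == "Computer" and "xbox" in hostname
            and ep.get("os_family") == "Microsoft"):
        return "Gaming Console"
    if "xbox" in reason:  # manual override recorded in Endpoint:Enabled Reason
        return "Gaming Console"
    return "Guest"


def enforce(role):
    """Enforcement policy: Tips:Role EQUALS Gaming Console returns the profile
    Radius:Aruba Aruba-User-Role = Guest-Gaming.  The controller-side role decides
    VLAN and captive portal; the portal is modelled as a flag (assumption)."""
    if role == "Gaming Console":
        return {"Aruba-User-Role": "Guest-Gaming", "captive_portal": False}
    return {"Aruba-User-Role": "Guest", "captive_portal": True}


def session(ep_at_auth, dhcp_fingerprint=None):
    """One client connect.  The first decision sees only what the repository already
    holds.  A later DHCP fingerprint (None models a device that keeps its lease and
    never re-discovers, per post 22) may change the category and force a CoA."""
    ep = dict(ep_at_auth)
    decision = enforce(map_role(ep))
    events = [("auth", decision["Aruba-User-Role"])]
    if dhcp_fingerprint:
        before = ep.get("category")
        ep.update(dhcp_fingerprint)
        if ep.get("category") != before and ep.get("category") in REAUTH_CATEGORIES:
            events.append(("coa", "reauth"))
            decision = enforce(map_role(ep))
            events.append(("auth", decision["Aruba-User-Role"]))
    return decision, events
```

Running `session({"mac": "00:11:22:33:44:55"}, {"category": "Game Console"})` on a constructed, never-seen console shows the sequence the thread describes: first auth lands in the portal role, the DHCP fingerprint fills in the category, and the CoA re-auth moves the device to Guest-Gaming.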


  • 28.  RE: Network Access in Dorms

    EMPLOYEE
    Posted Mar 11, 2015 10:08 AM
    You can leverage the IF-MAP profiling to help make this more granular.


  • 29.  RE: Network Access in Dorms

    Posted Dec 11, 2014 04:39 PM

    What restrictions do you have?

         - Only restricting access to fac/staff and server subnets.

     

    Do you use the same SSID as Campus?

         -Yes, we use clearpass with role derivation to drop them into their proper subnets

     

    Do you provide ethernet ports?

         -Yes, when we implemented the s3500's, we right-sized the network and only allow for one port per room now.

     

    How do you handle consoles (xbox, wii, play station)?

         -They are user registered via a Clearpass portal.  They must also be auto-profiled correctly for this to work.

     

    What bandwidth do you provide your users with?

         -we don't restrict bandwidth at this time

     

    How do you handle NATing for dorms?

         -All traffic on campus is natted; the student subnets have a small number of IPs that ALL their traffic is natted out from.

     

    Scott Wolke

    Network Engineer

    The University of Findlay



  • 30.  RE: Network Access in Dorms

    Posted Dec 12, 2014 09:30 AM

    How big are your schools? How many Dorm users do you generally see?

     

     

    We have about 50 users to our on campus dorms. We are quite small.

     

    However, we are a primarily Computer Science school, so the majority of our users have 3 or more devices. 



  • 31.  RE: Network Access in Dorms

    Posted Dec 19, 2014 03:41 PM

    We have a very similar configuration as cappalli described. 

    We have ~26,000 students of which ~7k live on campus. On an average day we have about 9k devices concurrently connected in housing and peak at about 12k at night.

     



  • 32.  RE: Network Access in Dorms

    Posted Mar 26, 2015 12:14 PM

    What restrictions do you have?

    None, except ACLs to block mgmt VLANs.

    Do you use the same SSID as Campus?

    No, different name / same AAA profile

    Do you provide ethernet ports?

    No, all the dorms are wireless

    How do you handle consoles (xbox, wii, play station)?

    At the moment they connect with MAC auth and we provide them Public addresses. Currently testing if Xbox Live can work now with private addresses.

    What bandwidth do you provide your users with?

    No rate limit

    How do you handle NATing for dorms?

    We nat everywhere on campus except the dorms until we test that the majority of the students' wireless devices can work on private addresses. (Currently testing Clearpass to see if we can fingerprint them and then only assign public addresses to games consoles)