Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Best way to distinguish a device type in clearpass

  • 1.  Best way to distinguish a device type in clearpass

    Posted Jun 28, 2016 08:26 AM

    Hi All,

     

    I'm new here and I've searched around but can't seem to find what I'm looking for!

     

    My question is:

     

    When using CPPM what is the best way to distinguish between different device types for the purposes of dynamic VLAN assignment and RBAC.

     

    I know you can use:

    DHCP thumbprinting

    OS Type

    OS Family

    MAC address groups

    AD Computer Groups etc

     

    I want to know from experience which of these you guys have had the best experience with?

     

    The issue I'm working to solve is the best way of assigning devices to a specific VLAN and then, based on the user logged in to them, assigning a controller role to determine their access to the network.

     

    An example is: 

     

    If the device is a Chromebook and the user logged on is staff, then assign the Chromebook user role and assign to VLAN 99. This design is to enable a network-based web filter (I know most web filters are user-centric these days but unfortunately we have no control over it) device to distinguish if the device is student or staff, but limit the Chromebook device to only speak with a management server and nothing else using PEF. So which way of defining the device type is best?

     

    Hope that makes sense!

     

    Look forward to hearing your suggestions.

     

    Steve

     



  • 2.  RE: Best way to distinguish a device type in clearpass

    MVP
    Posted Jun 29, 2016 11:23 AM

    If you're only concerned with Chromebooks, you can set up the Google Admin Console as an Endpoint Context Server, which would apply attributes including the device type as Chromebook, which you can then key off of. Otherwise, I've had pretty good success with DHCP fingerprinting; just add an IP helper address for ClearPass to the VLAN interfaces required. You could also use Profiling in the service, which would terminate the session and force a reconnect with the device type now being known.



  • 3.  RE: Best way to distinguish a device type in clearpass

    Posted Jul 04, 2016 04:58 PM

    Thanks Michael,

     

    That would be a good idea for the Chromebooks agreed, I'm also looking to do similar things with iOS devices and smart phones. So it needs to fit all device types.

     

    Do you think pairing the admin console with one of the other methods will achieve the desired results of assigning controller roles to devices and VLANs per user? I'm just concerned that if I opt for methods other than MAC address groups, we risk allowing any staff / student device on the network regardless of it being owned by the organisation.

     

    Thanks again,

    Steve



  • 4.  RE: Best way to distinguish a device type in clearpass

    Posted Jul 06, 2016 10:19 AM

    Steve,

    The only way I know of to make sure your school owned devices are the only ones getting on is to set an attribute in the endpoint database that is manually put in or only put in when a device is connected to a particular user or switch/AP.

     

    For example, if you get a list of MAC addresses when you purchase a group of Chromebooks/iPhones/iPads, you could import them with the endpoint attribute of "School Owned" = True (for example) and then key on that attribute along with the User authentication to allow them on the correct VLAN, etc.

     

    If you don't get that list, but you have to get the devices out of the box and make sure they have a config on them, make sure they connect to a "Lab" AP/Switch and have a rule that if they connect to that AP/Switch, then add the attribute "School Owned" = True.

     

    The general idea is that you have to do something "Out of Band" (like these 2 examples) of the normal user connection. Maybe think of it as a "Virtual Asset Tag".

     

    Thanks!
    Chuck



  • 5.  RE: Best way to distinguish a device type in clearpass

    MVP
    Posted Jul 06, 2016 10:25 AM

    You could also use the profiler in the ClearPass service.

     

    Any OS / Make / Model = Aruba Terminate Session. 

     

    It would send a COA to the controller, make sure you have ClearPass setup as an RFC3576 server and in ClearPass you have the controller enabled for RFC3576 in the network device settings. 

     

    You could then put logic into the Role Mapping policy for the service that checks things such as:

     

    IF Device OS = Chrome THEN Assign role CHROMEBOOK

    IF Device OS = Windows THEN Assign role WINDOWS PC

    IF Device OS = Apple THEN Assign role MACBOOK

    IF AD memberOf = Staff THEN Assign role STAFF

    IF AD memberOf = Student THEN Assign role STUDENT

     

    I would do Evaluate All in the Role Mapping, then in the Enforcement you just need to combine the roles and assign the VLAN / User Role assignments based on the combinations. Always put the most specific on top, for example:

     

    TIPS Role MATCHES ALL = Chromebook, Staff THEN Action = VLAN 1, User Role Staff

    TIPS Role MATCHES ALL = Chromebook, Student THEN Action = VLAN 2, User Role Student

    TIPS Role MATCHES ALL = Chromebook THEN Action = VLAN 3, User Role Chromebook

     

    You can filter on Machine Authentications and User Authentications as well to identify if it's a domain-joined machine or a personal machine. If it machine-authenticates successfully, it's company owned.

     

    Chromebooks - Use Google Admin Console to identify if they are company owned

    Windows - Use Machine Authentication (if they're domain joined)

    Macbooks - May need to find another attribute or use Generic SQL query to check a database of the devices.

    Mobile Devices - Use MDM such as AirWatch
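The two ideas in the replies above (Chuck's out-of-band "School Owned" endpoint attribute in post 4, and the Evaluate All role mapping plus most-specific-first enforcement in post 5) can be checked as plain logic before building them in the policy editor. The following is an added example written for this thread; it is not code from the forum posters or from HPE Aruba, and it does not talk to ClearPass. It simulates the decision flow with constructed data: the endpoint database, the MAC addresses, the AD group names, the field names on `AuthRequest` and the role names are all illustrative. The `shadowed_rules` check goes slightly beyond the post by detecting, for any enforcement policy, a generic "MATCHES ALL" rule placed above a more specific one, which would silently make the specific rule unreachable.

```python
# Added example (not from the thread or from HPE Aruba): simulates ClearPass-style
# Role Mapping with "Evaluate All" and a first-match Enforcement policy, to show
# why the most specific TIPS Role combination must sit on top and how an
# out-of-band "School Owned" endpoint attribute gates access.  All attribute
# names, roles and MAC addresses are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed endpoint database: attributes set out of band, as Chuck describes
# (imported from a purchase list or stamped when a device first joins a lab AP).
ENDPOINT_DB: Dict[str, dict] = {
    "00:11:22:33:44:01": {"School Owned": True},   # imported Chromebook
    "00:11:22:33:44:02": {"School Owned": True},   # imported Chromebook
    # 00:11:22:33:44:03 is absent on purpose: a personally owned Chromebook
}


@dataclass(frozen=True)
class AuthRequest:
    """Inputs the service sees for one connection (hypothetical field names)."""
    mac: str
    device_os: Optional[str]          # profiler result (DHCP fingerprint, Google Admin Console)
    user: Optional[str]               # authenticated user, None for machine-only auth
    member_of: FrozenSet[str]         # AD memberOf groups
    machine_auth: bool = False        # successful EAP machine authentication


# Role Mapping rules: (condition, TIPS role).  With "Evaluate All" every
# matching rule contributes its role, so one request can carry several roles.
ROLE_MAPPING = [
    (lambda r, ep: r.device_os == "Chrome", "CHROMEBOOK"),
    (lambda r, ep: r.device_os == "Windows", "WINDOWS PC"),
    (lambda r, ep: r.device_os == "Apple", "MACBOOK"),
    (lambda r, ep: "Staff" in r.member_of, "STAFF"),
    (lambda r, ep: "Student" in r.member_of, "STUDENT"),
    # Either the out-of-band endpoint attribute or a successful machine
    # authentication (domain-joined Windows) proves organisational ownership.
    (lambda r, ep: ep.get("School Owned") is True or r.machine_auth, "SCHOOL OWNED"),
]


def map_roles(req: AuthRequest) -> FrozenSet[str]:
    """Evaluate All: collect every role whose condition matches."""
    ep = ENDPOINT_DB.get(req.mac, {})
    return frozenset(role for cond, role in ROLE_MAPPING if cond(req, ep))


# Enforcement policy: (roles required by "TIPS Role MATCHES ALL", action).
# First match wins, so the most specific combination goes on top; the empty
# set at the end is the default profile (deny).
Action = Tuple[Optional[str], str]
ENFORCEMENT: List[Tuple[FrozenSet[str], Action]] = [
    (frozenset({"CHROMEBOOK", "STAFF", "SCHOOL OWNED"}), ("VLAN 1", "Staff")),
    (frozenset({"CHROMEBOOK", "STUDENT", "SCHOOL OWNED"}), ("VLAN 2", "Student")),
    (frozenset({"CHROMEBOOK", "SCHOOL OWNED"}), ("VLAN 3", "Chromebook")),
    (frozenset(), (None, "Deny Access")),
]


def enforce(roles: FrozenSet[str], policy=ENFORCEMENT) -> Action:
    """Return the (VLAN, user role) of the first rule whose roles are all present."""
    for required, action in policy:
        if required <= roles:          # MATCHES ALL: every required role is held
            return action
    raise RuntimeError("policy has no default rule")


def shadowed_rules(policy) -> List[Tuple[int, int]]:
    """Ordering check: rule j can never match if an earlier rule i requires a
    strict subset of j's roles.  Returns (i, j) index pairs; an empty list
    means the policy is ordered most-specific-first."""
    found = []
    for i, (req_i, _) in enumerate(policy):
        for j in range(i + 1, len(policy)):
            if req_i < policy[j][0]:
                found.append((i, j))
    return found


def decide(req: AuthRequest, policy=ENFORCEMENT) -> Action:
    """Full pipeline for one request: role mapping, then enforcement."""
    return enforce(map_roles(req), policy)


if __name__ == "__main__":
    staff_cb = AuthRequest("00:11:22:33:44:01", "Chrome", "alice", frozenset({"Staff"}))
    student_cb = AuthRequest("00:11:22:33:44:02", "Chrome", "bob", frozenset({"Student"}))
    personal_cb = AuthRequest("00:11:22:33:44:03", "Chrome", "alice", frozenset({"Staff"}))
    for r in (staff_cb, student_cb, personal_cb):
        print(r.mac, sorted(map_roles(r)), "->", decide(r))
    # Put the generic Chromebook rule first and the staff/student rules die.
    misordered = [ENFORCEMENT[2], ENFORCEMENT[0], ENFORCEMENT[1], ENFORCEMENT[3]]
    print("shadowed rules:", shadowed_rules(misordered), "->", decide(staff_cb, misordered))
```

Running it shows the staff Chromebook landing in VLAN 1 with the Staff role, the student Chromebook in VLAN 2, and the personally owned Chromebook (same staff user, no "School Owned" attribute) hitting the default deny, which is exactly the gating Steve asked about. The misordered policy reports the generic rule as shadowing both specific rules and sends the staff Chromebook to VLAN 3, the failure mode the "most specific on top" advice prevents.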