Blacklist database in CPPM

  • 1.  Blacklist database in CPPM

    Posted Oct 30, 2014 01:59 PM

    I have a customer that wants to set up a rule for guest users in CPPM that will put them into the blacklist database if they are connected for more than 24 hours in a three day period. They are trying to prevent employees from using the guest wifi. The Guest SSID is open and just presents a splash page with terms of acceptance.

     

    They want the blacklisted users to get redirected to another splash page telling them to call the help desk. Aruba says this is possible. Not sure how to do it though.

     

     



  • 2.  RE: Blacklist database in CPPM

    EMPLOYEE
    Posted Oct 31, 2014 01:40 AM
    Yes, you can do it, but you will need someone to create a custom SQL script to pull the data.

    I would work with one of the certified partners that have SQL knowledge.
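
The rule in the original question (more than 24 hours connected within a three day period) is a rolling-window sum over session records. The following is an added example, not code from any poster in this thread and not ClearPass or Insight code; the record layout (MAC, start, stop), the function names and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=3)    # "three day period" from the question
LIMIT = timedelta(hours=24)   # allowed guest time inside that window

def connected_time(sessions, now, window=WINDOW):
    """Time connected inside [now - window, now].

    sessions: iterable of (start, stop); stop is None while still connected.
    Overlapping records (e.g. duplicate accounting entries) count once.
    """
    total = timedelta()
    covered_until = now - window          # nothing before this point counts
    for start, stop in sorted(sessions, key=lambda r: r[0]):
        end = min(stop or now, now)       # open or future stop: clip to now
        begin = max(start, covered_until) # skip time already counted
        if end > begin:
            total += end - begin
            covered_until = end
    return total

def over_limit(records, now, limit=LIMIT):
    """Return the sorted MACs whose guest time in the window exceeds limit."""
    by_mac = {}
    for mac, start, stop in records:
        by_mac.setdefault(mac, []).append((start, stop))
    return sorted(m for m, s in by_mac.items()
                  if connected_time(s, now) > limit)

# Constructed sample records: (MAC, session start, session stop).
NOW = datetime(2014, 11, 6, 8, 0)
RECORDS = [
    # Daily user, still connected: 10h + 10h + 23h inside the window.
    ("aa:bb:cc:00:00:01", datetime(2014, 11, 3, 9), datetime(2014, 11, 3, 19)),
    ("aa:bb:cc:00:00:01", datetime(2014, 11, 4, 9), datetime(2014, 11, 4, 19)),
    ("aa:bb:cc:00:00:01", datetime(2014, 11, 5, 9), None),
    # Long session that mostly falls before the window: only 4h + 2h count.
    ("aa:bb:cc:00:00:02", datetime(2014, 11, 1, 0), datetime(2014, 11, 3, 12)),
    ("aa:bb:cc:00:00:02", datetime(2014, 11, 5, 10), datetime(2014, 11, 5, 12)),
]

if __name__ == "__main__":
    print(over_limit(RECORDS, NOW))
```

The MACs returned are the ones a policy would tag for the help-desk splash page; how that tag is written back to the endpoint depends on the deployment.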


  • 3.  RE: Blacklist database in CPPM

    Posted Nov 02, 2014 03:34 PM

    Hi satx71,

     

    Here's another option. It sounds like the corporate network might be an 802.1X network. Here's what I helped a customer design, and it's been successful:

     

    1. Client connects to an 802.1X network. 

    2. They are given an Enforcement profile that sets an attribute for that device.

    3. This attribute could be defined as, "Secure-Access-Only".

    4. The guest network will then have an additional requirement stating that endpoints with "Secure-Access-Only" will not be allowed on.

    5. A user device will then be sent a RADIUS Deny Access if they try to connect to the Guest network.

     

    Tim (cappalli) wrote a great post outlining how he did this at Brandeis University. It showed the flexibility of using the attributes to achieve this functionality.

     

    Hope this helps!

     

    -Mike



  • 4.  RE: Blacklist database in CPPM

    Posted Nov 03, 2014 10:23 AM

    Thanks everyone. That will help get me started. This is a pure guest environment, so I will have to create an attribute based on their session info in the guest world. I will work on creating it for an 802.1X scenario as well. I am quite sure I will encounter that, so I need to know how to make that work too.

     

    Thanks again.



  • 5.  RE: Blacklist database in CPPM

    Posted Nov 05, 2014 03:02 PM

    Got another question. Do you know what the acceptable value ranges are when you are setting up a session-check allowed-duration attribute? Is it in seconds, minutes, days?



  • 6.  RE: Blacklist database in CPPM

    Posted Nov 06, 2014 08:23 AM

    Hi satx71,

     

    First, go to Administration > Server Manager > Server Configuration > "A CPPM Server" and make sure "Enable Insight" is checked on the server.

     

    Next, go to:

     

    i. Configuration > Enforcement > Profiles > Click "+Add"

    ii. Choose a "RADIUS based enforcement" template

    iii. Under the "Attributes" tab, hit the "Click to add" and choose the "Insight Repository"

     

     

    Hope this helps!

     

    -Mike