Hi Guys
Currently running ClearPass server 6.7.9 with 802.1X and wanted to know if it's possible to block personal phones/iPads from joining the corp network.
Currently anyone who has AD creds is able to sign in and abuse the corp network, and we wish to stop this.
We hav
Any thoughts
Couple things you can do.
1. If it's a corp phone and is under MDM, then you can put a rule stating that if not in MDM, deny from corp WiFi.
2. If you have a list of authorized devices, then use it as an authz source and only allow those phones/iPads.
3. Use a custom attribute and tag each of the corp phones manually, then make a rule only allowing phones with that attribute.
Thank you for the quick response.
We do have MDM in place, but how would ClearPass identify if it's in MDM or not?
Are you able to give me an example?
You can also move to EAP-TLS and either Onboard the Corp devices with a certificate issued by ClearPass as a CA or leverage an internal PKI to issue certificates for Corp devices.
What MDM do you use?
Airwatch
Refer to the Enterprise Mobility Management section here:
https://community.arubanetworks.com/t5/Security/ClearPass-Docs-Configuration-amp-Integration-Guides-Solution/td-p/522283
@arpitb wrote: Refer to the Enterprise Mobility Management section here: https://community.arubanetworks.com/t5/Security/ClearPass-Docs-Configuration-amp-Integration-Guides-Solution/td-p/522283
I get the following error when I set it up.
Error code: 401 Verify Proxy settings, Server credentials and retry.
The server is unable to reach your Airwatch instance when it's trying to poll for that information.
If you have a proxy setup in ClearPass you will have to allow this communication.
If communication is fine, double check the credentials being used.
Would allowing it to bypass work?
Any logs I can look at?
We don't have a proxy server.
Credentials seem fine, as I am able to log in on a test machine.
Anything else I can check?
Logs: Event Viewer and PolicyManager > MDM
Open a TAC case, they might be able to use curl to see if you can reach over https. Ensure you are able to use the FQDN of Airwatch portal and can ping it from ClearPass CLI. Sometimes it could be as simple as DNS resolution.
ClearPass is now able to communicate with MDM and imported all devices.
What rule should I put in place?
https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33307
Pg 14 and specifically Pg 18. The attribute might differ based on the EMM/MDM vendor.
doh
Completely forgot about that.
Thanks, will look into it.
How would you deal with devices which are already connected to the corp network?
Would you reboot APs or delete endpoints?
Delete from controller user-table. They should reconnect and get new policy.
You mean do a bulk delete from endpoints in ClearPass?
Under the service, you can enforce to match: if the device is an object in AD then allow access, pulling information from your Active Directory (source).
AP
We have that rule currently, but it's doing OR instead of AND.
If I change it, none of the mobile devices will connect, which is not what I want.
Is that what you meant by your statement?
Just add another rule under enforcement for that service; it will pick top to bottom.
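An added example, not ClearPass code or anything posted in this thread, that models the rule-ordering point above: enforcement rules are matched top to bottom, and two separate allow rules for "AD user" and "MDM-managed device" behave like OR, so an AD user on an unenrolled personal phone is still admitted. Attribute names, MAC addresses and the `managed` flag are constructed stand-ins for whatever the EMM/MDM poll actually populates.

```python
"""Toy first-match enforcement-policy evaluator (added example).

Models the thread's point that enforcement rules are evaluated top to
bottom with first match winning, and that a policy which admits on
"AD user" OR "MDM-managed" lets any personal device with valid AD
credentials onto the corp SSID.  All names and values are constructed.
"""

# Constructed endpoint repository; "managed" stands in for the MDM
# attribute learned from the EMM/MDM integration.
ENDPOINTS = {
    "aa:bb:cc:00:00:01": {"managed": True},   # corp iPad enrolled in MDM
    "aa:bb:cc:00:00:02": {"managed": False},  # personal phone, not enrolled
}

def is_ad_user(req):
    """True when the 802.1X user authenticated against AD."""
    return req["auth_source"] == "AD"

def is_managed(req):
    """True only if the client MAC is a known, MDM-managed endpoint."""
    return ENDPOINTS.get(req["mac"], {}).get("managed", False)

def evaluate(policy, req):
    """Return the profile of the first matching rule, else DENY."""
    for _name, condition, profile in policy:
        if condition(req):
            return profile
    return "DENY"

# Weak: two independent allow rules behave like AD-user OR managed.
# An AD user on an unmanaged phone matches rule 1 and is admitted.
WEAK_POLICY = [
    ("ad-user", is_ad_user, "ALLOW-CORP"),
    ("mdm-managed", is_managed, "ALLOW-CORP"),
]

# Fixed: explicit deny for unmanaged endpoints sits first, and the allow
# rule requires both conditions, so no personal device reaches an allow.
FIXED_POLICY = [
    ("unmanaged-deny", lambda r: not is_managed(r), "DENY"),
    ("ad-user-and-managed", lambda r: is_ad_user(r) and is_managed(r), "ALLOW-CORP"),
]

if __name__ == "__main__":
    corp = {"auth_source": "AD", "mac": "aa:bb:cc:00:00:01"}
    personal = {"auth_source": "AD", "mac": "aa:bb:cc:00:00:02"}
    for label, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(label, evaluate(pol, corp), evaluate(pol, personal))
```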