Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Block devices on one SSID if previously logged into another

This thread has been viewed 0 times

  • 1.  Block devices on one SSID if previously logged into another

    Posted May 11, 2016 04:38 PM

    Scenario:

    Corporate (802.1X) and Guest (open w/clearpass captive portal) SSIDs are broadcasted.  Corporate devices may connect to the corporate SSID, but not the guest SSID.  The guest SSID captive portal only requires guests to 'accept terms' in order to gain Internet access; no username/password or identifiable information is requested.

     

    How do you keep Corporate devices from gaining Internet access on the guest SSID?  My current thought is a post authentication update that tags endpoints with an attribute of 'corporate' after logging into the corporate SSID.  The guest's captive portal would check for this attribute when authentications occur.  If the attribute exists, access is denied.

     

    I feel like this would work just fine, but am curious to know if anyone has some other ideas.  Can Clearpass verify if a device has logged into the Corporate SSID before?



  • 2.  RE: Block devices on one SSID if previously logged into another
    Best Answer

    EMPLOYEE


  • 3.  RE: Block devices on one SSID if previously logged into another

    EMPLOYEE
    Posted May 11, 2016 04:40 PM
    Yes, simply add an attribute to the endpoint database when they authenticate
    to corporate, and then check for it as rule #1 on the guest service.



    See this doc I wrote a couple of years ago:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Guide-Using-
    ClearPass-to-steer-users-to-secure-networks-mhc/td-p/144823


  • 4.  RE: Block devices on one SSID if previously logged into another

    EMPLOYEE
    Posted May 11, 2016 04:43 PM

    Or..  push the Guest SSID to that client with WEP encryption via a GPO.



  • 5.  RE: Block devices on one SSID if previously logged into another

    Posted May 11, 2016 05:07 PM
    Perfect! Thanks guys. Put of curiosity, why do you suggest posting the
    redirect page on a server rather than a weblogin page in Clearpass? This
    won't be an issue for me, I'm just curious.

    Colin, that was the initial plan but I'm concerned about the 1% chance some
    hotel is using the same guest SSID. I like the idea of the redirect page
    too in the instructions above as it will inform the user they shouldn't be
    on guest. This should reduce calls to the help desk.


  • 6.  RE: Block devices on one SSID if previously logged into another

    EMPLOYEE
    Posted May 11, 2016 05:22 PM
    Well, I wrote this when I was at a university and we had thousands of users
    hitting the page all the time. Since auth was never going to be performed on
    that page and ClearPass wasn't needed, I just wanted to take any extra load
    off the ClearPass web server.



    I would also recommend making the page HTTP instead of HTTPs. It will reduce
    load on ClearPass and the controller and also users won't get certificat
    errors on redirect.


  • 7.  RE: Block devices on one SSID if previously logged into another

    Posted May 11, 2016 05:23 PM
    Very good. Thanks Tim.