Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Checking if calling station id in guest device repository

  • 1.  Checking if calling station id in guest device repository

    Posted Dec 03, 2018 12:16 PM

    Just setting up AirGroup functionality for wifi devices. Most devices will be connected to our PSK network, so I'm just using DHCP fingerprints to identify supported devices. However, I also want users with dot1x-connected devices to be able to see PSK-connected AirGroup devices.


    I want to do this by registering all MAC addresses (irrespective of PSK or dot1x connectivity) in ClearPass Guest with AirGroup enabled.

    Having a senior moment. In my eduroam (WPA2-Enterprise) service, what's the easiest way of checking if the client Calling-Station-Id is also in the ClearPass Guest device database?


    Rgds

    Alex




  • 2.  RE: Checking if calling station id in guest device repository
    Best Answer

    EMPLOYEE
    Posted Dec 03, 2018 12:19 PM

    Check if the attribute “Device Role ID” exists. But you do not need to register client devices, only servers. Registering clients and enabling AirGroup does nothing.



  • 3.  RE: Checking if calling station id in guest device repository

    Posted Dec 04, 2018 07:26 AM

    ... and it works. Re registering clients: it depends on whether you want to apply an additional set of ACLs specific to clients talking to AirGroup devices that aren't normally allowed.

    A



  • 4.  RE: Checking if calling station id in guest device repository
    Best Answer

    EMPLOYEE
    Posted Dec 04, 2018 08:36 AM
    Sure, but that has nothing to do with AirGroup itself. It is not recommended to force users to register client devices.


  • 5.  RE: Checking if calling station id in guest device repository

    Posted Dec 04, 2018 08:55 AM

    So hang on, if you want to set up a personal AirGroup config, in CPPM Guest you enable AirGroup and then select personal. The help says:

    "A personal device is automatically shared with other devices owned by the same user." 

    So I take that to mean all devices owned by a user need to be registered in ClearPass Guest irrespective of whether they are servers or clients.


    E.g. I've a Chromecast device and an Android tablet. If I register both, the tablet can see the Chromecast. If I remove the tablet, it can't see the Chromecast device. Isn't that the point ... that you have to register all the devices so they can all discover each other?




  • 6.  RE: Checking if calling station id in guest device repository

    EMPLOYEE
    Posted Dec 04, 2018 08:58 AM
    No. Only the servers need to be registered. The user binding is done by the controller based on the username. This is why it’s important to use fully qualified usernames across the board (tim@abc.edu).

    Client devices should not be forced to register unless there is some other use case outside of AirGroup. Forcing 802.1X users to register is a very poor user experience.


  • 7.  RE: Checking if calling station id in guest device repository

    Posted Dec 04, 2018 09:13 AM

    > No. Only the servers need to be registered. The user binding is done by the controller based on the username. This is why it’s important to use fully qualified usernames across the board (tim@abc.edu).


    O.k., didn't appreciate that. That's a bit of a problem then, as eduroam users log in with "fred@york.ac.uk" (or "cn=fred-abcd@york.ac.uk" if TLS connections) and device registrations are owned by "fred" ... then we've got the users that don't bother to use our onboarding service and just have user "fred".

    > Client devices should not be forced to register unless there is some other use case outside of AirGroup. Forcing 802.1X users to register is a very poor user experience.


    All our users have a fixed set of ACLs applied, including blocking client-to-client traffic where possible. By registering the MAC address, we apply a different role/policy that opens up additional ports as appropriate.




  • 8.  RE: Checking if calling station id in guest device repository

    Posted Dec 04, 2018 11:34 AM

    So if I have user@domain for my eduroam users, and need to match user IDs with servers registered in ClearPass Guest ... assuming you are talking about the sponsor name here, what do I configure to have the sponsor name have a domain in it? My ClearPass Guest service strips off the @york.ac.uk to authenticate against AD.

    A



  • 9.  RE: Checking if calling station id in guest device repository

    EMPLOYEE
    Posted Dec 04, 2018 11:57 AM
    Users should log into everything (network, web portals, etc) with their fully qualified username. That’s the UPN in most environments.


  • 10.  RE: Checking if calling station id in guest device repository

    Posted Dec 04, 2018 12:01 PM

    Except here, where the only thing you use a domain to log in for is eduroam.... Still the same question: assuming the sponsor name is the one that has to match up with an eduroam logged-in account, what do I do to get the sponsor to = fred@domain?

    I have configured guest login to strip off the domain so we can auth against AD just like our eduroam auths, but when I log into Guest as myuserid@york.ac.uk and create a device, the sponsor name is still only myuserid with no domain.

    A



  • 11.  RE: Checking if calling station id in guest device repository

    EMPLOYEE
    Posted Dec 04, 2018 12:03 PM
    Configure the auth source to not strip and use UPN. Stripping is not recommended.


  • 12.  RE: Checking if calling station id in guest device repository

    Posted Dec 04, 2018 12:12 PM

    Guest users have to auth against AD, so I have to strip off the realm. If I don't, auth fails; it's what we do for eduroam authentication.




  • 13.  RE: Checking if calling station id in guest device repository

    EMPLOYEE
    Posted Dec 04, 2018 12:15 PM
    Guest users should have nothing to do with operator logins to ClearPass.


  • 14.  RE: Checking if calling station id in guest device repository

    Posted Dec 04, 2018 12:17 PM

    Sigh! Not doing too well here :-(




  • 15.  RE: Checking if calling station id in guest device repository

    Posted Dec 04, 2018 12:22 PM

    Copied the guest operator login and added roles/enforcement policies for guest users when logging into ClearPass Guest.
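Two checks from this thread, worked as an added example that is not ClearPass code and not from any poster: the "does a Device Role ID exist for this Calling-Station-Id" lookup from the accepted answer, and the sponsor-name versus 802.1X-username comparison that fails when the realm is stripped. The repository rows, role IDs and realm are constructed sample values.

```python
import re
from typing import Optional

# Constructed stand-in for the ClearPass Guest device repository (not real data).
# Keys are MACs normalised to 12 lowercase hex digits.
DEVICE_REPOSITORY = {
    "aabbccddeeff": {"sponsor_name": "fred@york.ac.uk", "device_role_id": 2},
    "001122334455": {"sponsor_name": "alex", "device_role_id": 3},  # sponsor stored without realm
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Collapse the Calling-Station-Id forms different NAS types send
    (AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff) to 12 hex digits.
    Returns None for anything that is not a plain MAC."""
    raw = re.sub(r"[-:. ]", "", calling_station_id).lower()
    return raw if _HEX12.match(raw) else None


def device_role_id(calling_station_id: str) -> Optional[int]:
    """The 'Device Role ID exists' check: None means the MAC is not registered."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return None
    row = DEVICE_REPOSITORY.get(mac)
    return row["device_role_id"] if row else None


def is_registered(calling_station_id: str) -> bool:
    return device_role_id(calling_station_id) is not None


def fully_qualified(username: str, default_realm: str) -> str:
    """Append the realm to a bare username so both sides compare as UPNs."""
    return username if "@" in username else f"{username}@{default_realm}"


def sponsor_matches_user(calling_station_id: str, username: str, default_realm: str) -> bool:
    """Exact comparison, as a controller keyed on username would do it:
    'alex' never equals 'alex@york.ac.uk', which is the thread's failure mode."""
    mac = normalize_mac(calling_station_id)
    row = DEVICE_REPOSITORY.get(mac) if mac else None
    if row is None:
        return False
    return row["sponsor_name"].lower() == fully_qualified(username, default_realm).lower()
```

Strict comparison is deliberate: normalising the stored sponsor name on the fly would hide the misconfiguration instead of surfacing it.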