Occasional Contributor I

ClearPass - Allow "Preapproved" Devices

Hi everyone,
I'm a bit new to ClearPass.  I have managed to get authentication to happen pretty easily from AD credentials, but the enforcement is giving me some problems.  We have a mix of Windows (AD joined), Chromebooks, and iPads that we would like to allow access to our main network, but deny all other users.  These are essentially "trusted devices".
Since we are not doing just Windows devices, I cannot enforce machine authentication.  I have added the Google Admin Console as an "endpoint repository".  I've tried enforcing a rule of dropping all by default and allowing devices in the "known" endpoint repository.  That has resulted in all devices being denied.
Could someone point me in the right direction for how I should think about allowing these devices?
Thanks in advance!

Guru Elite

Re: ClearPass - Allow "Preapproved" Devices

What EAP methods are in use? Strong credentials should attest to device authorization.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: ClearPass - Allow "Preapproved" Devices

Thanks for the quick reply.  We are using PEAP MSCHAPv2 because the Chromebooks and iOS devices do not support device authentication.  All of our devices, with the exception of the iOS devices, automatically pass the usernames and passwords to make it seamless.

Guru Elite

Re: ClearPass - Allow "Preapproved" Devices

Both platforms support device certificates.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor I

Re: ClearPass - Allow "Preapproved" Devices

All of the research that I have seen shows that device certificates are not feasible on Chrome Devices because they require a special onboarding network and our students to go through a special process.  Are you aware of an automatic way of provisioning these certificates on the devices with no user intervention, but still allowing for username credentials to be passed to the controller for accounting purposes?
I should probably also note that we would eventually like to use the same VLAN for BYOD devices but with firewall rules on the Aruba controller to limit access.  I apologize for moving the goalposts.
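One way to reason about the enforcement rules discussed in this thread, as an added Python model of a first-match policy (not ClearPass configuration and not the thread's own material): the attribute names, the CA name and the MAC addresses are constructed assumptions, and the model shows why a certificate-based rule is stronger device evidence than a PEAP credential plus an endpoint-repository lookup.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed "endpoint repository": MACs imported from the Google Admin
# Console (managed Chromebooks) and from AD computer objects. Keys are
# normalised to lower-case colon form; a format mismatch between the
# repository and the RADIUS Calling-Station-Id silently fails the lookup.
KNOWN_ENDPOINTS = {
    "aa:bb:cc:00:00:01": "google-admin",   # managed Chromebook
    "aa:bb:cc:00:00:02": "ad-computers",   # AD-joined Windows laptop
}
TRUSTED_CERT_ISSUER = "CN=Example School Device CA"   # assumed CA name


@dataclass
class Request:
    user: str
    mac: str                       # as sent by the NAS, any format
    outer_method: str              # "EAP-PEAP" or "EAP-TLS" (assumed names)
    cert_issuer: Optional[str] = None
    ad_groups: Tuple[str, ...] = ()


def normalise_mac(mac: str) -> str:
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def evaluate(req: Request) -> str:
    """First-match evaluation; returns the enforcement profile name."""
    # Rule 1: a device certificate from our own CA is per-device evidence.
    if req.outer_method == "EAP-TLS" and req.cert_issuer == TRUSTED_CERT_ISSUER:
        return "Trusted-Device-Full-Access"
    # Rule 2: PEAP user credentials plus a known-endpoint lookup. Weaker:
    # only the MAC ties this session to a device, and the same AD password
    # works from any hardware.
    if (req.outer_method == "EAP-PEAP"
            and normalise_mac(req.mac) in KNOWN_ENDPOINTS
            and "Domain Users" in req.ad_groups):
        return "Trusted-Device-Full-Access"
    # Rule 3: valid AD user on an unknown device gets the firewall-limited
    # BYOD role on the same VLAN instead of a bare deny.
    if req.outer_method == "EAP-PEAP" and "Domain Users" in req.ad_groups:
        return "BYOD-Restricted"
    return "Deny-Access"   # default rule
```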
