Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass and AirWatch

  • 1.  ClearPass and AirWatch

    Posted Oct 16, 2014 04:46 PM

    We've recently implemented CPPM to manage authentication and authorization on our wireless network.  Now we're proposing to implement AirWatch for management of mobile devices.

     

    The challenge is that we need to force the mobile devices to install the AW agent before they are granted full access to the corporate VLAN. 

     

    One idea was to use ClearPass to return a specific user role if the device doesn't have the agent installed, where it would then be limited to accessing the agent download pages.  But is it possible to use a captive portal in this case following L2 802.11x authentication?

     

    If anyone has done something like this before or has any ideas about how we can achieve this, I'd be very interested to hear more.



  • 2.  RE: ClearPass and AirWatch

    EMPLOYEE
    Posted Oct 16, 2014 05:07 PM

    Absolutely!  We do this all the time with single 802.1x SSID onboarding.  If the user doesn't have the agent based on the MDM integration we have with Airwatch, then send back a user role and on the controller, have a captive portal profile pointing to the page you wish to send users to.  Make sure to whitelist any links to allow the download to occur however!



  • 3.  RE: ClearPass and AirWatch

    EMPLOYEE
    Posted Oct 16, 2014 05:09 PM

    Just follow this guide to accomplish this.  It covers single SSID onboarding but applicable to your use case:

     

    https://ase.arubanetworks.com/solutions/id/34

     

    For MDM, see the EMM integration guide as well here - http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961



  • 4.  RE: ClearPass and AirWatch

    Posted Oct 22, 2014 08:44 AM

    Thanks for your reply.  I have a further question.

     

    If we use CP to return a different user role based on whether the client has the AW agent installed or not, how then can we redirect non-AW clients to a captive portal?  As I understand it, once you have authenticated, subsequent traffic does not touch the controller (if configured using bridge mode which we do)?

     

     



  • 5.  RE: ClearPass and AirWatch
    Best Answer

    EMPLOYEE
    Posted Oct 22, 2014 08:46 AM

    Captive portals cannot be used in bridge mode.



  • 6.  RE: ClearPass and AirWatch

    Posted Oct 27, 2014 09:20 AM

    If you would need a captive portal with local breakout you should look at the Aruba Instant solution.



  • 7.  RE: ClearPass and AirWatch

    Posted Oct 29, 2014 02:55 PM

    I have this integration set up and working, checking for jailbroken devices, check in time, etc. 

     

    Here's the issue - the requirement to access the corp network is to both be enrolled in Airwatch + OnBoard. You must first install AirWatch, then OnBoard (this is how they want the policy). The problem is that CPPM only syncs occasionally to Airwatch. If we set the sync time to anything less than 60 minutes in the cluster-wide parameters, the sync fails.

     

    So the user gets stuck in a state of having enrolled in Airwatch and trying to connect to the SSID in order to OnBoard, but since CPPM doesn't have the Airwatch attributes yet, they must wait for a sync to occur.

     

    How are others dealing with this?



  • 8.  RE: ClearPass and AirWatch

    Posted Oct 29, 2014 03:17 PM

    You could allow access for cases where the AirWatch/MDM attributes do *not yet* exist at the related endpoint. You can create a policy for this like:

     

    Endpoint:MDM Enabled NOT_EXISTS --> allow access

     

    Once the sync is done the MDM-attributes will exist at the endpoint. During re-authentication a different policy will be evaluated which checks for MDM to be enabled etc.

     

    I understand this situation is not ideal, but this will make the solution more usable.
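To make the first-match behaviour of the rule above concrete, here is a small Python model of such an enforcement policy. It is an added example written for this thread, not ClearPass code or any poster's configuration; the role names, the "Compromised" attribute (standing in for the jailbreak check mentioned earlier) and the rule order are assumptions.

```python
# Constructed model of a ClearPass-style enforcement policy: an ordered list
# of (condition, role) rules evaluated top to bottom against the endpoint's
# attributes, first match wins.  Illustration only, not ClearPass code.

def cond(attr, op, value=None):
    """Build a predicate over an endpoint attribute dictionary."""
    def check(endpoint):
        present = attr in endpoint
        if op == "NOT_EXISTS":   # attribute never synced from the MDM yet
            return not present
        if op == "EXISTS":
            return present
        if op == "EQUALS":       # absent attribute never equals anything
            return present and endpoint[attr] == value
        raise ValueError(f"unsupported operator: {op}")
    return check

# Assumed rule order and role names.  The first rule is the one proposed in
# the post: no MDM attributes at all means the device has not been synced,
# so it is sent to onboarding instead of being quarantined.
POLICY = [
    (cond("MDM Enabled", "NOT_EXISTS"), "ONBOARD_ROLE"),
    (cond("Compromised", "EQUALS", "true"), "DENY"),        # jailbroken/rooted
    (cond("MDM Enabled", "EQUALS", "true"), "CORP_ROLE"),
]
DEFAULT_ROLE = "QUARANTINE_ROLE"   # synced, but not enrolled/compliant

def evaluate(endpoint):
    """Return the role for an endpoint, or the default if no rule matches."""
    for check, role in POLICY:
        if check(endpoint):
            return role
    return DEFAULT_ROLE

def lifecycle():
    """Constructed endpoint states across the AirWatch sync cycle."""
    return {
        "before_sync": evaluate({}),
        "enrolled":    evaluate({"MDM Enabled": "true", "Compromised": "false"}),
        "jailbroken":  evaluate({"MDM Enabled": "true", "Compromised": "true"}),
        "unenrolled":  evaluate({"MDM Enabled": "false"}),
    }

if __name__ == "__main__":
    for state, role in lifecycle().items():
        print(f"{state:12s} -> {role}")
```

Note that the NOT_EXISTS rule is what keeps a freshly enrolled device from being stuck between syncs; once the attributes arrive, re-authentication lands on the later rules.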