Moderator

Re: ClearPass only blocking some phones

1) Yes, just add them into the policy. Be sure to change the rules evaluation to Any. Also, why are you checking groups to individual domain controllers instead of just the AD auth source?

2) I don't have an answer for that but you can leverage the Aruba-Device-Type attribute on top of the ClearPass profile to get more granular. Take a look at my screenshot above.

In regards to the faculty/staff devices, why are you maintaining a MAC list instead of just using the user's identity? You should already know that they are faculty/staff based on AD information, so checking the device shouldn't matter. You can then condense your enforcement policy down to only a few rules:

   Rule 1: stays the same (profile check)
   Rule 2: [ TIPS Role MATCHES_ANY  USER_TEACHER, USER_STAFF ] AND [ TIPS Role EQUALS DEVICE_SMARTDEVICE ] >> HCS-WIFI
   Delete rules 3-6
   New rule 3: [ TIPS Role MATCHES_ALL   USER_STUDENT, DEVICE_SMARTDEVICE ]   >> Blocked_Phone_Role
   Rules 12 - 16 stay (Machine auth, user auth, etc)



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Frequent Contributor I

Re: ClearPass only blocking some phones

Tim,

Thanks for the response.

I had the conditions set for each role derived based on the authorization source (each DC). Is there a way to refer to an alias of all three servers like in the controller where you build a server group?

The reason for using the MAC whitelist (static hosts list) is because the customer wants to allow staff/faculty phones on a per-user basis. Not all teachers and staff will be allowed to use their phones on the wireless. All students are denied phone use, but they know they are going to have to make exceptions for staff/faculty because that is just the way it is.

I'll work with Jeremy to implement the changes and post back the results.

Thanks again for the guidance.

Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/
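The two posts above describe the same enforcement policy from two angles: Tim's condensed rule set (rule 2 for teacher/staff smart devices, new rule 3 blocking student smart devices) and Michael's requirement that staff phones be allowed only per user via the static host list. The toy evaluator below is an added example, not ClearPass code and not from either poster; it models both variants so the effect of rule order and of the extra MAC condition can be seen on constructed sessions. The TIPS Role and profile names come from the thread; the session dictionary shape, the allow-list MACs, the default profile and the reading that an unlisted staff phone falls into the blocked role are assumptions. Rule 1 (the profile check) and rules 12-16 are not shown in the thread, so they are collapsed into a default fall-through here.

```python
# Toy evaluator for the condensed enforcement policy in this thread (constructed
# example, not ClearPass code). Role and profile names are from the posts; the
# session shape, the MAC allow-list contents and the default profile are assumed.

# Stand-in for the static host list of staff/faculty phones (constructed MACs).
STAFF_PHONE_ALLOWLIST = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Assumed fall-through for the machine/user auth rules (12-16) not shown here.
DEFAULT_PROFILE = "Default-User-Role"


# Operators on the set of TIPS roles held by a session.
def matches_any(roles, wanted):
    return bool(set(roles) & set(wanted))


def matches_all(roles, wanted):
    return set(wanted) <= set(roles)


def equals(roles, wanted):
    return wanted in roles


def is_staff_smartdevice(session):
    r = session["roles"]
    return matches_any(r, ["USER_TEACHER", "USER_STAFF"]) and equals(r, "DEVICE_SMARTDEVICE")


def in_static_host_list(session, allowlist=STAFF_PHONE_ALLOWLIST):
    return session.get("mac", "").lower() in allowlist


def build_policy(per_user_exceptions=False):
    """Ordered (condition, enforcement profile) rules.

    per_user_exceptions=False is the condensed policy from the first reply.
    per_user_exceptions=True adds the static-host-list check the second post
    asks for: a staff phone is allowed only if its MAC is on the list, and an
    unlisted staff phone falls into the blocked role (assumed reading).
    """
    rules = []
    if per_user_exceptions:
        # Rule 2 with the MAC condition ANDed in.
        rules.append((lambda s: is_staff_smartdevice(s) and in_static_host_list(s), "HCS-WIFI"))
        # Unlisted staff phone: blocked like a student phone.
        rules.append((is_staff_smartdevice, "Blocked_Phone_Role"))
    else:
        # Rule 2 as proposed: any teacher/staff smart device.
        rules.append((is_staff_smartdevice, "HCS-WIFI"))
    # New rule 3: student with a smart device.
    rules.append((lambda s: matches_all(s["roles"], ["USER_STUDENT", "DEVICE_SMARTDEVICE"]),
                  "Blocked_Phone_Role"))
    return rules


def evaluate(session, policy, first_match=True):
    """Return the enforcement profile for a session.

    first_match=True models 'first applicable rule wins', so rule order decides
    overlaps; first_match=False returns every matching profile, which shows why
    overlapping rules depend on the ordering.
    """
    hits = [profile for cond, profile in policy if cond(session)]
    if first_match:
        return hits[0] if hits else DEFAULT_PROFILE
    return hits or [DEFAULT_PROFILE]


if __name__ == "__main__":
    listed = {"roles": {"USER_STAFF", "DEVICE_SMARTDEVICE"}, "mac": "aa:bb:cc:00:00:01"}
    unlisted = {"roles": {"USER_STAFF", "DEVICE_SMARTDEVICE"}, "mac": "de:ad:be:ef:00:00"}
    student = {"roles": {"USER_STUDENT", "DEVICE_SMARTDEVICE"}, "mac": "de:ad:be:ef:00:01"}
    for name, s in [("listed staff", listed), ("unlisted staff", unlisted), ("student", student)]:
        print(name, evaluate(s, build_policy(False)), evaluate(s, build_policy(True)))
```

The point to take from the dual-role case (a session holding both USER_STAFF and USER_STUDENT with a smart device) is that both rule 2 and rule 3 match, so the profile the session actually receives is decided purely by rule order under first-match evaluation; running with first_match=False surfaces such overlaps before they are relied on.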