Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass securing devices to a specific application

  • 1.  ClearPass securing devices to a specific application

    Posted Dec 28, 2016 12:20 PM

    Hi All,

    I have ClearPass for Onboard and OnGuard. It is working great for my 802.1X needs.

    I have a requirement that we get a specific application working on some Android tablets in our various stores so that customers can check out or browse products. They should be segmented out from all other VLAN traffic.

    How can I leverage ClearPass so that it detects that the particular application is in use and puts it on the correct VLAN?

    We will have about 3-400 of these tablets.

    N



  • 2.  RE: ClearPass securing devices to a specific application

    EMPLOYEE
    Posted Dec 28, 2016 12:30 PM
    What type of encryption are you using for those tablets? The best way to do what you are looking for is to detect a common username or AD group that the tablets are using to put them into a VLAN. ClearPass OnGuard does not have an agent to detect applications on a mobile device. A second option is if you are using MobileIron or some sort of device management for your tablets and you can use MAC authentication to that database to move your mobile devices to that VLAN when they attach...


  • 3.  RE: ClearPass securing devices to a specific application

    Posted Dec 28, 2016 12:39 PM

    I was planning on EAP-TLS over a mobility controller with tunnel mode back to the datacenter.

    Onboard for certificate provisioning is probably the way to go.

    So this solution would make these tablets fairly fixed with their security, meaning that if we had another purpose, like a staff member going to do inventory with another application, it would have to be moved to a different SSID to get the proper access?



  • 4.  RE: ClearPass securing devices to a specific application

    EMPLOYEE
    Posted Dec 28, 2016 12:46 PM

    If you are using EAP-TLS, you can "authorize" the Common Name or username on the certificate to AD, and you can use that account or the group that account username is in to move it to the correct VLAN.



  • 5.  RE: ClearPass securing devices to a specific application

    EMPLOYEE
    Posted Dec 28, 2016 12:33 PM
    You may want to consider Onboarding these devices to a separate "device" CA and leveraging that as part of your policy decision.