Frequent Contributor I

ClearPass With Student Devices that don't support 802.1X

Hello, I have some questions about student devices in dorm rooms and how some other people handle these types of situations.
We currently have 2 SSIDs: the primary 802.1X SSID authenticating to ClearPass/Active Directory, and an open guest network for guests and devices that don't support 802.1X like Xboxes, Rokus, PlayStations, stuff like that. We have DHCP fingerprinting rules in place that detect if they are game consoles or home entertainment devices and automatically take them and assign them to the student network, while the regular guests stay in the guest network. This works really well from a technical standpoint, but it's kind of not intuitive, and since students don't like to read our instructions for which devices go on which network, we get lots of work orders for this. Additionally, since it's an open network, it's not very secure. I would prefer to move these devices over to a secure network and leave the guest network for actual guests.
It sounds like EAP-PWD is a better, more secure version of WPA-PSK, but I can't seem to find much in the way of documentation for it. I can't even seem to find much in the way of client support for the standard. Do typical consumer devices like the ones mentioned support this? Does anyone have a guide on how to actually configure this with Aruba Controllers and ClearPass? I see basic notes for it but not how to actually make it work.

Additionally, what do other users do for this? I would be interested to know what other orgs do in this scenario. I would prefer to avoid having them register their devices in ClearPass, and that seems to be kind of a pain and not a great user experience. Ideally, I think my dream is an SSID that is locked down and the only way to get connected to it is via DHCP fingerprinting. Other devices such as phones would connect to the 802.1X network, and then real guests would go register on the captive portal.

Thanks in advance, I am very curious to see what others have ended up doing for their students.

MVP Expert

Re: ClearPass With Student Devices that don't support 802.1X

Your best option for headless devices is to use the ClearPass device registration workflow, see here:
https://community.arubanetworks.com/t5/Unlisted-1/How-To-Advanced-Device-Registration-in-ClearPass-November-MHC/td-p/217291

With this option you will be using MAC authentication, and it also gives students the flexibility to register and manage their own devices.

Thank you

Victor Fabian

Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Moderator

Re: ClearPass With Student Devices that don't support 802.1X

EAP-PWD is a form of 802.1X which most of these devices do not support. As Victor mentioned, use either an open or PSK network with Device Registration.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor I

Re: ClearPass With Student Devices that don't support 802.1X

Guys,

Am I the only one that can no longer open this link? If so, do you know if there is another resource where I can find these details now?

Thanks,

Jeff

Occasional Contributor II

Re: ClearPass With Student Devices that don't support 802.1X

I can't open it either.

Access Denied

Re: ClearPass With Student Devices that don't support 802.1X

Is this what you are looking for?

https://community.arubanetworks.com/t5/Security/Clearpass-device-registration-formerly-MACTrac/td-p/532717

----------------------------------------------------
Project engineer