Clearpass guest MAC caching, special role, device conflict
11-26-2018 03:39 PM
Question regarding conflict detection in ClearPass 6.7 - or a better workflow to lock down a specific device on a guest network with something more than just a MAC address.
To help smooth the provisioning of guest accounts, we've set up an iPad that's available for them to put in their details to be quickly verified by an operator and click create. (We don't want to use full device self-registration)
Since it's an iPad, we've put this on the guest SSID and set up the ClearPass ACLs to allow access to the guest mgmt page for this static IP (DHCP is via a WLC so no static DHCP assignment unfortunately), and set up a special role on the WLC for this locked-down role.
The ClearPass service will check that the MAC exists in the static host list, and that a custom attribute exists - manually put in the endpoint repository (the serial number). Of course the iPad doesn't actually present the serial number, so it's not being actively checked.
I thought I could bodge it by then somehow checking, using the device conflict flag, if someone tries to spoof the MAC of the iPad. But would this actually work - would the custom attribute get overridden by the spoofed device?
Or am I way over-complicating this, and is there a better way to verify the identity of that specific iPad on the guest network than just MAC checking (since it's trivial to spoof)?