
Clearpass mactrac - limit users to one iphone and one ipad

  • 1.  Clearpass mactrac - limit users to one iphone and one ipad

    Posted Jul 14, 2014 11:56 AM

    Guys,

    One of the reasons we bought ClearPass was to allow our staff to self-register their "employee owned" devices.  In this case, we don't purchase mobile phones or tablets for the staff, but allow them to use their devices.

     

    Our understanding (i.e., sales pitch) from Aruba was that we would be able to limit our staff to registering one iPhone and one iPad per employee.  The reason for this was employees would regularly purchase new phones and not tell us about it, and just join them to our staff wifi network (leaving the old one credentialed as well). :(

     

    To get around that, we started manually entering MAC addresses into the internal database of the Aruba controller so that the staff would at least have to bring us their new devices before they could get on the network.  Functional, but a headache for IT staff.

     

    The goal for ClearPass was to have staff go to a portal page and register their own devices...  All of this is working BUT we can't seem to find a way to limit it to one iPhone and one iPad.  It seems to see them both as iOS devices and makes no distinction, which really defeats the purpose if someone can add their old AND new iPhone to the system.

     

    Any ideas on how to make this work?



  • 2.  RE: Clearpass mactrac - limit users to one iphone and one ipad

    EMPLOYEE
    Posted Jul 14, 2014 05:14 PM
    The only way to limit to a specific OS:

    1. Onboard the device
    2. Pull the information down from an MDM.

    CPPM can profile the device and limit by saying you are only allowed 2 iOS devices, but it can't tell the type by just the fingerprint. Apple's fingerprint is very limited and you would need an advanced profile from one of the above two to limit type of device.


  • 3.  RE: Clearpass mactrac - limit users to one iphone and one ipad

    Posted Jul 14, 2014 05:25 PM

    So basically, even though I paid for the product to do a specific purpose (I didn't buy the EVEN MORE EXPENSIVE licenses for onboarding), it won't do the job that I specifically asked for it to do.  Sigh... typical sales.

     

    You would think that if this product is designed to simplify the BYOD process... limiting an employee to a single phone might be something that is included in the product. 

     

    But alas, this is what I've come to expect from Aruba.  I'll call our sales rep and see if we can't get a refund for this expensive waste of money.



  • 4.  RE: Clearpass mactrac - limit users to one iphone and one ipad

    Posted Jul 14, 2014 05:27 PM

    Oh... and how come the Aruba controller can tell the difference between an iPad and an iPhone?  Seems like it's possible, it's just that ClearPass can't do it.  And it doesn't seem like that's Apple's fault.

     



  • 5.  RE: Clearpass mactrac - limit users to one iphone and one ipad

    EMPLOYEE
    Posted Jul 14, 2014 05:29 PM
    What code are you running on your controllers?

    There may be a way to do what you're asking but it's sloppy.

    The controller can see device type because it is in the datapath and can read the HTTP headers. ClearPass is not an inline device.
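
To illustrate the point in the reply above that a device in the datapath can tell an iPad from an iPhone by reading HTTP headers, here is an added example (not part of the thread, and not Aruba or ClearPass code) that classifies a User-Agent header and applies the one-iPhone, one-iPad limit. The `Registry` class, MAC addresses and sample headers are constructed for illustration.

```python
import re
from collections import defaultdict

# Policy from the thread: one iPhone and one iPad per employee.
LIMITS = {"iphone": 1, "ipad": 1}

# Safari on iOS puts the device family first inside the parentheses.
_FAMILY = re.compile(r"\((iPhone|iPad|iPod)\b")


def classify(user_agent):
    """Map an HTTP User-Agent header to 'iphone', 'ipad', 'ipod' or 'other'.

    The header is client-supplied, so the result is a hint for policy,
    not proof of what the device is.
    """
    match = _FAMILY.search(user_agent or "")
    return match.group(1).lower() if match else "other"


class Registry:
    """Hypothetical self-registration store: user -> {mac: device type}."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.devices = defaultdict(dict)

    def register(self, user, mac, user_agent):
        """Return (accepted, reason) for one registration attempt."""
        mac = mac.strip().lower().replace("-", ":")
        kind = classify(user_agent)
        owned = self.devices[user]
        if mac in owned:
            return True, "already registered"
        if kind not in self.limits:
            return False, f"{kind}: device type not permitted"
        if sum(1 for k in owned.values() if k == kind) >= self.limits[kind]:
            return False, f"{kind}: per-user limit reached"
        owned[mac] = kind
        return True, f"{kind}: registered"


# Constructed sample headers in the iOS 7 Safari format.
UA_IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) "
             "AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 "
             "Mobile/11D257 Safari/9537.53")
UA_IPAD = UA_IPHONE.replace("(iPhone; CPU iPhone OS", "(iPad; CPU OS")
```

Because both the User-Agent and the MAC address come from the client, a limit built this way constrains honest users; it does not authenticate the device.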


  • 6.  RE: Clearpass mactrac - limit users to one iphone and one ipad

    Posted Jul 14, 2014 05:36 PM

    We are running 6.3.1.5 on the Aruba controller and the latest patch (Cumulative Patch 4 for 6.3.x) on ClearPass.