Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass solution question

  • 1.  Clearpass solution question

    Posted Aug 21, 2014 04:34 PM

    Hello

    We have a school interested in ClearPass which has 3 main objectives:

    1- Students should be able to self-register devices themselves, and some kind of notification should arrive to the network admin, who should then confirm if they are okay to get in

    2- It should be able to identify if the laptops have an antivirus or not (OnGuard module here, I suppose)

    3- Smartphones should not be allowed

     

    What would be the best approach to do this?

    Which modules would fit better?

     

    As an additional note, the client does not have an AD for the students, and if it's possible they do not want to have one for them.

     

    OnGuard for the antivirus

    And Policy Manager

    I don't know if Onboard will fit without AD... or maybe we could use the Guest module for this??? With self-registration maybe?

     

    Ideas please??

     

    Cheers

    Carlos



  • 2.  RE: Clearpass solution question

    Posted Aug 21, 2014 04:51 PM

    1- Students should be able to self-register devices themselves, and some kind of notification should arrive to the network admin, who should then confirm if they are okay to get in

    You should be able to do this using Guest / Sponsor approval 

    2- It should be able to identify if the laptops have an antivirus or not (OnGuard module here, I suppose)

    OnGuard would allow you to determine whether the device has an antivirus or not, but you need to take into consideration what type of agent and how it will be deployed

    3- Smartphones should not be allowed

    All you need is to add ClearPass as a relay to do profiling based on device type, and use the endpoint database to then allow access or not depending on whether it is a smartphone or a computer

     

     

    Which modules would fit better?

    You will need Guest, Policy Manager and OnGuard for this, or bundle it using Enterprise

     

    As an additional note, the client does not have an AD for the students, and if it's possible they do not want to have one for them.

    Are they using 802.1X or just an open SSID ?

     

     



  • 3.  RE: Clearpass solution question

    EMPLOYEE
    Posted Aug 21, 2014 05:00 PM
    What type of identity store are they using if not AD? Surely they have something for email and/or computer access?


  • 4.  RE: Clearpass solution question

    Posted Aug 21, 2014 08:44 PM

    Those are for the students' personal devices.... they do not have an email or anything.

    They want to control somehow the devices the students are bringing; right now they are doing it with MAC authentication, and the students have to go to the IT department to add the device to the MAC address table.

    As you can see this takes a lot of time for them. They are looking for a way to speed this up. They also need to check if the computer has an antivirus.

     

    ClearPass can do that automatically; with OnGuard, the antivirus check is solved

     

    For the self-registration, with ClearPass Guest that is solved, but we still need to know a few things

     

    1- With MAC caching, can I make the students log in only once and maybe ask them to log in again every month or 3 months? Or any time the client wants? They asked me if the student will need to log in each time they access the network. They do not want that.

    2- Can I limit the number of devices that one user can have? For example, one random student is allowed to have 2 devices only

     

     

    Finally, I know you come from a large university (how did you guys manage this?). Just a small summary would be good if you can. Maybe you can give me an example of how it's done in big universities.

     

    Cheers

    Carlos

     



  • 5.  RE: Clearpass solution question

    EMPLOYEE
    Posted Aug 21, 2014 08:47 PM

    1) Yes, you can set whatever "expiration" time you want.

    2) If you have some type of user ID to tie the device to, then yes.

     

    At most universities, students can register as many devices as they choose and just log in with their username and password. Very few still require posture checks. Many are doing away with registration for 1X-capable devices.

     

    In terms of licensing, you are better off doing Enterprise licenses than doing OnGuard and Guest separately.

     



  • 6.  RE: Clearpass solution question

    Posted Aug 21, 2014 08:53 PM

    Tim

    For this point

     

    2) If you have some type of user ID to tie the device to, then yes.

     

    Can I use the email they use to self-register for this?? I mean, for the self-registration they will need an email, which will be their user, and the password will be randomly created.

     

    Cheers

    Carlos



  • 7.  RE: Clearpass solution question

    EMPLOYEE
    Posted Aug 21, 2014 09:01 PM
    Yes, but keep in mind, if they want to register more devices, all they have to do is use another email address.


  • 8.  RE: Clearpass solution question

    Posted Aug 21, 2014 10:58 PM

    Keep in mind also that if they register with a new unknown user, IT should know that and will not give him access to that account. :)

     

    Cheers

    Carlos
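
The enforcement rules discussed in the replies above (profiling-based denial of smartphones, OnGuard posture, MAC-cache expiry, sponsor approval and a per-user device limit), modelled as an added Python example over a constructed endpoint list. This is not code from the thread or from HPE Aruba; ClearPass implements these rules in its enforcement policies and Guest configuration, and the field names, role names, the 90-day cache lifetime, the limit of 2 devices and the "SmartDevice" category are all assumptions made here. It also shows why the device limit keyed on a self-registration email is reset by simply using a new email, which is the point made in the replies above.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAC_CACHE_LIFETIME = timedelta(days=90)   # assumed: "log in again every 3 months"
MAX_DEVICES_PER_USER = 2                  # assumed: "2 devices only"
DENIED_CATEGORIES = {"SmartDevice"}       # assumed profiler category for phones/tablets


@dataclass
class Endpoint:
    mac: str
    device_category: str          # result of profiling (assumed values)
    registered_to: str            # email typed in at self-registration
    sponsor_approved: bool        # IT confirmed the registration
    registered_at: datetime       # when the MAC was cached
    antivirus_ok: Optional[bool]  # OnGuard posture result; None = no agent reported


def decide(ep: Endpoint, now: datetime) -> tuple:
    """Role and reason for one endpoint, tested in enforcement-policy order."""
    if ep.device_category in DENIED_CATEGORIES:
        return "DENY", "smartphone/tablet category not permitted"
    if not ep.sponsor_approved:
        return "DENY", "self-registration not yet approved by IT"
    if now - ep.registered_at > MAC_CACHE_LIFETIME:
        return "CAPTIVE_PORTAL", "MAC cache expired, student must register again"
    if ep.antivirus_ok is None:
        return "QUARANTINE", "no OnGuard posture result"
    if not ep.antivirus_ok:
        return "QUARANTINE", "posture failed: no antivirus"
    return "STUDENT", "ok"


def active_devices(endpoints, now: datetime) -> Counter:
    """Devices that count against a user's limit: approved and not yet expired."""
    return Counter(
        ep.registered_to for ep in endpoints
        if ep.sponsor_approved and now - ep.registered_at <= MAC_CACHE_LIFETIME
    )


def can_register(email: str, endpoints, now: datetime) -> bool:
    """Limit enforced at registration time, keyed only by the email typed in.
    A student who enters a different email starts from zero; the sponsor
    approval step is what has to catch that."""
    return active_devices(endpoints, now)[email] < MAX_DEVICES_PER_USER


def evaluate(endpoints, now: datetime) -> dict:
    return {ep.mac: decide(ep, now) for ep in endpoints}


# Constructed sample endpoint database (not real data).
NOW = datetime(2014, 8, 22, 9, 0)
ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "Computer", "alice@example.edu", True, NOW - timedelta(days=10), True),
    Endpoint("00:11:22:33:44:02", "SmartDevice", "alice@example.edu", True, NOW - timedelta(days=3), None),
    Endpoint("00:11:22:33:44:03", "Computer", "bob@example.edu", False, NOW - timedelta(hours=1), None),
    Endpoint("00:11:22:33:44:04", "Computer", "carol@example.edu", True, NOW - timedelta(days=120), True),
    Endpoint("00:11:22:33:44:05", "Computer", "dave@example.edu", True, NOW - timedelta(days=2), False),
]

if __name__ == "__main__":
    for mac, (role, why) in evaluate(ENDPOINTS, NOW).items():
        print(f"{mac}  {role:<14} {why}")
    print("alice can add another device:", can_register("alice@example.edu", ENDPOINTS, NOW))
    print("alice2 (new email) can add:", can_register("alice2@example.edu", ENDPOINTS, NOW))
```

The category check comes first because a phone cannot run the OnGuard agent and would otherwise land in quarantine rather than being refused outright; the expiry check sends the student back to the captive portal instead of silently re-caching the MAC, which is the "log in again every 3 months" behaviour asked for.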



  • 9.  RE: Clearpass solution question

    Posted Aug 21, 2014 11:01 PM

    Tim

    Did you guys also use, or do universities use, ClearPass Guest for something like this?

     

    Or did you guys use Onboard and have the students in an Active Directory or something to work with it? I mean for student personal devices

     

    Cheers

    Carlos



  • 10.  RE: Clearpass solution question

    EMPLOYEE
    Posted Aug 21, 2014 11:05 PM
    No guest, no onboard. Just standard PEAP username/password authentication. No registration.

    The only thing Guest was used for was actual campus guests and non-dot1X device registration (Xboxes, media players, printers, etc.)


  • 11.  RE: Clearpass solution question

    Posted Aug 21, 2014 11:08 PM

    Really?? haha, I thought you guys used ClearPass for everything there...

     

    Thanks for the information!

     

    Might ask more things later so I'll keep this thread open :)

     

    Cheers

    Carlos



  • 12.  RE: Clearpass solution question

    EMPLOYEE
    Posted Aug 21, 2014 11:14 PM
    The goal was to eliminate registration. It was redundant. Why make someone that has already entered valid credentials, login again and click submit?

    It's all about the backend logic. A lot was done with the endpoint database capturing information without any user interaction.

    Come to campus, connect using username/password, done for 4 years. (unless you get a new device). Can't ask for a better user experience than that. :)


  • 13.  RE: Clearpass solution question

    Posted Aug 21, 2014 11:17 PM

    I suppose so, but then you would need to have all the students registered in the AD...

    Every year then you guys need to add all the new students to it, unless it's done automatically somehow?

     

    Cheers

    Carlos



  • 14.  RE: Clearpass solution question

    EMPLOYEE
    Posted Aug 21, 2014 11:19 PM
    Yes, most schools have an identity store already in place for things like email, learning management systems, grades, student records, etc.



  • 15.  RE: Clearpass solution question

    Posted Aug 21, 2014 11:21 PM

    Does that identity store work with an Active Directory, or did you somehow use the user and password for the EAP-PEAP even if it wasn't AD?

     

    I'm trying to understand to see if the client has something like that. I like giving options :)

     

    Cheers

    Carlos



  • 16.  RE: Clearpass solution question

    EMPLOYEE
    Posted Aug 21, 2014 11:25 PM

    You can also use the local user database in CPPM for onboard and PEAP. 



  • 17.  RE: Clearpass solution question

    Posted Aug 21, 2014 11:28 PM

    So it doesn't need to be an AD. Okay

     

    Troy, do you have a better way of doing what this client wants to do? A neater one? :)

     

    I thought of what I posted, using ClearPass Guest and self-registration, which Tim and Victor already told me is possible.

     

    Just wondering if it's a good way or there is a better way? :)



  • 18.  RE: Clearpass solution question

    EMPLOYEE
    Posted Aug 21, 2014 11:27 PM
    Most use AD and sync other systems like LDAP to it and then use LDAP as an authorization source for single sign on systems like Shib/CoSign.

    The university where I deployed ClearPass, I used AD for authentication and some authorization and then enterprise LDAP for authorization (hr data, student info, etc)



  • 19.  RE: Clearpass solution question

    Posted Aug 21, 2014 11:29 PM

    Thanks Tim... I'll investigate in this school about that

     

    Cheers

    Carlos



  • 20.  RE: Clearpass solution question

    EMPLOYEE
    Posted Aug 21, 2014 11:55 PM

    What you are running into is the most common issue that I see in K-12 customers. For Higher Ed, 99% of them have some type of auth server in place.

     

    What you have laid out is the most common way they usually set the system up.

     

    The main thing that you need to talk with them is the security aspect. Do they want data coming from staff devices going over the air unencrypted?

     

    Onboarding is usually only used for staff and/or teachers to make it so they don't have to put in credentials when they connect each time. (You can also accomplish the same with MAC caching, but you don't get the secure connection.)

     

    One of the options, like I mentioned before, is that you can use the internal database of CPPM to add the users. You can take a CSV file with all the student/staff names and import them into CPPM, and then you could use PEAP or Onboard, but depending on the age of the students that might not be an option; then you would want to use Guest Self-Reg.

     

    Another thing to keep in mind is that if you do self-reg, a lot of my customers do a guest user delete once a week or each night at midnight.

     

    Again, it all comes down to whether they have any type of backend where you can get the students' information. It would be less work for the staff. You can do everything in CPPM, but you are having a lot of people logging into CPPM, so make sure you are locking the system down with role and IP restrictions.
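
The CSV import into the CPPM internal database and the periodic account cleanup mentioned in the reply above, as an added Python example (not code from the thread or from HPE Aruba). It turns a constructed student roster into import rows with a randomly generated password and an expiry date per account, refuses a roster with duplicate usernames, and selects the accounts a nightly job would delete. The column names, the "Student" role and the one-year account lifetime are assumptions; check the import template your CPPM version expects before relying on this layout.

```python
import csv
import io
import secrets
import string
from datetime import datetime, timedelta

ACCOUNT_LIFETIME = timedelta(days=365)          # assumed: one school year
PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 14
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def make_password() -> str:
    """Random initial password from the OS CSPRNG, never from random.choice."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(PASSWORD_LENGTH))


def build_import_rows(roster, created: datetime) -> list:
    """roster: (student_id, display_name) pairs. One row per unique student id.
    Column names are assumed, not the documented CPPM import format."""
    rows, seen = [], set()
    for student_id, name in roster:
        username = student_id.strip().lower()
        if username in seen:
            raise ValueError(f"duplicate username in roster: {username}")
        seen.add(username)
        rows.append({
            "username": username,
            "password": make_password(),
            "role": "Student",
            "enabled": "true",
            "expire_time": (created + ACCOUNT_LIFETIME).strftime(TIME_FORMAT),
            "display_name": name,
        })
    return rows


def to_csv(rows) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def expired_accounts(rows, now: datetime) -> list:
    """Usernames the nightly cleanup job should delete."""
    return [r["username"] for r in rows
            if datetime.strptime(r["expire_time"], TIME_FORMAT) <= now]


# Constructed roster (not real students).
ROSTER = [("S1001", "Alice Example"), ("S1002", "Bob Example"), ("S1003", "Carol Example")]

if __name__ == "__main__":
    rows = build_import_rows(ROSTER, datetime(2014, 8, 22))
    print(to_csv(rows))
    print("due for deletion on 2015-09-01:", expired_accounts(rows, datetime(2015, 9, 1)))
```

The generated CSV contains cleartext initial passwords, so treat the file as a credential store: hand it over through a restricted channel and delete it once the import is done.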



  • 21.  RE: Clearpass solution question

    Posted Aug 22, 2014 12:00 AM

    Thanks Troy

    Good post! :)

     

    Cheers

    Carlos



  • 22.  RE: Clearpass solution question

    EMPLOYEE
    Posted Aug 22, 2014 08:57 AM
    I believe this should all be possible. You definitely need OnGuard for the posture checks, and profiling will help you restrict access from smartphones.

    For self-registration, you could use Onboard and have it leverage the local user database within ClearPass or some other LDAP lookup.