Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Designated Devices Get an Exclusive Role - Clearpass, Controllers, Certs....

  • 1.  Designated Devices Get an Exclusive Role - Clearpass, Controllers, Certs....

    Posted Jul 29, 2015 11:31 AM

    Hello, thank you in advance... I'm in over my head here. We have two Aruba 7210 controllers (master/local) plus one ClearPass VM with only the following ClearPass licenses:

     

    clearpasslicenses.PNG

    We have a wifi SSID set up with WPA2-AES and 802.1X, and users sign on to the wifi SSID using their Active Directory username and password. It works OK. We also have Windows Active Directory computers signing on to the wifi and authenticating as a computer, and that seems to work OK. The problem is how do we do this same type of machine authentication for Android, iPhone, Apple and other devices? I know we could do MAC address authentication but I'm trying to avoid that. Basically, what we are trying to accomplish is this:

    • If userA signs on to the wifi while on a managed, company-owned device then they get this "corp" role.
    • If userA signs on to the wifi while on their personal device they get a "guest" role.

    I'm not sure how to enforce machine authentication on non-Windows devices. I also noticed my Android phone doesn't even attempt machine authentication, only user. So it further muddies the water. I looked into EAP-TLS and putting certs on the devices, but there's a deluge of info out there and not so many real-world tutorials of how to set this up using Active Directory, ClearPass and Aruba controllers. Any help would be appreciated, thanks.

     


    #7210


  • 2.  RE: Designated Devices Get an Exclusive Role - Clearpass, Controllers, Certs....

    EMPLOYEE
    Posted Jul 29, 2015 11:33 AM
    Are you working with an Aruba ClearPass partner? This is a pretty involved configuration.

    Only Windows machines joined to a domain can machine auth (although there are some workarounds for Mac OS).



    Thanks,
    Tim


  • 3.  RE: Designated Devices Get an Exclusive Role - Clearpass, Controllers, Certs....

    Posted Jul 29, 2015 11:36 AM

    We bought all our Aruba gear (a ton!) from CDW....I'm thinking we may need to hire them or something....thanks.



  • 4.  RE: Designated Devices Get an Exclusive Role - Clearpass, Controllers, Certs....

    EMPLOYEE
    Posted Jul 29, 2015 12:59 PM
    If you are not familiar with ClearPass, it would be best to work with a partner. There are a lot of design discussions that need to happen prior to setting all of this up.