Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Device visibility with AirGroup + ClearPass

  • 1.  Device visibility with AirGroup + ClearPass

    Posted Mar 04, 2020 10:24 AM

    We are an Aruba (ArubaOS 8.5.0.5) shop and are evaluating AirGroup + ClearPass (6.8.4) to provide students a more home-like experience in their residence halls. That is, we would like students to be able to register and see only their registered devices.

     

    If a user registers a device in ClearPass, is that device visible to non-registered devices (or devices registered to another user) -- even if the devices are associated with the same AP?

     

    We have received conflicting answers from our Aruba SEs, account exec, and TAC, so we are hoping to learn how to limit device visibility from others who are using ClearPass.



  • 2.  RE: Device visibility with AirGroup + ClearPass

    EMPLOYEE
    Posted Mar 04, 2020 10:28 AM

    If the device is registered as AirGroup "Shared" with no other restrictions (role, location, etc), it will be visible to all users.

     

    Any device registered as AirGroup "Personal" will only be visible to other devices that have authenticated with the same identity (username), and up to 10 additional usernames can be added (roommates, etc).

     

    It is recommended that students only be allowed to register as Personal and leave "Shared" to fac/staff and IT.



  • 3.  RE: Device visibility with AirGroup + ClearPass

    Posted Mar 04, 2020 10:47 AM
    In ClearPass you have the ability to assign a Shared or a Personal role to the device.
    If the device is registered as Personal, only the user that registered the device will be able to see the device. The user can also share the device with other users (username).
    If the device is registered as Shared, you have different options to share the device:

    * Based on the user-role
    * Based on the AP
    * Based on the AP-Group



  • 4.  RE: Device visibility with AirGroup + ClearPass

    Posted Mar 04, 2020 11:12 AM

    Do we need to block traffic between clients (check 'Deny inter user traffic' on the vap profile) to make this work?

     

    We have not been able to make this work. We have a TAC case open (for many weeks) and they assure us that a user will always see other devices associated to the same AP, regardless of whether these devices are registered. Any ideas why TAC would be so insistent that this is the case?



  • 5.  RE: Device visibility with AirGroup + ClearPass

    EMPLOYEE
    Posted Mar 04, 2020 03:31 PM

    AirGroup only controls SSDP and mDNS advertisements. It does not control user datapath. Inter-user traffic cannot be denied or restricted if you're using AirGroup.