Security

Frequent Contributor I

Endpoint database shared?

Hi,

 

If I have two MAC authenticated networks, are the entries added into the endpoint repository differentiated at all? I am looking to have two networks, A and B, but I want each to have different expiration times. So users who onboard for SSID A have an expiration of say, a week, but users for SSID B have an expiration of say, a year. And I don't want users who register on A to be able to then connect on B.

 

How does CPPM store onboarded MAC addresses like that and is there a way with attributes to differentiate them?

 

Thanks.

Guru Elite

Re: Endpoint database shared?

What type of authentication is being used?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor I

Re: Endpoint database shared?

Open network with MAC authentication.

 

SSID A would be MAC authentication with allow all MAC, look for a valid MAC in the repository and active guest account. If false, would send back a role which launches a captive portal to register.

 

SSID B would be MAC authentication as well but would not be set for allow all MAC auths. It would look for an endpoint entry. If not found, would send back a user role to launch a captive portal with an AD over LDAPs login prompt. Upon successful authentication, the MAC would be added to the repository.

 

We're basically trying to get away from dot1x because of local password caching being an issue when users are forced to change their passwords (We're using EAP PEAP w/MSCHAPv2 right now). SSID A is a guest network, SSID B would be for staff. EAP-TLS is my preferred dot1x option, but I'm not sure if we're going to go in that direction at this time. 

Guru Elite

Re: Endpoint database shared?

You’d need to create custom endpoint attributes for each SSID.



Also, I would highly recommend that you go down the EAP-TLS path. MAC randomization is coming in full force in the next 12-18 months and will completely break these workflows that you’ve described.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
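Added example, not code from the thread or from Aruba/ClearPass: an offline model of the policy the reply above suggests. Each endpoint record carries two custom attributes, one naming the SSID it was registered on and one holding the registration expiry computed from a per-SSID lifetime (a week for SSID A, a year for SSID B, as in the question). The attribute names, the in-memory repository and the decision to refuse locally administered (randomized) MACs outright are assumptions for illustration; a real deployment would store the same attributes on the ClearPass endpoint record and test them in the MAC-auth service's enforcement policy.

```python
"""Per-SSID endpoint attributes and expiry for MAC authentication.

Constructed example. The repository is a plain dict keyed by normalized MAC;
the attribute names Registered-SSID and Registration-Expiry are assumed, not
ClearPass built-ins. No network access is needed.
"""
from datetime import datetime, timedelta, timezone

# Assumed per-SSID lifetime of a MAC registration (from the question).
SSID_LIFETIME = {
    "A": timedelta(days=7),     # guest network: one week
    "B": timedelta(days=365),   # staff network: one year
}

# Fixed reference time so results are reproducible.
T0 = datetime(2020, 1, 1, tzinfo=timezone.utc)


def at(days: int) -> datetime:
    """Return T0 shifted by `days`; used to simulate the passage of time."""
    return T0 + timedelta(days=days)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-AA-..' and '00aabb..' match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Randomized (private) Wi-Fi MACs set this bit, so the first octet ends in
    2, 6, A or E. Such an address is not a stable identity, which is why a
    MAC-registration workflow breaks once devices rotate it.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def register(repo: dict, mac: str, ssid: str, now: datetime) -> dict:
    """Add or refresh an endpoint record tagged with its onboarding SSID."""
    if ssid not in SSID_LIFETIME:
        raise ValueError(f"unknown SSID {ssid!r}")
    rec = {
        "status": "Known",
        "attributes": {
            "Registered-SSID": ssid,
            "Registration-Expiry": (now + SSID_LIFETIME[ssid]).isoformat(),
        },
    }
    repo[normalize_mac(mac)] = rec
    return rec


def authorize(repo: dict, mac: str, ssid: str, now: datetime) -> tuple:
    """Decide a MAC-auth request on `ssid`; returns (allowed, reason).

    Any False result is where the enforcement policy would hand back the
    captive-portal role instead of network access.
    """
    key = normalize_mac(mac)
    if is_locally_administered(key):
        return False, "randomized-mac"      # assumed: do not even try to match
    rec = repo.get(key)
    if rec is None or rec.get("status") != "Known":
        return False, "unknown-endpoint"
    attrs = rec["attributes"]
    if attrs.get("Registered-SSID") != ssid:
        return False, "wrong-ssid"          # registered on A, connecting to B
    if datetime.fromisoformat(attrs["Registration-Expiry"]) <= now:
        return False, "expired"
    return True, "ok"


def build_demo_repo() -> dict:
    """Constructed repository: one guest device on A, one staff device on B."""
    repo = {}
    register(repo, "00:11:22:33:44:55", "A", T0)
    register(repo, "00-AA-BB-CC-DD-EE", "B", T0)
    return repo


if __name__ == "__main__":
    repo = build_demo_repo()
    cases = [
        ("00:11:22:33:44:55", "A", 1), ("00:11:22:33:44:55", "B", 1),
        ("00:11:22:33:44:55", "A", 8), ("00aabbccddee", "B", 300),
        ("00aabbccddee", "B", 366), ("02:11:22:33:44:55", "A", 0),
    ]
    for mac, ssid, day in cases:
        print(mac, ssid, f"day {day}:", authorize(repo, mac, ssid, at(day)))
```

The same checks translate to ClearPass as a Known-endpoint condition plus two endpoint-attribute comparisons in the MAC-auth enforcement policy; the expiry attribute is what lets SSID A and SSID B hold different lifetimes without separate repositories.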
Frequent Contributor I

Re: Endpoint database shared?

Ahhh MAC randomization? Wonderful. Thanks for your help.
