Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Getting Corporate Macbooks on the Network

  • 1.  Getting Corporate Macbooks on the Network

    Posted Nov 14, 2013 11:12 AM

    I have several corporate MacBooks that I need to get on our network.  Before owning ClearPass, we would manually generate certificates for devices and import them on the device for EAP-TLS authentication.  Now that we own CP w/ Onboarding, I think I'd like to onboard the MacBooks.  I want to lock down onboarding to only corporate Macs and only have a few ideas of how to do this:

    • Maintain a static host list of corporate iPads
    • Enroll the Macs in AirWatch and poll an external context server to verify the device is enrolled and a corporate asset.

    Just looking to brainstorm here, and get ideas of how others are securely getting corporate Macs on their network.



  • 2.  RE: Getting Corporate Macbooks on the Network

    EMPLOYEE
    Posted Nov 14, 2013 11:15 AM
    Those are the most common processes. We have also had a few customers:

    1. Lock it down so you can onboard only on one AP

    2. Have an approval process like you would with sponsored guests


  • 3.  RE: Getting Corporate Macbooks on the Network

    Posted Nov 14, 2013 02:23 PM

    Thanks Troy.  Very good ideas.

    How would you do option #2, though?



  • 4.  RE: Getting Corporate Macbooks on the Network

    EMPLOYEE
    Posted Nov 14, 2013 02:27 PM
    There should be another post on this from about a month ago. I'll have to take a look tonight when I get back.

    Essentially you will need to set up a sponsored-guest flow where the final redirect ends at the onboarding page.


  • 5.  RE: Getting Corporate Macbooks on the Network

    Posted Nov 14, 2013 11:23 PM

    Cool. Looking forward to getting some more info on it.

    Only one concern about redirecting the user to the onboarding page after sponsor approval. Is it possible to lock down access to the onboarding page?  How would you keep someone from just typing in the name of the onboarding page and onboarding?



  • 6.  RE: Getting Corporate Macbooks on the Network

    EMPLOYEE
    Posted Nov 14, 2013 11:41 PM

    Yes, that is the challenge. :)

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-Onboarding-by-IT-admins-only-not-by-employees/m-p/117021/highlight/true#M7701

    It comes down to how your network is set up; you might have to get creative.

    I have one customer that has provisioning allowed on one AP, and they have the power turned way down so you have to be in the IT office to connect to it.

    I have another that put an IP restriction in the web login: when they go through the Self-Reg page they get a 192. address, and once the user can click the login button they send a CoA and role change to the production VLAN with an allowed IP.

    [attachment: screenshot_01 Nov. 14 22.27.gif]

    I guess we should open this up and get some other suggestions, and I will put together a KB and Arubapedia page with options you can choose from.
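The thread so far describes three gates for locking down onboarding: the original poster's two options (a static host list of corporate Macs, or an MDM/external context server lookup confirming the device is enrolled and corporate-owned), Troy's sponsor-approval idea, and the IP restriction where only clients still on the self-registration subnet may reach the onboarding page. The following is an added illustration, not code from the thread, from ClearPass, or from Aruba, showing those gates combined into one policy decision that records every failed check. The subnet (192.168.250.0/24), the MAC addresses, the static host list, and the `MDM_INVENTORY` dictionary standing in for the context-server response are all constructed sample values; the function names are hypothetical and do not correspond to any ClearPass API.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed values (not from the thread): the subnet handed out to clients
# on the self-registration page before CoA moves them to production, the
# static host list of corporate Macs, and a stand-in for what an MDM
# (such as AirWatch) enrollment lookup would return for each MAC.
PROVISIONING_SUBNET = ipaddress.ip_network("192.168.250.0/24")

STATIC_HOST_LIST = {"a4:5e:60:11:22:33"}

MDM_INVENTORY = {
    "a4:5e:60:11:22:33": {"enrolled": True, "ownership": "corporate"},
    "f0:18:98:aa:bb:cc": {"enrolled": True, "ownership": "corporate"},
    "3c:22:fb:99:88:77": {"enrolled": True, "ownership": "employee"},
}


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_corporate_asset(mac: str) -> bool:
    """Gate 1: static host list, or the MDM record says enrolled and corporate-owned."""
    if mac in STATIC_HOST_LIST:
        return True
    record = MDM_INVENTORY.get(mac)
    return bool(record and record["enrolled"] and record["ownership"] == "corporate")


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # empty when onboarding is allowed


def onboarding_decision(mac: str, client_ip: str, sponsor_approved: bool) -> Decision:
    """Allow onboarding only when every gate passes; otherwise list each failed gate."""
    reasons = []
    try:
        mac = normalize_mac(mac)
    except ValueError as exc:
        return Decision(False, [str(exc)])

    if not is_corporate_asset(mac):
        reasons.append("device is neither in the static host list nor a corporate-enrolled MDM asset")

    # Gate 2: the IP restriction from the web login; production clients must not reach the page.
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        reasons.append(f"unparseable client address {client_ip!r}")
    else:
        if addr not in PROVISIONING_SUBNET:
            reasons.append(f"client {addr} is outside the provisioning subnet {PROVISIONING_SUBNET}")

    # Gate 3: the sponsored-guest style approval step.
    if not sponsor_approved:
        reasons.append("no sponsor approval recorded for this request")

    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    for mac, ip, approved in [
        ("A4-5E-60-11-22-33", "192.168.250.20", True),  # listed corporate Mac on the provisioning subnet
        ("3c:22:fb:99:88:77", "192.168.250.21", True),  # MDM-enrolled but employee-owned
        ("f0:18:98:aa:bb:cc", "10.1.1.5", False),       # corporate, but from production and unapproved
    ]:
        d = onboarding_decision(mac, ip, approved)
        print(mac, "ALLOW" if d.allow else "DENY", d.reasons)
```

Returning every failed gate rather than stopping at the first one is what makes the decision useful for troubleshooting a sponsor-approved Mac that still cannot onboard: the reasons show whether it was the asset check, the source subnet, or the approval that blocked it.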



  • 7.  RE: Getting Corporate Macbooks on the Network

    Posted Nov 14, 2013 11:56 PM

    Thanks Troy. Getting some really good ideas out of this.



  • 8.  RE: Getting Corporate Macbooks on the Network

    Posted Nov 15, 2013 12:07 AM

    Another issue I'm facing is that several Macs are shared by multiple users.  Currently, they all use one user account on each Mac, but I'd like that policy to change so that each person requires a separate login.  When onboarding, you can make the cert for the user or the system.  It probably makes most sense to install the cert/profile for the user, rather than have a single cert tied to the system.  That being the case, I may have several people logging into multiple Macs, which means each user would need to "onboard" when they log in to a Mac they haven't previously used, right?  If that's the case, is there a way to say that a certain group of people is allowed to onboard X number of times rather than use the global onboard limit?



  • 9.  RE: Getting Corporate Macbooks on the Network

    EMPLOYEE
    Posted Nov 15, 2013 12:19 AM

    Send you a PM on this one