Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Headless onboarding in ClearPass

  • 1.  Headless onboarding in ClearPass

    Posted Feb 21, 2019 05:27 AM

    Hi,

    Given that we have applied 802.1X on the wired network, there are issues with devices that do not support it.

    As we are a university, we have many different types of users (administrative staff, researchers, students etc.) and even more weird devices.

    My idea of a flow for onboarding is:

    1. User connects the device to the wired network.
    2. Device will be redirected to guest registration, but this will have no effect, as it's a headless device. A DHCP packet is forwarded to ClearPass, hence it is now profiled.
    3. User logs into a self-service page I will develop. User can look up the MAC address and take ownership of the specific device.
    4. When the device is reconnected, it will MAC auth and be placed in a VLAN dedicated to this kind of device.

    Steps 1-3 are no problem, but I have a problem in step 4.

    My plan is in step 3 to add the attribute "Owner" to the device, and enter the username of the person who has taken ownership of the device.

    What I need now is to configure ClearPass to do MAC auth and use the device attribute "owner" to look up in AD to see if that user exists. If I can also check if the user is active and not disabled in AD, it would be great, but not necessary.

    Does anyone have some sort of input on how to achieve this?

    Br,

    Thomas



  • 2.  RE: Headless onboarding in ClearPass

    EMPLOYEE
    Posted Feb 21, 2019 05:49 AM
    Onboarding in ClearPass means certificate issuance. Sounds like you just want to register them. Why not just use the built-in Device Registration portal vs building something custom?


  • 3.  RE: Headless onboarding in ClearPass

    Posted Feb 21, 2019 06:20 AM

    Hi,

    That is quite possibly what I could need.

    Do you by any chance have some pointers on how to get started with the Device Registration portal?

    Br,

    Thomas



  • 4.  RE: Headless onboarding in ClearPass

    Posted Feb 21, 2019 06:24 AM

    Hi again,

    I may have answered a bit too quickly.

    I want to register headless devices, meaning the device itself has no display and therefore cannot access a registration page.

    This is why I wanted a page for registering the specific device/MAC address. This should be done from a computer or the like.

    Br,

    Thomas



  • 5.  RE: Headless onboarding in ClearPass
    Best Answer

    EMPLOYEE
    Posted Feb 21, 2019 07:03 AM
    That is exactly how it's built. It has a basic setup out of the box (in Guest go to Create Device) and it can be completely customized.


  • 6.  RE: Headless onboarding in ClearPass

    Posted Mar 04, 2019 03:44 PM

    I found it was easy to set up the devices.

    However, I do not appreciate the interface for my users, and it does not fit our current strategy, so I will make a web interface after all.

    But now I know where to add them and make them authenticate. :)

    Br,

    Thomas



  • 7.  RE: Headless onboarding in ClearPass

    EMPLOYEE
    Posted Mar 04, 2019 03:54 PM
    The interface can be completely customized by user group.


  • 8.  RE: Headless onboarding in ClearPass

    Posted Mar 04, 2019 03:58 PM

    Yes, but they want it as an integrated part of a self-service portal.

    And for the time being, it's easier for them to develop it themselves.

    If we get my other issue sorted with the API.. :) Different thread.

    Thanks for the help. I was barking up the very wrong tree as I thought I was supposed to work in endpoints instead of devices. :)

    Br,

    Thomas



  • 9.  RE: Headless onboarding in ClearPass

    Posted Feb 28, 2019 12:54 PM

    You can start off by registering devices via /tips in ClearPass. Just open Guest and look for Manage Devices.

    Then in your service, just make sure you include the authentication source [Guest Device Repository].

     

    I set this up in my environment based on the suggestion from Tim and it worked like a champ.

     

    Once you have the device authenticating properly, you just need to map a service to the profile for Device Registration and you'll be able to delegate the task to whoever you want.