Occasional Contributor II

How can I block Linux/Unix Computers

What is the simplest way to set up a configuration in ClearPass to block Linux and Unix OS machines from connecting to our 802.1X SSID? Currently we use CPPM to do machine and user auth and assign roles and VLAN steering accordingly, based on AD user and machine auth.

MVP Expert

Re: How can I block Linux/Unix Computers

Hi

If you make sure that you do DHCP profiling, then ClearPass knows the OS and you can block on that.

Set up the first rule in the enforcement to deny access to Linux OS.

Cheers, Frank
AirHeads MVP Expert |AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudo's are welcome. If it solves your problem, please click 'Accept as Solution'
MVP Guru

Re: How can I block Linux/Unix Computers

If the requirement is that only users with domain laptops can connect, then you can create a policy that only allows [machine authenticated] + [user authenticated] = allow access, and the rest will be denied by the default profile applied under the policy.

Another method you can use to deny access is to use the profiling data in the endpoint database and add it in your enforcement policy: Endpoint > OS Family = Linux > Deny Access



Pardon typos sent from Mobile
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: How can I block Linux/Unix Computers

So that's exactly what I did. I created a Role Mapping policy for Endpoint OS Type Contains Linux or Radius:Aruba-Aruba-Device-Type Contains Linux. I did not, however, set an enforcement policy for it yet because I want to see what devices it role-maps, and it seems to catch Android tablet/phone devices as well. Those devices are approved; Linux/Unix laptops are not. How can I exclude the Android devices from getting this role applied to them?

 

MVP Expert

Re: How can I block Linux/Unix Computers

Hi

Include device category computer in the enforcement. Android devices are profiled as smart devices not computers.

Hope it helps.

Cheers, Frank
AirHeads MVP Expert |AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudo's are welcome. If it solves your problem, please click 'Accept as Solution'
Occasional Contributor II

Re: How can I block Linux/Unix Computers

You mean Device Type, correct, when creating the Mapping Rule?

Occasional Contributor II

Re: How can I block Linux/Unix Computers

cppm-rolemapping.JPG

 

 

MVP Expert

Re: How can I block Linux/Unix Computers

Hi

Use this one: (Authorization:[Endpoints Repository]:Category CONTAINS Computer) and make sure you add the Endpoint Repository as an authorization source in the service.

As Victor explained : http://community.arubanetworks.com/t5/Security/Enforcement-profiles-based-on-device-category/m-p/288983#M30442

Cheers, Frank
AirHeads MVP Expert |AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudo's are welcome. If it solves your problem, please click 'Accept as Solution'
Occasional Contributor II

Re: How can I block Linux/Unix Computers

cppm-rolemapping.JPG

Here is the adjusted rule

MVP Expert

Re: How can I block Linux/Unix Computers

Hi

I would not use the Radius part and replace it with:

Authorization:[Endpoints Repository]OS Family equals linux

And make sure the endpoints repository is an authorization source

Schermafbeelding 2018-09-05 om 21.48.56.png

 

Hope it helps

Cheers, Frank
AirHeads MVP Expert |AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudo's are welcome. If it solves your problem, please click 'Accept as Solution'
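
An added example, not part of the thread and not ClearPass code: a toy first-match evaluator showing why the original mapping rule tagged Android devices and how the Category and OS Family conditions suggested above exclude them. All attribute names, attribute values and role names here are constructed assumptions.

```python
# Toy model of first-match role mapping (illustration only, not ClearPass code).
OPS = {
    "CONTAINS": lambda have, want: want.lower() in have.lower(),
    "EQUALS": lambda have, want: have.lower() == want.lower(),
}

# Constructed endpoint records; values are illustrative, not exported profiles.
ENDPOINTS = {
    "linux-laptop": {"Category": "Computer", "OS Family": "Linux",
                     "Aruba-Device-Type": "Linux"},
    # Assumption: the RADIUS device type reports the tablet as Linux.
    "android-tablet": {"Category": "SmartDevice", "OS Family": "Android",
                       "Aruba-Device-Type": "Linux"},
    "windows-laptop": {"Category": "Computer", "OS Family": "Windows",
                       "Aruba-Device-Type": "Win 10"},
    "unprofiled": {},  # no profiling data collected yet
}

# Each rule: (match mode, [(attribute, operator, value), ...], role)
ORIGINAL = [(any, [("OS Family", "CONTAINS", "Linux"),
                   ("Aruba-Device-Type", "CONTAINS", "Linux")], "Linux-Block")]
ADJUSTED = [(all, [("Category", "CONTAINS", "Computer"),
                   ("OS Family", "EQUALS", "linux")], "Linux-Block")]

def rule_matches(rule, attrs):
    mode, conditions, _role = rule
    # A missing attribute never satisfies a condition.
    return mode(name in attrs and OPS[op](attrs[name], value)
                for name, op, value in conditions)

def map_role(rules, attrs, default_role="Default"):
    """Return the role of the first matching rule, else the default role."""
    for rule in rules:
        if rule_matches(rule, attrs):
            return rule[2]
    return default_role

def compare():
    """Role per endpoint as (original rule set, adjusted rule set)."""
    return {name: (map_role(ORIGINAL, a), map_role(ADJUSTED, a))
            for name, a in ENDPOINTS.items()}

if __name__ == "__main__":
    for name, roles in compare().items():
        print(f"{name:15} original={roles[0]:12} adjusted={roles[1]}")
```

The unprofiled record falls through to the default role under both rule sets, so what the default profile does decides the outcome for endpoints that have not been profiled.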