Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Keeping MAC Authenticated Devices off the 802.1x authenticated SSID

  • 1.  Keeping MAC Authenticated Devices off the 802.1x authenticated SSID

    Posted Aug 26, 2015 02:56 PM

    I am certain I read once how you can do this but I am unable to find a thread now.

    I have an SSID where all of the devices are MAC Authenticated and another SSID on which users are authenticated using 802.1x against our Active Directory.  The MAC Authenticated devices are supposed to be kept on their own SSID but I have users that keep moving to the 802.1x SSID. I need to find a way to prevent a device which has previously been MAC authenticated from being moved from its intended SSID.

    I am using ClearPass as my MAC Auth server as well as the RADIUS server for the 802.1x. Is there some way I can build a policy to prevent users from connecting their MAC Auth'd devices?

    Thanks in advance



  • 2.  RE: Keeping MAC Authenticated Devices off the 802.1x authenticated SSID

    EMPLOYEE
    Posted Aug 26, 2015 02:58 PM
    What attributes do you have tied to the endpoint record in the endpoints repository? Keep in mind that MAC address can be spoofed and they would still be able to get onto the 802.1X network with valid credentials.


  • 3.  RE: Keeping MAC Authenticated Devices off the 802.1x authenticated SSID

    Posted Aug 28, 2015 10:59 AM

    Hi Tim,

    When MAC Authenticated devices connect to the correct SSID I am updating the endpoints repository using the "Ownership" attribute. I think the best thing for me to do from there is to create a policy on the 802.1x SSID that denies access to any device with the correct value in the "Ownership" field. In other words, any device which has previously been on the MAC Authenticated SSID will not be permitted on the other SSID. Likewise, if the "Ownership" field is empty, the client device would not be permitted on the MAC Authenticated SSID.

    Just wondering if there is a better way, or if this method has any shortcomings.

    All of these MAC authenticated devices are smartphones and I wonder if there is a way that I can get the IMEI of the phone into the ClearPass Endpoints Repository other than by means of an MDM Server. If this is possible, I could use the IMEI to create a whitelist. This would be much more difficult to spoof than a MAC address would.

    Thanks



  • 4.  RE: Keeping MAC Authenticated Devices off the 802.1x authenticated SSID
    Best Answer

    MVP
    Posted Aug 28, 2015 11:28 AM

    Saving an attribute with the endpoint can work.

    If you want to keep ALL smart devices off the dot1x network you can also use the corresponding device category to do this.

    Neither is bulletproof.

    The best way would be to do machine authentication if all the machines you do allow on the dot1x network can do that.



  • 5.  RE: Keeping MAC Authenticated Devices off the 802.1x authenticated SSID
    Best Answer

    EMPLOYEE
    Posted Aug 28, 2015 11:31 AM

    I wouldn't use the "Ownership" attribute. I would recommend creating your own.

    You can then tick that attribute to true when the device authenticates on the 802.1X network. Then for the first rule in your MAC-auth service, check to see if that attribute is true and then take either deny or captive portal enforcement action.
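The two approaches above (post 3: tag the endpoint on the MAC-auth SSID and deny it on the 802.1X service; post 5: tag it on the 802.1X SSID and deny it as the first rule of the MAC-auth service) can be modelled side by side, together with the gap post 2 and post 4 point out. The following is an added example written for this thread, not ClearPass code and not a call to the ClearPass API: it simulates an in-memory endpoint repository and the two services with constructed MAC addresses and a made-up directory. The attribute name, tag values, user credentials and MACs are all assumptions.

```python
"""Model of the endpoint-attribute policy discussed in this thread.

Added example, not ClearPass code: an in-memory endpoint repository plus a
MAC-auth service and an 802.1X service, so the two rules (tag on one SSID,
deny on the other) and their known gap (a spoofed MAC) run offline.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical custom endpoint attribute (post 5 recommends creating your own
# rather than reusing "Ownership"); the name and both values are assumptions.
ATTR = "Device Type"
MAC_AUTH_TAG = "mac-auth-device"
DOT1X_TAG = "dot1x-device"

# Constructed credential store standing in for Active Directory.
AD_USERS = {"alice": "CorrectHorse!"}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aabb..' hit one record."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Endpoint:
    mac: str
    status: str = "Unknown"          # Known/Unknown, as in the endpoints repository
    attributes: dict = field(default_factory=dict)


class EndpointRepository:
    """Stand-in for the ClearPass Endpoints Repository, keyed by normalized MAC."""

    def __init__(self, known_macs=()):
        self._db: dict[str, Endpoint] = {}
        for mac in known_macs:
            self.get(mac).status = "Known"

    def get(self, mac: str) -> Endpoint:
        mac = normalize_mac(mac)
        return self._db.setdefault(mac, Endpoint(mac))

    def tag(self, mac: str, value: str) -> None:
        self.get(mac).attributes[ATTR] = value


def mac_auth_service(repo: EndpointRepository, mac: str) -> tuple[str, str]:
    """MAC-auth SSID. Rule 1 (post 5): deny anything previously seen on 802.1X.
    Rule 2: only Known endpoints pass. On success, tag the endpoint (post 3)."""
    ep = repo.get(mac)
    if ep.attributes.get(ATTR) == DOT1X_TAG:
        return "DENY", "endpoint tagged as an 802.1X device"   # or captive portal
    if ep.status != "Known":
        return "DENY", "endpoint not Known in the repository"
    repo.tag(mac, MAC_AUTH_TAG)
    return "ACCEPT", "known endpoint; tagged as MAC-auth device"


def dot1x_service(repo: EndpointRepository, mac: str,
                  username: str, password: str) -> tuple[str, str]:
    """802.1X SSID. Credentials first (the AD step); then a valid user whose
    endpoint carries the MAC-auth tag is denied (post 3). On success the
    endpoint is tagged as an 802.1X device (post 5)."""
    if AD_USERS.get(username) != password:
        return "REJECT", "AD authentication failed"
    ep = repo.get(mac)
    if ep.attributes.get(ATTR) == MAC_AUTH_TAG:
        return "DENY", "endpoint tagged as a MAC-auth device"
    repo.tag(mac, DOT1X_TAG)
    return "ACCEPT", "valid credentials; tagged as 802.1X device"


def run_scenario() -> dict[str, str]:
    """Constructed walk-through of one phone and one laptop (all MACs made up)."""
    phone = "AA:BB:CC:DD:EE:01"      # registered MAC-auth smartphone
    laptop = "AA:BB:CC:DD:EE:02"     # corporate laptop, never MAC-registered
    repo = EndpointRepository(known_macs=[phone])
    out = {}
    # 1. The phone joins its own SSID and gets tagged.
    out["phone_mac_auth"] = mac_auth_service(repo, phone)[0]
    # 2. Its owner tries the 802.1X SSID with valid AD credentials: the tag denies it.
    out["phone_dot1x"] = dot1x_service(repo, "aa-bb-cc-dd-ee-01", "alice", "CorrectHorse!")[0]
    # 3. The gap post 2 warns about: a changed MAC is a fresh, untagged endpoint.
    out["spoofed_phone_dot1x"] = dot1x_service(repo, "02:00:00:00:00:99", "alice", "CorrectHorse!")[0]
    # 4. The laptop authenticates on 802.1X and is tagged as a dot1x device.
    out["laptop_dot1x"] = dot1x_service(repo, laptop, "alice", "CorrectHorse!")[0]
    # 5. Post 5's first rule then refuses the laptop on the MAC-auth SSID.
    out["laptop_mac_auth"] = mac_auth_service(repo, laptop)[0]
    return out


if __name__ == "__main__":
    for step, decision in run_scenario().items():
        print(f"{step:22s} {decision}")
```

Step 3 is the point of post 2 and post 4: the policy keys on the MAC address, so a user who changes the phone's MAC presents an endpoint with no history and, with valid credentials, is accepted. Normalizing the MAC before every lookup matters in practice too; a tag written under one MAC format and looked up under another silently never matches.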