Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

  • 1.  Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

    Posted Jul 20, 2015 06:21 PM

    Thank you in advance, my Google-fu is lacking... We've got two Aruba 7210 controllers and ClearPass, and everything works OK for user auth for our 802.1X SSID. The problem comes in when we want to say, "allow THIS iPad on the Wi-Fi but not this other one." We have iPads, Android phones, iPhones, Windows laptops, TI-82 calculators (jk), etc., but we do not currently have an MDM solution to easily put certs, etc. on these devices. Our ClearPass endpoint database is filling up with tons of devices, and I see where you can mark them "known" or "unknown", but I don't see how to give the user/device a different role based on the device they are on. Also, can we do anything with "device profiling" so it is a little more secure than just MAC address authentication only? Hope that makes sense, thanks.


    #7210


  • 2.  RE: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

    EMPLOYEE
    Posted Jul 20, 2015 06:23 PM
    What will be the source of the device ownership?


    Thanks,
    Tim


  • 3.  RE: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

    Posted Jul 20, 2015 06:28 PM

    The company I work for would buy a bunch of devices (iPads, Android phones, etc.) and we would only want these devices to get on the corp network, so like get the "corp" role... but if the same user signed on with their personal iPad they should only get the guest role. Hope that makes sense, thanks.



  • 4.  RE: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

    EMPLOYEE
    Posted Jul 20, 2015 06:30 PM
    You can either issue them certificates from a different CA or mark the MAC in the endpoints database as corporate.


    Thanks,
    Tim


  • 5.  RE: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

    Posted Jul 20, 2015 06:32 PM

    OK, thanks. Yes, I was trying to avoid certs for now due to the myriad different devices, but is there a way to also use the ClearPass "profiler" so that someone couldn't spoof an Android MAC address on their Windows laptop? So for example, only allow this MAC address on if the device fingerprint matches what is in the ClearPass endpoint DB (Android OS, version, etc.).

     



  • 6.  RE: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?
    Best Answer

    EMPLOYEE
    Posted Jul 20, 2015 06:36 PM
    Well, kind of. The problem is a profile might return Windows, but the MAC is an Intel MAC.

    Profile conflicts really come into play when a device category changes, like "Computer" becoming a "Printer".

    Certs really are the only secure, reliable way.


    Thanks,
    Tim


  • 7.  RE: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

    Posted Jul 20, 2015 06:37 PM

    OK, thanks!

     



  • 8.  RE: Only Allow Devices We Own on the Wifi - Clearpass, Controllers, Anything Better than Mac Auth?

    EMPLOYEE
    Posted Jul 20, 2015 06:42 PM
    If you just want to take different action if the profile changes, you can use the profile conflict attribute in your enforcement.


    Thanks,
    Tim
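
The role decision discussed across this thread, modeled as an added example (not written by any poster and not ClearPass policy syntax). The endpoint records, field names, role names and the CA name are constructed placeholders; the certificate is assumed to have already been validated by the RADIUS server.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Endpoint:
    owner: str      # "corporate" or "unknown" (hypothetical ownership tag)
    category: str   # device category recorded when first profiled

# Constructed sample endpoint database, keyed by lowercase MAC.
ENDPOINTS = {
    "a4:5e:60:00:00:01": Endpoint("corporate", "SmartDevice"),
    "00:1b:21:00:00:02": Endpoint("unknown", "Computer"),
}

CORP_CA = "Example Corp Device CA"  # placeholder issuer name

def assign_role(mac: str, seen_category: str,
                cert_issuer: Optional[str] = None) -> Tuple[str, str]:
    """Return (role, reason) for one authentication attempt."""
    # Option 1 from the thread: a certificate from a dedicated corporate CA.
    # This is the only check that does not rely on a client-supplied MAC.
    if cert_issuer == CORP_CA:
        return "corp", "certificate issued by corporate device CA"

    # Option 2 from the thread: MAC marked corporate in the endpoint database.
    ep = ENDPOINTS.get(mac.lower())
    if ep is None or ep.owner != "corporate":
        return "guest", "MAC not marked corporate"

    # Profile conflict: the category seen now differs from the stored one.
    if seen_category != ep.category:
        return "guest", f"profile conflict: {ep.category} -> {seen_category}"

    # Residual gap: a device presenting this MAC that also profiles into
    # the same category is indistinguishable from the real one here.
    return "corp", "MAC marked corporate, profile consistent"

if __name__ == "__main__":
    for args in [("A4:5E:60:00:00:01", "SmartDevice"),
                 ("a4:5e:60:00:00:01", "Computer"),
                 ("00:1b:21:00:00:02", "Computer"),
                 ("00:1b:21:00:00:02", "Computer", CORP_CA)]:
        print(args, "->", assign_role(*args))
```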