Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

PSK SSID + Endpoint Repository for role assignment?

  • 1.  PSK SSID + Endpoint Repository for role assignment?

    Posted May 26, 2017 11:19 AM

    We've got a PSK SSID in use globally that's pretty well entrenched in our organization, and due to varying configurations it's turned into a very mixed-use network.  What I'd like to do is steer mobile devices into a specific role/vlan, while leaving our bridges and other headless devices in the authenticated role.  I've tried user derivation rules with DHCP thumbprints to do this but the results have been very poor (sub 10% hit rate). Rather than tearing it out and reconfiguring thousands of devices, I'd like to leverage the CPPM Endpoint Repository so that if the device name was, for example, iPhone it would hand the appropriate Aruba-User-Role back to the controller.

     

    Is this possible?  I've stepped through a few different configurations that I thought might work but I'm not even seeing requests in access tracker.



  • 2.  RE: PSK SSID + Endpoint Repository for role assignment?
    Best Answer

    EMPLOYEE
    Posted May 26, 2017 11:29 AM
    Yes, you’d create a basic MAC authentication service with [Allow All MAC Auth] and build policies that return back a user-role and VLAN-name combination.

    It’s also recommended to use the Device Registration portal in ClearPass to register those headless devices and assign a role and owner.

    Be sure to enable MAC Authentication in your AAA profile on the controller.
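The controller side of the setup described in the reply above, sketched as an ArubaOS CLI fragment. This is an added example, not part of the original post and not configuration from the poster's network. The server address, shared-secret placeholder, VLAN ID, and all profile, server-group and role names are assumptions chosen for illustration.

```text
! RADIUS server entry pointing at ClearPass (address and key are placeholders)
aaa authentication-server radius "cppm-example"
   host "192.0.2.10"
   key "<shared-secret>"
!
aaa server-group "cppm-example-sg"
   auth-server "cppm-example"
!
! Role that ClearPass returns in Aruba-User-Role for devices it classifies
! as mobile. The role must already exist on the controller, otherwise the
! returned name cannot be applied.
user-role "mobile-devices-example"
   vlan 20
   access-list session allowall
!
! MAC authentication profile referenced by the AAA profile below
aaa authentication mac "psk-mac-example"
!
! AAA profile attached to the PSK SSID's virtual AP.
! mac-default-role applies when ClearPass accepts the MAC but returns no
! role, so bridges and headless devices stay in "authenticated".
aaa profile "psk-aaa-example"
   authentication-mac "psk-mac-example"
   mac-default-role "authenticated"
   mac-server-group "cppm-example-sg"
!
wlan virtual-ap "psk-vap-example"
   aaa-profile "psk-aaa-example"
```

Once MAC authentication is enabled in the AAA profile, each association on the SSID should produce a request in Access Tracker. The role returned depends on endpoint attributes, and a MAC address can be spoofed, so the assigned role should not be treated as proof of device identity.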


  • 3.  RE: PSK SSID + Endpoint Repository for role assignment?

    Posted May 26, 2017 11:53 AM

    Thanks Tim, that works perfectly!

     

    -Josh.