Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

PSK and ClearPass

  • 1.  PSK and ClearPass

    Posted May 15, 2014 05:11 AM

    Hi

     

    A customer needs an SSID with WPA2-PSK as the authentication method, to be able to connect devices that do not support 802.1x and Captive Portal.

    But they would like to be able to grant only specific devices access to this SSID by letting ClearPass verify whether the device is approved or not.

     

    Is it possible to combine WPA2-PSK authentication with an additional check sent to ClearPass? Maybe an authorization request?

     

    Best Regards

    Jonas Erlund Hammarbäck

     

     



  • 2.  RE: PSK and ClearPass

    EMPLOYEE
    Posted May 15, 2014 05:46 AM

    You would need to find the AAA profile for the WPA2-PSK WLAN and add a mac authentication profile to it.  http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/MAC_Authentication/Configuring_MAC_Based_Au.htm

     

    You would then set up mac-based authentication in ClearPass (I don't have a web link for that, but it should be in the help).



  • 3.  RE: PSK and ClearPass

    Posted May 15, 2014 06:01 AM

    Thank you!

    We will test this approach.

     

     



  • 4.  RE: PSK and ClearPass
    Best Answer

    EMPLOYEE
    Posted May 15, 2014 08:16 AM

    Keep in mind as well that ClearPass offers a unique authentication source called "Allow All MACAUTH". With this, we can leverage other context outside of maintaining a MAC address database for these users.

     

    Essentially, ClearPass will allow any MAC address as valid for mac auth purposes.  Then, with policy, you can assign roles or deny access based on other variables such as:

     

    MAC OUI (Connection:Client-MAC-Address BEGINS WITH <value>)

    MAC Vendor (Connection:Client-MAC-Vendor CONTAINS <value>)

    Profile Info (Authorization:[Endpoints Repository]:Category OR OS Family CONTAINS <value>)

    Hostname (Authorization:[Endpoints Repository]:Hostname CONTAINS <value>)

     

    Or even a Custom Attribute YOU add to the Endpoint DB record for the device

     

    All in all, you can write a very secure/granular policy without having to maintain specific MAC addresses
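
The two-stage logic described in the reply above, as an added Python model (not part of the original post, and not ClearPass configuration or API): every well-formed MAC passes authentication, then ordered rules over the attributes named in the thread pick a role, with deny as the default. The rule values, role names, sample requests and the `Endpoint:PSK-Approved` custom attribute are constructed assumptions.

```python
# Operators mirroring BEGINS WITH / CONTAINS / EQUALS from the thread.
def begins_with(v): return lambda a: a.upper().startswith(v.upper())
def contains(v): return lambda a: v.lower() in a.lower()
def equals(v): return lambda a: a.lower() == v.lower()

MAC = "Connection:Client-MAC-Address"
VENDOR = "Connection:Client-MAC-Vendor"
CATEGORY = "Authorization:[Endpoints Repository]:Category"
HOSTNAME = "Authorization:[Endpoints Repository]:Hostname"
APPROVED = "Endpoint:PSK-Approved"   # hypothetical custom attribute name
DEFAULT_ROLE = "deny-access"         # constructed role name

# Ordered rules: every condition in a rule must match; first match wins.
RULES = [
    ({APPROVED: equals("true"), VENDOR: contains("ExampleVendor")}, "psk-scanner"),
    ({MAC: begins_with("001122"), CATEGORY: contains("Printer")}, "psk-printer"),
    ({HOSTNAME: contains("badge-")}, "psk-badge-reader"),
]

def normalize_mac(mac):
    """Strip separators so OUI prefixes compare consistently."""
    return "".join(c for c in mac if c.isalnum()).upper()

def authenticate(mac):
    """Model of 'Allow All MACAUTH': any well-formed MAC is accepted."""
    m = normalize_mac(mac)
    return len(m) == 12 and all(c in "0123456789ABCDEF" for c in m)

def authorize(request):
    """Return the role for a request; missing attributes never match a rule."""
    if not authenticate(request.get(MAC, "")):
        return DEFAULT_ROLE
    attrs = dict(request, **{MAC: normalize_mac(request[MAC])})
    for conditions, role in RULES:
        if all(k in attrs and test(attrs[k]) for k, test in conditions.items()):
            return role
    return DEFAULT_ROLE

# Constructed sample requests (not taken from a real deployment).
SAMPLES = {
    "approved-scanner": {MAC: "00:aa:bb:01:02:03", VENDOR: "ExampleVendor Inc", APPROVED: "true"},
    "profiled-printer": {MAC: "00-11-22-aa-bb-cc", CATEGORY: "Printer"},
    "unprofiled-same-oui": {MAC: "00:11:22:dd:ee:ff"},
    "unknown-laptop": {MAC: "de:ad:be:ef:00:01", CATEGORY: "Computer", HOSTNAME: "laptop-7"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:22} auth={authenticate(req[MAC])} role={authorize(req)}")
```

The unknown laptop still passes the authentication stage; only the policy rules and the default role keep it off the SSID, so rule order and the default matter as much as the conditions themselves.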



  • 5.  RE: PSK and ClearPass

    Posted May 15, 2014 09:10 AM

    The method "Allow All MACAUTH" combined with custom attributes in the Endpoints Repository will be the best solution for our purposes as I can see now.

     

    Thanks for the tip!

    Regards

    Jonas Erlund Hammarbäck



  • 6.  RE: PSK and ClearPass

    Posted May 18, 2016 05:29 PM

    I love when a "Search Airheads" hit gives me exactly what I need to solve today's (current) problem!

    Thanks everyone!