Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Posture Check Guest Mobile Devices

  • 1.  Posture Check Guest Mobile Devices

    MVP
    Posted Nov 20, 2014 09:57 AM

    Hi All,

     

    I am doing a ClearPass install and we are doing posture checking on the Guest network. The service is built and working fine, but we want to bypass the posture check for mobile devices as they are not capable of it.

     

    I tried adding role mapping policies that looked at "Authorization:[Endpoint Repository]-Device Category-SmartDevice" and also tried "RADIUS:Aruba-Aruba-Device-Type EQUALS iPhone"

     

    but the problem is the device is not always sending the information. We are doing an Allow All MAC Auth and depending on the device we are either sending them to a role with the posture check captive portal or just the self-registration.

     

    How do I get the devices to consistently send the device type or be profiled with the device category?

     

    Please see attached images for example.

     

    Thanks.



  • 2.  RE: Posture Check Guest Mobile Devices
    Best Answer

    EMPLOYEE
    Posted Nov 20, 2014 09:59 AM

    You need to enable profiling on your service and select Smartdevices from the drop down.

     

    Then in your service, write a rule that says Endpoints Repository: Device Category NOT_EXISTS, return a controller role that just allows DHCP (logon role works great for this).

     

    This will force the device to be profiled and then bump the user so authentication can continue. This would only happen the first time the device is seen on the network.

     

    Make sure you have the endpoints repository as an authorization source. 



  • 3.  RE: Posture Check Guest Mobile Devices

    MVP
    Posted Nov 20, 2014 10:04 AM

    Thanks, I will give it a try and let you know.



  • 4.  RE: Posture Check Guest Mobile Devices

    MVP
    Posted Nov 20, 2014 11:11 AM

    So I went through the configuration and also found out that I did not have the RFC3576 Shared Key configured on the controller. Fixed that and went through with your configuration and it worked. Thanks for the help!


  • 5.  RE: Posture Check Guest Mobile Devices

    Posted Nov 20, 2014 11:24 AM

    Make sure you have DHCP helpers pointed to CPPM and/or add IFMAP for the controller to send additional info. 

     

    I actually reverse the logic for OnGuard and only enforce for device category computer. Then everything else falls through. 

     

    onguard.png

     

    The real question though is if the guest network is configured properly (i.e., no access to production networks etc.), why go through the hassle of posture checking on those devices?



  • 6.  RE: Posture Check Guest Mobile Devices

    EMPLOYEE
    Posted Nov 20, 2014 11:31 AM
    jclingan,

    The problem with not forcing a profile role is you may not know what the device is for the first authentication, which can cause issues for clients when they're in the wrong role.

    Using a profile check, you can alleviate this.


  • 7.  RE: Posture Check Guest Mobile Devices

    Posted Nov 20, 2014 11:34 AM

    cappalli - yeah I agree. It's good practice and I always make a "not profiled" rule/role and put it at the top of my enforcement policy.
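
The rule ordering discussed in this thread, modelled as an added Python example (not part of any post and not ClearPass configuration syntax). It compares a policy with only a smart-device bypass rule against one with a "not profiled" rule at the top; the role names, MAC addresses and the `connect` helper are hypothetical.

```python
# Added illustration, not ClearPass syntax: first-match policy evaluation.
# Role names (profile-only, guest-selfreg, guest-posture) are hypothetical.

def not_profiled(ep):      # Endpoints Repository: Device Category NOT_EXISTS
    return ep.get("category") is None

def is_smartdevice(ep):
    return ep.get("category") == "SmartDevice"

def is_computer(ep):
    return ep.get("category") == "Computer"

# Bypass rule only: posture is the default, so an unprofiled phone is caught by it.
BYPASS_ONLY = ([(is_smartdevice, "guest-selfreg")], "guest-posture")

# Thread's approach: hold unprofiled devices first, enforce posture only for
# computers, let everything else fall through to self-registration.
PROFILE_FIRST = ([(not_profiled, "profile-only"),
                  (is_computer, "guest-posture")], "guest-selfreg")

def evaluate(policy, endpoint):
    """Return the role of the first matching rule, or the policy default."""
    rules, default = policy
    for condition, role in rules:
        if condition(endpoint):
            return role
    return default

def connect(policy, repo, mac, actual_category):
    """Return the sequence of roles a device receives on one connection."""
    endpoint = repo.setdefault(mac, {})
    roles = [evaluate(policy, endpoint)]
    if roles[0] == "profile-only":
        # The DHCP-only role lets the profiler classify the device; the change
        # of authorization then bumps the client and authentication runs again.
        endpoint["category"] = actual_category
        roles.append(evaluate(policy, endpoint))
    return roles

if __name__ == "__main__":
    phone, laptop = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"  # constructed MACs
    print(connect(BYPASS_ONLY, {}, phone, "SmartDevice"))
    repo = {}
    print(connect(PROFILE_FIRST, repo, phone, "SmartDevice"))
    print(connect(PROFILE_FIRST, repo, phone, "SmartDevice"))
    print(connect(PROFILE_FIRST, repo, laptop, "Computer"))
```

With the bypass-only policy an unprofiled phone lands in the posture role; with the "not profiled" rule first it is held once, profiled, and then receives the intended role on every later connection.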