Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TLS certificate vs. Mac Caching - BYOD Registration using CPPM

  • 1.  TLS certificate vs. Mac Caching - BYOD Registration using CPPM

    Posted May 18, 2016 08:57 AM

    Hello, We have CPPM and use it for BYOD registration. We have two Wi-Fi networks: Registration and BYOD. A user associates to the Registration network and goes through the process. If they have an iOS device they download a ClearPass Onboard profile certificate and then a device enrollment certificate. If they have an Android device they go to the Play Store and download the Aruba ClearPass QuickConnect app, which is then used to provision the device and install the certificates. They then join the BYOD network for communications.

     

    If they have issues with the above registration process, or they are on a device that doesn't support the traditional onboarding process (certificates), they can register via the "alternate method", which MAC caches their client MAC (which gets retained based on the database retention time set in CPPM Insight).

     

    My question is this: would there be any benefits or drawbacks from exclusively using the MAC caching method for everyone? What would those pros and cons be specifically?

     

    Thank you for the insight.

    Sarah



  • 2.  RE: TLS certificate vs. Mac Caching - BYOD Registration using CPPM

    Posted May 18, 2016 09:00 AM

    I don't consider MAC caching and using the MAC address as very secure. MAC addresses can be spoofed to gain access. Hence I prefer the more secure certificate-based approach you mentioned. Just my preference.
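    As an added example (not from this thread, and not HPE Aruba's own tooling), one check a defender would want in place if cached MACs are the only credential: flag any MAC-authenticated client that opens a second session on a different NAS while its first session is still open. The accounting line format and the sample records are constructed for the example; real ClearPass exports differ, and a late Stop record from a roaming client can also trigger it, so treat a hit as a triage signal rather than proof of spoofing.

```python
from datetime import datetime

# Constructed sample RADIUS accounting lines (not real ClearPass output):
# <timestamp> <Start|Stop> <Calling-Station-Id> <NAS-IP-Address> <auth method>
SAMPLE_LOG = """\
2016-05-18T09:00:00 Start aa:bb:cc:00:11:22 10.0.1.10 MAC-AUTH
2016-05-18T09:03:00 Start aa:bb:cc:00:11:22 10.0.2.10 MAC-AUTH
2016-05-18T09:05:00 Start 11:22:33:44:55:66 10.0.1.10 EAP-TLS
2016-05-18T09:30:00 Stop  aa:bb:cc:00:11:22 10.0.1.10 MAC-AUTH
2016-05-18T09:40:00 Start 11:22:33:44:55:66 10.0.3.10 EAP-TLS
"""

def parse_records(text):
    """Parse accounting lines into (ts, event, mac, nas_ip, method) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, mac, nas_ip, method = line.split()
        records.append((datetime.fromisoformat(ts), event, mac.lower(), nas_ip, method))
    return sorted(records, key=lambda r: r[0])

def find_overlapping_mac_sessions(records):
    """Return (mac, existing_nas, new_nas, ts) for every MAC-auth Start that lands
    while the same MAC still has an open MAC-auth session on a different NAS.
    Only MAC-auth sessions are checked: an EAP-TLS session is bound to the
    device's private key, so a copied MAC address alone cannot reuse it."""
    active = {}   # mac -> {nas_ip: start_ts} for sessions without a Stop yet
    findings = []
    for ts, event, mac, nas_ip, method in records:
        if method != "MAC-AUTH":
            continue
        sessions = active.setdefault(mac, {})
        if event == "Stop":
            sessions.pop(nas_ip, None)
        elif event == "Start":
            for other_nas in sessions:
                if other_nas != nas_ip:
                    findings.append((mac, other_nas, nas_ip, ts))
            sessions[nas_ip] = ts
    return findings

if __name__ == "__main__":
    for mac, old_nas, new_nas, ts in find_overlapping_mac_sessions(parse_records(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {mac} active on {old_nas} and {new_nas} at once")
```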

     



  • 3.  RE: TLS certificate vs. Mac Caching - BYOD Registration using CPPM

    EMPLOYEE
    Posted May 18, 2016 09:02 AM
    Mostly security. Certificates are the golden standard for authentication. 


  • 4.  RE: TLS certificate vs. Mac Caching - BYOD Registration using CPPM

    Posted May 19, 2016 07:49 AM

    Sarah,

     

    On a side note, I'm curious what issues you have seen in relation to devices not being able to support certificates. I had tested Apple iPhones, iPads and Android Galaxy devices and they all onboarded with certificates fine. It sounds like you came across other devices that don't support that onboarding method, so you had to revert to MAC address etc. Can you elaborate please? Thanks



  • 5.  RE: TLS certificate vs. Mac Caching - BYOD Registration using CPPM

    Posted May 19, 2016 08:27 AM

    Thanks, here are some examples of certificate method not working:

     

    The new Kindle Fires with the Silk browser won't register the certificate way. Something with the Silk browser must have changed from the older Fire devices, which did work the certificate way.

    I opened a case with TAC and they recommended downloading Google Chrome instead. 


    Occasionally an Android device will ask for a storage credential password as part of the process. The user inputs their device PIN, but it doesn't work, and the user is unaware of what the storage credential password would be and says they never set one.

     

    Another example is a Windows Phone 8 device; the certificate way isn't supported because of something with the Windows software needing an update, if I remember correctly.

     

    With not maintaining the user devices, since it's BYOD, sometimes we don't have a clue what the device has been through :) So we kind of use the alternate method as a catch-all for those devices that can't be traditionally onboarded the certificate way.