Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Unable to get Profile

  • 1.  Unable to get Profile

    Posted Nov 28, 2014 04:58 AM

    What I am trying to achieve is to only allow authorized iPad users via MAC address as well as Windows clients to connect to the wireless.

     

    The problem I have now is that CPPM can only get the MAC address of the devices when a device tries to connect. It can't get the profile of the device. It seems like the profile only appears once the client gets connected. Is there any solution to it? Thanks



  • 2.  RE: Unable to get Profile

    EMPLOYEE
    Posted Nov 28, 2014 05:14 AM

    You need to enable profiler in your service.

     

    In your enforcement you need to set a rule that states device profile is unknown allow limited access. Most just allow DHCP and DNS. Once the device gets profiled it will bounce the user and they will then reconnect and the profile will be present. 

     

    Screen Shot 2014-11-28 at 4.12.39 AM.png

     

     

     

    Screen Shot 2014-11-28 at 4.07.13 AM.png



  • 3.  RE: Unable to get Profile

    Posted Nov 28, 2014 06:04 AM

    Hi, thanks for the solution, but I can only try next Monday. Please bear with me for a couple of questions.

     

    1) Can I say that in order to get profiled, the client has to get an IP address?

    2) Inside the 'Unknown' profile, I just need to return a role with limited access and terminate?

    3) Is Profiler necessary, and would you mind summarising the purpose of enabling it? Because even without Profiler being enabled, I can still get the profile as long as the client is connected.

     

    Thanks. 



  • 4.  RE: Unable to get Profile

    EMPLOYEE
    Posted Nov 28, 2014 06:07 AM
    1. Yes
    2. Yes
    3. No, but it's the easiest way to know if a device is profiled or not and then bounce when it is profiled. It's a chicken-and-egg issue. You must get an IP to be profiled.


  • 5.  RE: Unable to get Profile

    Posted Nov 28, 2014 06:30 AM

    Hi, thanks for the reply once again. I am still a bit unclear. Please bear with me.

     

    If I selected the Profiler tab and configured it the same way you did in the service, that means if my device is profiled, the session will be terminated, right? So when it's terminated, it will try to connect again? Won't this be a kind of loop? Keep terminating and keep connecting?

     

     



  • 6.  RE: Unable to get Profile

    EMPLOYEE
    Posted Nov 28, 2014 06:33 AM
    No, the way the rule works in the enforcement is that it's looking for devices that are not profiled. Once it's profiled, that rule is ignored.


  • 7.  RE: Unable to get Profile

    Posted Nov 28, 2014 06:49 AM

    Hi, yes, I do know about the Enforcement tab; what I meant was the Profiler tab. Based on your 'Profiler Tab' sample, am I right to say that as long as it has a profile, do a termination? And once terminated, the client will connect again and will hit the same service. Won't it hit this 'Profiler' again?

    Sorry, I am quite confused here.



  • 8.  RE: Unable to get Profile

    EMPLOYEE
    Posted Nov 28, 2014 06:58 AM
    Profiler will only trigger once on a device. Once a device is profiled that bounce will not happen again until the device is removed from CPPM either by manual delete or cleanup.


  • 9.  RE: Unable to get Profile

    Posted Nov 28, 2014 07:18 AM
    OK thanks, now I get the picture. But which tab comes first? Does it follow the order of how it's being displayed? Meaning that Profiler comes after Enforcement?

    If that is the case, in my unknown profile I don't really have to terminate the session, right? Meaning once I am assigned a restricted role, I am profiled at the same time, and so I will be terminated via the 'Profiler' tab.

    My concern is, if I were to terminate straight after the client gets the role, would there be sufficient time for CPPM to grab the profile?

    Or does it not matter? It's just termination via the enforcement profile or the profiler.


  • 10.  RE: Unable to get Profile

    EMPLOYEE
    Posted Nov 28, 2014 07:24 AM
    Correct. The terminate is triggered by profiler after CPPM gets a copy of the DHCP and the device is profiled. You do not put a terminate in your enforcement.


  • 11.  RE: Unable to get Profile

    Posted Nov 30, 2014 10:39 PM

    Hello, I tried the method, but when my client connects the 2nd time, 'isProfiled' is still false despite being able to get the category and device name. Why is that so? Please see attached. Thanks

     

    a.png



  • 12.  RE: Unable to get Profile

    EMPLOYEE
    Posted Nov 30, 2014 10:42 PM
    Instead of using "IsProfiled", do Category NOT_EXISTS.


  • 13.  RE: Unable to get Profile

    Posted Nov 30, 2014 11:27 PM

    Other than DHCP and DNS, what else do we need to allow? I tried to allow only DHCP and DNS but it can't seem to work, but when I assign the user the guest role it works. Any idea? Thanks



  • 14.  RE: Unable to get Profile

    EMPLOYEE
    Posted Nov 30, 2014 11:29 PM
    You have a profile. Just change your logic to what I said in the previous post.


  • 15.  RE: Unable to get Profile

    Posted Nov 30, 2014 11:37 PM
    Yup, I have changed it. It works when I assign the unknown profile to the guest role, but not when I assign a role which only allows access to DHCP/DNS. I am wondering what else I need to allow for the temporary role. Thanks


  • 16.  RE: Unable to get Profile

    EMPLOYEE
    Posted Nov 30, 2014 11:39 PM
    Try with different devices. Testing profiling can be difficult because it only happens on the DHCP discover which won't happen when trying the second, third, fourth time etc.
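
Added illustration, not part of the thread and not ClearPass code: a small Python model of the flow the replies describe, showing why the "Category NOT_EXISTS" rule plus a one-time profiler bounce does not loop. The class, role names, category values and MAC addresses are hypothetical and constructed for the example.

```python
# Toy model (not ClearPass code): first-match enforcement plus a one-time
# profiler-triggered bounce, as described by the replies in this thread.
from dataclasses import dataclass, field
from typing import Optional

ALLOWED_CATEGORIES = {"SmartDevice", "Computer"}  # constructed sample values

@dataclass
class Endpoint:
    mac: str
    category: Optional[str] = None  # None models "Category NOT_EXISTS"

@dataclass
class PolicyServer:
    authorized_macs: set
    endpoints: dict = field(default_factory=dict)
    bounces: list = field(default_factory=list)  # MACs disconnected by the profiler

    def authenticate(self, mac):
        """Evaluate enforcement rules top-down; the first match wins."""
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        if mac not in self.authorized_macs:
            return "deny"
        if ep.category is None:            # Category NOT_EXISTS
            return "limited-dhcp-dns"      # note: no terminate action in enforcement
        if ep.category in ALLOWED_CATEGORIES:
            return "full-access"
        return "deny"

    def on_dhcp_fingerprint(self, mac, category):
        """Profiler event: classify, and bounce only on the first classification."""
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        first_time = ep.category is None
        ep.category = category
        if first_time:
            self.bounces.append(mac)       # forces exactly one re-authentication
        return first_time

def connect_flow(server, mac, category):
    """Roles a client receives: initial auth, then re-auth if the profiler bounced it."""
    roles = [server.authenticate(mac)]
    if roles[0] == "limited-dhcp-dns" and server.on_dhcp_fingerprint(mac, category):
        roles.append(server.authenticate(mac))
    return roles
```

In this model a later connection by the same device skips the limited role entirely, which matches the advice above to test with a device that has not been profiled yet.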