Contributor I

Using the guest device repository for authentication in Clearpass Guest

Hi,

 

I'm looking for a way to register students' consoles which don't support WPA2-Ent and have come across a few articles suggesting registering them in the guest device repository on Clearpass Guest.

To do this, would I be best to add this as an authentication source in the Guest MAC authentication?

This would appear like it might work, but the MAC auth fails due to attributes it looks for in the insight repository (which was in by default).

Is this setting necessary or is there a better way to do this?

Thanks


Re: Using the guest device repository for authentication in Clearpass Guest

What does your enforcement policy look like? It seems the authentication isn't matching anything in your enforcement and being rejected.


Cheers
James
----------------------------------------------------------------------
--------------------------@whereisjrw--------------------------
---------------------------------blog-------------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
----------------------------------------------------------------------
----------------------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.

Re: Using the guest device repository for authentication in Clearpass Guest

We're just about to roll this out here. Starting with Game Consoles only and restricting who can connect to a WPA2-PSK net based upon their DHCP signatures.

Next step is a batch of airgroup aware devices.

We have

1). PSK net with easy to remember PSK
2). Clearpass Guest device registration
3). MAC auth using [Guest Device Repository]
4). Role based enforcement

Rgs

A

Contributor I

Re: Using the guest device repository for authentication in Clearpass Guest

[Attached image: guestconnect4.JPG]

This is the enforcement policy. Again it's on the default setup. Role will equal guest, but it looks like the insight repository is what's killing it. Does this play a key part security-wise for auth?

Contributor I

Re: Using the guest device repository for authentication in Clearpass Guest

We've killed all our PSK networks. They just aren't secure enough and we can't identify specific users on them which is a key requirement for us.

Moderator

Re: Using the guest device repository for authentication in Clearpass Guest

You're missing the rules to check for the registered devices.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |


Re: Using the guest device repository for authentication in Clearpass Guest

Yeah, what Tim said above.

You could very easily get this working by adding a rule to your enforcement which says:

If authentication source equals guest device repository -> Allow access

This may not be the best way to get it working but should point you in the right direction.

Cheers
James
Contributor I

Re: Using the guest device repository for authentication in Clearpass Guest

Thanks, I was hoping to make sure I was doing this in the most secure manner. I didn't want to just hack a solution in if it was going to bypass recommended measures. Are the insight rules even needed?

Moderator

Re: Using the guest device repository for authentication in Clearpass Guest

No, you can use the newer way with the MAC-Auth Expiry attribute. Take a look at the ClearPass Solution Guide for Wired Policy Enforcement for examples of a device registration plus guest policy. It's essentially the same wired vs wireless.



Re: Using the guest device repository for authentication in Clearpass Guest

In addition to Tim's comment above, ensure you place the [Guest Device Repository] above the [Endpoint Repository] under the authentication sources.


Thanks,
Saravanan

Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
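
The three suggestions in this thread (a rule matching the guest device repository as authentication source, an expiry check on the registration, and placing [Guest Device Repository] above [Endpoint Repository]) can be seen interacting in a simplified model. This is an added example, not part of any post and not ClearPass code or configuration: it assumes the first source that knows the MAC becomes the authentication source and that rules are evaluated first-applicable with a default deny; the function names, the `expiry` field (a stand-in for the MAC-Auth Expiry attribute) and the MAC addresses are constructed.

```python
from datetime import datetime

# Constructed sample data: one registered console, and what each source knows.
CONSOLE = "a4c0e1aabbcc"
SOURCES = {
    "[Guest Device Repository]": {CONSOLE: {"expiry": datetime(2030, 1, 1)}},
    "[Endpoint Repository]": {CONSOLE: {}, "001122334455": {}},
}

def authenticate(mac, source_order):
    """Return (source, attributes) from the first source that knows the MAC."""
    for name in source_order:
        record = SOURCES[name].get(mac)
        if record is not None:
            return name, record
    return None, {}

def enforce(mac, source_order, rules, now, default="deny"):
    """First-applicable rule evaluation; fall through to the default profile."""
    source, attrs = authenticate(mac, source_order)
    if source is None:
        return default
    for condition, profile in rules:
        if condition(source, attrs, now):
            return profile
    return default

def registered_and_unexpired(source, attrs, now):
    # The rule from the thread, tightened with an expiry check (assumed field).
    expiry = attrs.get("expiry")
    return (source == "[Guest Device Repository]"
            and expiry is not None and now < expiry)

RULES_WITHOUT = []  # stand-in for a policy with no registered-device rule
RULES_WITH = [(registered_and_unexpired, "allow")]
GUEST_FIRST = ["[Guest Device Repository]", "[Endpoint Repository]"]
ENDPOINT_FIRST = ["[Endpoint Repository]", "[Guest Device Repository]"]

if __name__ == "__main__":
    now = datetime(2025, 1, 1)
    print(enforce(CONSOLE, GUEST_FIRST, RULES_WITHOUT, now))   # no matching rule
    print(enforce(CONSOLE, GUEST_FIRST, RULES_WITH, now))      # registered device
    print(enforce(CONSOLE, ENDPOINT_FIRST, RULES_WITH, now))   # wrong source order
    print(enforce(CONSOLE, GUEST_FIRST, RULES_WITH, datetime(2031, 1, 1)))  # expired
```
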
