Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Using the guest device repository for authentication in Clearpass Guest

  • 1.  Using the guest device repository for authentication in Clearpass Guest

    Posted Sep 05, 2018 06:37 AM

    Hi,

     

    I'm looking for a way to register students' consoles which don't support WPA2-Ent and have come across a few articles suggesting registering them in the guest device repository on ClearPass Guest.

    To do this, would I be best to add this as an authentication source in the Guest MAC authentication?

    This would appear like it might work, but the MAC auth fails due to attributes it looks for in the Insight repository (which was in by default).

    Is this setting necessary or is there a better way to do this?

    Thanks



  • 2.  RE: Using the guest device repository for authentication in Clearpass Guest

    Posted Sep 05, 2018 07:24 AM
    What does your enforcement policy look like? It seems the authentication isn't matching anything in your enforcement and being rejected.



  • 3.  RE: Using the guest device repository for authentication in Clearpass Guest

    Posted Sep 05, 2018 09:10 AM

    [Attachment: guestconnect4.JPG]

    This is the enforcement policy. Again, it's on the default setup. Role will equal guest, but it looks like the Insight repository is what's killing it. Does this play a key part security-wise for auth?



  • 4.  RE: Using the guest device repository for authentication in Clearpass Guest

    Posted Sep 05, 2018 07:44 AM

    We're just about to roll this out here. Starting with game consoles only and restricting who can connect to a WPA2-PSK net based upon their DHCP signatures.

    Next step is a batch of AirGroup-aware devices.

    We have:

    1). PSK net with easy to remember PSK

    2). ClearPass Guest device registration

    3). MAC auth using [Guest Device Repository]

    4). Role based enforcement

    Rgs

    A



  • 5.  RE: Using the guest device repository for authentication in Clearpass Guest

    Posted Sep 05, 2018 09:11 AM

    We've killed all our PSK networks. They just aren't secure enough and we can't identify specific users on them which is a key requirement for us.



  • 6.  RE: Using the guest device repository for authentication in Clearpass Guest

    EMPLOYEE
    Posted Sep 05, 2018 09:13 AM
    You're missing the rules to check for the registered devices.


  • 7.  RE: Using the guest device repository for authentication in Clearpass Guest

    Posted Sep 05, 2018 09:16 AM
    Yeah, what Tim said above.

    You could very easily get this working by adding a rule to your enforcement which says:

    If authentication source equals guest device repository -> Allow access

    This may not be the best way to get it working but should point you in the right direction.


  • 8.  RE: Using the guest device repository for authentication in Clearpass Guest

    Posted Sep 05, 2018 09:20 AM

    Thanks, I was hoping to make sure I was doing this in the most secure manner. I didn't want to just hack a solution in if it was going to bypass recommended measures. Are the Insight rules even needed?



  • 9.  RE: Using the guest device repository for authentication in Clearpass Guest

    EMPLOYEE
    Posted Sep 05, 2018 09:25 AM
    No, you can use the newer way with the MAC-Auth Expiry attribute. Take a look at the ClearPass Solution Guide for Wired Policy Enforcement for examples of a device registration plus guest policy. It's essentially the same wired vs wireless.


  • 10.  RE: Using the guest device repository for authentication in Clearpass Guest

    EMPLOYEE
    Posted Sep 05, 2018 09:28 AM

    In addition to Tim's comment above, ensure you place the [Guest Device Repository] above the [Endpoint Repository] under the authentication sources.