Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Ways to Block IOS/Android to Internal Network

  • 1.  Ways to Block IOS/Android to Internal Network

    Posted Nov 10, 2019 05:43 PM

    Currently we have a single rule in the ClearPass server for wireless devices.

    This includes corporate devices (laptops and iOS devices).

    All iOS devices are managed by MDM, so that part is fine.

    What we wish to achieve is to block all iOS/Android devices from accessing the internal network, with the exception of AirPrint and a few other services.

    Is an ACL the best way to achieve this?

    Is it best to split the policy for iOS/Android and laptops?

    We are using ClearPass 6.10 and also have Aruba Central.



  • 2.  RE: Ways to Block IOS/Android to Internal Network

    Posted Nov 11, 2019 03:49 AM

    If you're working with Aruba user roles, I would recommend defining a user-role for corporate devices (laptops) and another user role for MDM (iOS).

    Then you can apply different policies per user-role.

    For example, block all internal traffic for the iOS user-role.

    If you're not working with user roles, you should put the iOS devices in another VLAN ID which is limited to the internet.



  • 3.  RE: Ways to Block IOS/Android to Internal Network

    Posted Nov 11, 2019 04:28 PM

    We are working with user roles for both the wired and wireless network.

    So am I meant to create the user role in Aruba Central or in ClearPass?



  • 4.  RE: Ways to Block IOS/Android to Internal Network

    Posted Nov 12, 2019 05:25 AM

    You need to create them on both sides, ClearPass and Aruba Central (I guess you manage your APs and switches from Central?).

    On ClearPass, you will return the user-role to your NAD (AP or switch). So let's say on the enforcement profile, if it's an iOS/Android phone, you will return a user role: mobile-user-role. If it's a corporate device, you will return a user role: corporate-user-role.

    Then on Aruba Central, you will define those user roles for your switches and APs with specific configuration like:

    mobile-user-role:

    1. vlan-id 500
    2. policy "restricted" (this policy should contain restrictive ACLs for internal subnets).

    Another solution would be to have a VLAN which terminates at a firewall, and there you only allow internet access.

    corporate-user-role:

    1. vlan-id 10
    2. policy "unrestricted" (here create an ACL which allows all access to internal subnets).

    Otherwise, let's say your VLAN 10 terminates at a firewall, and there you allow access to internal subnets and the internet.
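The role-to-policy mapping described in this reply, worked through as an added Python example that is not part of the thread and is not ClearPass or Aruba Central configuration syntax. It models the two enforcement decisions the reply separates: which user role comes back from ClearPass, and what the "restricted" policy attached to that role allows. All subnets, printer and DNS addresses, and the endpoint attribute names (`os_family`, `corporate`) are constructed placeholders; the role names and VLAN IDs are the ones the reply uses. The `shadowed_rules` check goes beyond the reply by flagging the ordering mistake where the internal-subnet deny is placed above the AirPrint exceptions, which would silently block printing.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing; not the poster's network.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRINTERS = [ip_network("10.10.20.5/32")]      # assumed AirPrint-capable printer
DNS_SERVERS = [ip_network("10.0.0.53/32")]    # assumed internal resolver
MDNS = [ip_network("224.0.0.251/32")]         # mDNS multicast group used by Bonjour/AirPrint
ANY = [ip_network("0.0.0.0/0")]


def choose_role(endpoint):
    """Mimic the enforcement profile: which user role ClearPass hands back to the
    AP for an authenticated endpoint. Keys are assumed names, loosely modelled on
    endpoint attributes; `corporate` stands for "authenticated as a managed laptop"."""
    if endpoint.get("os_family") in ("Apple iOS", "Android"):
        return {"role": "mobile-user-role", "vlan": 500}
    if endpoint.get("corporate"):
        return {"role": "corporate-user-role", "vlan": 10}
    return None  # no match: the NAD's default/initial role applies


# Policies as ordered rule lists: (name, destinations, protocol, port, action).
# First match wins, with an implicit deny after the last rule, which is how
# session ACLs on the NAD behave. Exceptions come BEFORE the internal deny.
RESTRICTED = [
    ("airprint-ipp", PRINTERS, "tcp", 631, "permit"),
    ("mdns", MDNS, "udp", 5353, "permit"),
    ("dns", DNS_SERVERS, "udp", 53, "permit"),
    ("block-internal", RFC1918, "any", None, "deny"),
    ("internet", ANY, "any", None, "permit"),
]
UNRESTRICTED = [("all", ANY, "any", None, "permit")]


def _matches(rule, dst, proto, port):
    _, nets, rproto, rport, _ = rule
    return (any(dst in n for n in nets)
            and rproto in ("any", proto)
            and rport in (None, port))


def evaluate(policy, dst, proto, port):
    """Return 'permit' or 'deny' for a flow from a client in the role to dst:port."""
    dst = ip_address(dst)
    for rule in policy:
        if _matches(rule, dst, proto, port):
            return rule[4]
    return "deny"  # implicit deny at the end of the list


def shadowed_rules(policy):
    """Names of rules that can never match because an earlier, broader rule already
    covers every destination, protocol and port they describe."""
    shadowed = []
    for i, (name, nets, proto, port, _) in enumerate(policy):
        for _, enets, eproto, eport, _ in policy[:i]:
            covers_net = all(any(n.subnet_of(e) for e in enets) for n in nets)
            if covers_net and eproto in ("any", proto) and eport in (None, port):
                shadowed.append(name)
                break
    return shadowed


if __name__ == "__main__":
    phone = choose_role({"os_family": "Apple iOS"})
    print(phone, evaluate(RESTRICTED, "10.10.20.5", "tcp", 631),   # permit (AirPrint)
          evaluate(RESTRICTED, "10.50.1.7", "tcp", 445))            # deny (internal SMB)
    # Same rules with the internal deny hoisted to the top: exceptions become dead rules.
    wrong_order = [RESTRICTED[3]] + RESTRICTED[:3] + [RESTRICTED[4]]
    print("shadowed:", shadowed_rules(wrong_order))
```

Whichever way the policy is expressed on the NAD, the evaluator makes the two checks worth running before rolling out the restricted role: that the AirPrint and DNS exceptions actually match ahead of the RFC1918 deny, and that internet-bound traffic still falls through to the final permit.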

     

     

     



  • 5.  RE: Ways to Block IOS/Android to Internal Network

    Posted Nov 12, 2019 05:15 PM

    That's one hell of an explanation.

    Thank you so much.

    We manage the APs from Central but not the switch.

    Do you reckon it's better to create 2 separate policies for this?