Re: [WIRELESS-LAN] Amazon echo & Google home

2017-04-11 Thread Hinojosa,Rafael
We’ve recently enabled a similar open network & allowed gaming & home a/v 
devices on w/o the need for registration or additional configuration.

To do this, we’re using Aruba HPE ClearPass.  It handles ALMOST all of the 
categorizing & classification from DHCP Fingerprints and other voodoo black 
magic between itself & our Aruba controllers.

I emphasized almost, because we had to be pretty tuned into what it fails to 
classify & make specific exceptions / roles to allow some un-categorized 
devices like Roku TVs, Amazon TAP & Fire Sticks.  These exceptions could be 
seen as security holes so we locked down this new open network even more so 
than usual - NAT’ed, no access to internal resources, different IP space, 
several common ports restricted.   We’ve yet to hear of any complaints from 
gamers or streamers alike, but we’ll have to investigate once we do.

Our role assignment does a few things…

1) If categorized as Home AV or Game Console = ALLOW
2) If categorized as one of our 3 exceptions = ALLOW
3) If Computer = JAILED - Captive Portal telling user to use our Secure 
   802.1x network
4) If MAC Registered = ALLOW
5) If Smart Device = JAILED - Captive Portal telling user to use our 
   Secure 802.1x network
6) Else, DENIED = JAILED - Captive Portal asking user to get in touch 
   with us.

We did this after doing a similar change at another school we provide service 
for.  Except there, we didn’t create a new network, we used the existing WEP 
keyed network & skipped checking MAC Registration for categorized devices.  
Users still need to configure their device for WEP, but they now no longer have 
to register them.

The most impressive device we ran into was the Fire Stick - it displayed a 
Captive Portal natively on the device.

Best of luck,

--Raf


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Cappalli, Tim (Aruba 
Security)" 
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Tuesday, April 11, 2017 at 8:41 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Amazon echo & Google home

Echo supports captive portal via the phone used for setup.

How is the NAC detecting them? DHCP fingerprinting? Registration?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Entwistle, Bruce" 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Monday, April 10, 2017 at 5:13 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] Amazon echo & Google home

We are currently using our NAC on an unsecured network to detect gaming devices 
and allowing the appropriate devices to connect, then directing other devices 
to our 802.1x network.  However, this solution is currently not available for 
the Amazon echo and Google home devices.  I was looking to the group to see how 
others are providing a wireless connection for these devices.

Thank you
Bruce Entwistle
Network Manager
University of Redlands

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
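
The ordered role assignment described in the message above, modelled as a first-match rule chain. This is an added example, not ClearPass configuration or anything posted to the list; first-match evaluation, the category strings, the Device fields and the three exception names are assumptions made for the sketch.

```python
# Added illustration: the six-step role assignment from the post as an
# ordered, first-match rule chain. Not ClearPass configuration; category
# strings and the Device fields are assumptions made for this sketch.
from dataclasses import dataclass

ALLOW = "ALLOW"
JAIL_USE_8021X = "JAILED: portal points user to the secure 802.1x network"
JAIL_CONTACT = "JAILED: portal asks user to get in touch"

# Assumed to be the three exceptions, taken from the devices the post names.
EXCEPTIONS = {"Roku TV", "Amazon TAP", "Fire Stick"}


@dataclass
class Device:
    name: str
    category: str              # profiler result, e.g. from DHCP fingerprinting
    mac_registered: bool = False


# (rule number, predicate, outcome), in the order the post lists them.
RULES = [
    (1, lambda d: d.category in {"Home AV", "Game Console"}, ALLOW),
    (2, lambda d: d.category in EXCEPTIONS, ALLOW),
    (3, lambda d: d.category == "Computer", JAIL_USE_8021X),
    (4, lambda d: d.mac_registered, ALLOW),
    (5, lambda d: d.category == "Smart Device", JAIL_USE_8021X),
]


def assign_role(device, rules=RULES):
    """Return (rule_number, outcome) of the first match; rule 6 is the default."""
    for number, predicate, outcome in rules:
        if predicate(device):
            return number, outcome
    return 6, JAIL_CONTACT


# Constructed sample clients.
SAMPLES = [
    Device("console", "Game Console"),
    Device("registered laptop", "Computer", mac_registered=True),
    Device("registered phone", "Smart Device", mac_registered=True),
    Device("unprofiled speaker", "Unknown"),
]

if __name__ == "__main__":
    for dev in SAMPLES:
        print(dev.name, "->", assign_role(dev))
```

Under first-match evaluation a MAC-registered computer is still jailed by rule 3, while a MAC-registered smart device is allowed by rule 4 before rule 5 is reached.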



Re: [WIRELESS-LAN] Amazon echo & Google home

2017-04-11 Thread Cappalli, Tim (Aruba Security)
Echo supports captive portal via the phone used for setup.

How is the NAC detecting them? DHCP fingerprinting? Registration?


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Entwistle, Bruce" 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Monday, April 10, 2017 at 5:13 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] Amazon echo & Google home

We are currently using our NAC on an unsecured network to detect gaming devices 
and allowing the appropriate devices to connect, then directing other devices 
to our 802.1x network.  However, this solution is currently not available for 
the Amazon echo and Google home devices.  I was looking to the group to see how 
others are providing a wireless connection for these devices.

Thank you
Bruce Entwistle
Network Manager
University of Redlands




Amazon echo & Google home

2017-04-10 Thread Entwistle, Bruce
We are currently using our NAC on an unsecured network to detect gaming devices 
and allowing the appropriate devices to connect, then directing other devices 
to our 802.1x network.  However, this solution is currently not available for 
the Amazon echo and Google home devices.  I was looking to the group to see how 
others are providing a wireless connection for these devices.

Thank you
Bruce Entwistle
Network Manager
University of Redlands

