Higher Education

New Contributor
Posts: 11
Registered: ‎08-18-2015
Wireless Design - Is this Feasible

We have been running an open SSID on campus for several years - long story, please no comments. We are looking into securing access but want to keep things simple and accessible. Is there a way with a single WLAN to get to 802.1x for protected traffic then fall through to a captive portal using ClearPass?

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010
Re: Wireless Design - Is this Feasible
If authentication passes, you can drop to a captive portal based on the
role. You cannot fail open on a wireless 802.1X network.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 146
Registered: ‎05-12-2010
Re: Wireless Design - Is this Feasible

In ClearPass, you can set whatever role you wish, including a captive portal logon role, for authentication failure.

You might be able to use ClearPass Guest to accomplish this.

We have an open mac auth SSID that fails to a captive portal role.

We have found it best to send a RADIUS accept for the failed auth and set the role. If you do not use the RADIUS accept, it should work with Aruba wireless, but we have found things work more reliably with the Accept.

Bruce Osborne - Wireless Engineer
ACCP, ACMP
Guru Elite
Posts: 8,643
Registered: ‎09-08-2010
Re: Wireless Design - Is this Feasible
Just an FYI. The benefit of doing a reject over an accept is that a license
is not consumed which is helpful for drive bys on an open network.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 11
Registered: ‎08-18-2015
Re: Wireless Design - Is this Feasible

Thanks for replying. I read in another post - 247277, that sounded like what we want to do.

Single SSID with 802.1x for devices that support it - push config to AD devices or on-board.

Splash page for those that do not - Guest Access

White listed MAC address that we want to allow on

White list devices that a user can Auth against AD.

We have had ClearPass but it has not been put into production. My background is MSM and Cisco so I am not sure how CP can play into what we want.

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010
Re: Wireless Design - Is this Feasible
A typical university design would be:

802.1X network for all university users with devices that support it.

An open network with MAC-auth for guests and headless devices like game consoles, media players, printers, etc. Those devices can be pre-registered by end users using the device registration portal.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 146
Registered: ‎05-12-2010
Re: Wireless Design - Is this Feasible

cappalli wrote:
A typical university design would be:

802.1X network for all university users with devices that support it.

An open network with MAC-auth for guests and headless devices like game consoles, media players, printers, etc. Those devices can be pre-registered by end users using the device registration portal.


This is exactly what we do at Liberty University. We also have an open SSID for guest, controlled by a ClearPass Guest portal.

Bruce Osborne - Wireless Engineer
ACCP, ACMP
New Contributor
Posts: 11
Registered: ‎08-18-2015
Re: Wireless Design - Is this Feasible

When I was working with other vendor products that is how I would set it up, open guest SSID and another protected by 802.1x. What I found was when a user would take their laptop home and connect to their WLAN, or Starbucks, or ..., then come back they would from time to time connect to the open SSID instead of the preferred protected SSID.

I was hoping for an easier solution.

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010
Re: Wireless Design - Is this Feasible
They will only connect to it automatically if they have it saved on their laptop. If users connect to it, they need to forget it.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 146
Registered: ‎05-12-2010
Re: Wireless Design - Is this Feasible

We currently use another vendor's product for onboarding. The product automatically connects the client to the 802.1X SSID, sets it as top priority and "forgets" the open one. For Apple users, they need to manually connect after installing the network profile, though.

Bruce Osborne - Wireless Engineer
ACCP, ACMP