Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Amigopod - Condition Expression Based upon Aruba-Essid-Name

  • 1.  Amigopod - Condition Expression Based upon Aruba-Essid-Name

    Posted Feb 13, 2013 08:34 AM

    I am working on a deployment where the customer is running Amigopod 3.9. Amigopod is joined to the domain and can authenticate users. The customer wants to allow employees in AD to log on to both their 802.1X network as well as their Guest network. Both currently work; however, role assignment is not ideal at the moment.

     

    The goal is to allow employees to use the Guest network, but be assigned a guest role within Aruba; while being assigned an employee role when on the corporate SSID.

     

    My first question is whether the conditional role assignments should be done within the Active Directory definition (thus assigning an appropriate Amigopod Role that will present the Aruba VSA) or should a single static Amigopod Role be used to assign the appropriate Aruba-User-Role VSA based upon a conditional expression using the Aruba-Essid-Name attribute?

     

    I've attempted various configurations, but just can't seem to get both to work.   I can get roles assigned using the Aruba-Essid-Name condition, however, I can't seem to get multiple to work.

     

    The user guides have an example of doing this with Aruba-User-Vlan, which I've tried to replicate unsuccessfully. Any thoughts or pointers are appreciated.



  • 2.  RE: Amigopod - Condition Expression Based upon Aruba-Essid-Name

    Posted Feb 13, 2013 04:22 PM

    Paste a screenshot of your RADIUS Role definition and it might be possible to suggest some improvements on how to do it.



  • 3.  RE: Amigopod - Condition Expression Based upon Aruba-Essid-Name

    Posted Mar 02, 2013 02:50 PM

    Perhaps I'm missing something, but wouldn't creating two services that match on SSID solve this? One service for the guest network and one for the corporate network, with the roles you want.



  • 4.  RE: Amigopod - Condition Expression Based upon Aruba-Essid-Name

    Posted Mar 03, 2013 09:01 PM

    The initial issue was Amigopod, not ClearPass; thus no services.



  • 5.  RE: Amigopod - Condition Expression Based upon Aruba-Essid-Name

    Posted Mar 05, 2013 03:30 PM

    Like I said, I might be missing something, and I was: totally different product, sorry.



  • 6.  RE: Amigopod - Condition Expression Based upon Aruba-Essid-Name

    Posted Mar 06, 2013 09:37 AM
    Hello
    Are you still working on this issue? And is it more of a best practice question than getting it to work?
    I mean - the captive portal profile should assign the guest role regardless of how the user was authenticated - unless you have changed the defaults.

    What kind of authentication device do you have for the 802.1x? Is that also using Amigopod?

    If you've worked it out - let us know what solution you ended up with.