Aruba
Posts: 1,642
Registered: ‎04-13-2009

Amigopod - Condition Expression Based upon Aruba-Essid-Name

I am working a deployment where the customer is running Amigopod 3.9. Amigopod is joined to the domain and can authenticate users. The customer wants to allow employees in AD to log on to both their 802.1X network as well as their Guest network. Both currently work, however role assignment is not ideal at the moment.

The goal is to allow employees to use the Guest network, but be assigned a guest role within Aruba; while being assigned an employee role when on the corporate SSID.

My first question is whether the conditional role assignments should be done within the Active Directory definition (thus assigning an appropriate Amigopod Role that will present the Aruba VSA) or should a single static Amigopod Role be used to assign the appropriate Aruba-User-Role VSA based upon a conditional expression using the Aruba-Essid-Name attribute?

I've attempted various configurations, but just can't seem to get both to work. I can get roles assigned using the Aruba-Essid-Name condition, however, I can't seem to get multiple to work.

The user guides have an example of doing this with Aruba-User-Vlan, which I've tried to replicate unsuccessfully. Any thoughts or pointers are appreciated.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba
Posts: 113
Registered: ‎11-21-2011

Re: Amigopod - Condition Expression Based upon Aruba-Essid-Name

Paste a screenshot of your RADIUS Role definition and it might be possible to suggest some improvements on how to do it.

MVP
Posts: 1,407
Registered: ‎11-30-2011

Re: Amigopod - Condition Expression Based upon Aruba-Essid-Name

Perhaps I'm missing something, but wouldn't creating two services that match on SSID solve this? One service for guest network and one for corporate network, with the roles you want.

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: Amigopod - Condition Expression Based upon Aruba-Essid-Name

The initial issue was Amigopod, not ClearPass; thus no services.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 1,407
Registered: ‎11-30-2011

Re: Amigopod - Condition Expression Based upon Aruba-Essid-Name

Like I said, I might be missing something, and I was; totally different product, sorry.

MVP
Posts: 505
Registered: ‎05-11-2011

Re: Amigopod - Condition Expression Based upon Aruba-Essid-Name

Hello
Are you still working on this issue? And is it more of a best practice question than getting it to work?
I mean - the captive portal profile should assign the guest role regardless of how the user was authenticated - unless you have changed the defaults.

What kind of authentication device do you have for the 802.1x? Is that also using Amigopod?

If you've worked it out - let us know what solution you ended up with.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!