Hi
We deliver a service with wireless network and authentication based on Aruba Instant and ClearPass to franchise companies.
ClearPass, Active Directory and common application servers are placed in a central network.
Franchise devices need to have different roles depending on the usage in the local store.
Device type "A" should only be able to access internet and printers on the local LAN.
Device type "B" should have access to all resources on the local LAN and also in the shared services network.
Only devices of these two types should be allowed to connect. Unclassified devices should be rejected.
Devices authenticate with username and password. Depending on the device type, access rights should differ. Devices are not members of AD, and devices can be iOS, Android, etc.
Defining roles with different firewall rules in IAP with ClearPass is easy.
My question is:
What would be the most convenient way of letting the local device administrator at each store assign a device as type "A" or "B"?
I don't want to give these persons access to edit attributes in the Endpoints table, because it's not possible to only filter out "his" devices.
OnBoard with different profiles would solve this, but the cost for OnBoard is too high for this customer...
Any ideas on how to solve this are appreciated.
Thanks
Jonas