02-25-2016 12:25 PM
I'm trying to simplify wireless access for "smart" (actually dumb) devices getting onto our wireless. I'm planning on having an open SSID with a captive portal for guests to self-register for access, and I'd like to use that same SSID for these devices. I would want to have them simply connect to the SSID, get profiled by ClearPass, and have it either grant access or prompt the user to register based on device type (Smart TVs, Apple TVs, Game Consoles, etc.). I've tried testing this but haven't had any success as I always get the captive portal. I know that you can have users register their devices, and I'll use that as a last resort, but I'd really like them to not have to think about it. Is this possible? TIA!
02-25-2016 01:10 PM - edited 02-25-2016 01:13 PM
This is what I have in the role mapping & enforcement policies now. I first tried it with the Device Type equals Apple iPhone in the enforcement policy and haven't had any luck in either.
02-25-2016 01:23 PM
Device Name or OS Family. Also, be sure you have the endpoints repository as
an authorization source.
I'd recommend tagging the device type in the role map instead of a direct
Authorization:[Endpoint Repository] Device Name
EQUALS Apple iPhone
Role = DEVICE_IPHONE
Tips:Role EQUALS DEVICE_IPHONE
AND Tips:Role EQUALS USER_FACULTY
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
02-26-2016 12:20 PM
Thank you Tim! Your guidance led me in the right direction. I had to add the endpoints repository to the authentication source AND use the [Allow All MAC AUTH] authentication method. I tested with my phone and a PC laptop and it's working as I want. Now I just need to add in all of my device types and bring some in to test with. Thanks again!
04-13-2016 01:20 PM
Just wanted to update this as I still don't have things working as I want. By changing the Authentication method to "Allow All Mac Auth", it was just accepting ALL devices, so nobody was getting dumped into the captive portal. I can really only get it working one way, or the other, but not with both. And it also seems to take two authentication attempts for my device to get the role I want.
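The role-map-then-enforce flow from the 02-25 reply, and the accept-everything behaviour described in the last post, as an added Python model. It is not ClearPass configuration and not code from anyone in this thread. The MAC addresses, the Apple TV and Smart TV entries, their roles, and the ALLOW_ACCESS / CAPTIVE_PORTAL outcome names are constructed for the example.

```python
# Added illustration: a plain-Python model of the policy flow, not ClearPass config.

# Role mapping: tag a role from Authorization:[Endpoint Repository] Device Name.
ROLE_MAP = {
    "Apple iPhone": "DEVICE_IPHONE",   # pairing taken from the thread
    "Apple TV": "DEVICE_APPLETV",      # constructed
    "Smart TV": "DEVICE_SMARTTV",      # constructed
}

# Enforcement: rules test Tips:Role only; first match wins. A rule listing
# several roles is an AND, like DEVICE_IPHONE AND USER_FACULTY in the thread.
ENFORCEMENT_RULES = [
    ({"DEVICE_APPLETV"}, "ALLOW_ACCESS"),
    ({"DEVICE_SMARTTV"}, "ALLOW_ACCESS"),
    ({"DEVICE_IPHONE", "USER_FACULTY"}, "ALLOW_ACCESS"),
]
DEFAULT_OUTCOME = "CAPTIVE_PORTAL"     # anything no rule matches lands here

# Constructed endpoint repository contents.
ENDPOINTS = {
    "aa:bb:cc:00:00:01": {"Device Name": "Apple TV"},
    "aa:bb:cc:00:00:02": {"Device Name": "Apple iPhone"},
    "aa:bb:cc:00:00:03": {},           # seen on the network, not profiled yet
}


def map_roles(mac, endpoint_repo):
    """Return the device roles for a MAC; empty if unknown or unprofiled."""
    record = endpoint_repo.get(mac.lower(), {})
    role = ROLE_MAP.get(record.get("Device Name"))
    return {role} if role else set()


def evaluate(mac, endpoint_repo, user_roles=frozenset()):
    """Authentication accepts every MAC, so enforcement alone decides access."""
    roles = map_roles(mac, endpoint_repo) | set(user_roles)
    for required, outcome in ENFORCEMENT_RULES:
        if required <= roles:          # every role named in the rule is present
            return outcome
    return DEFAULT_OUTCOME


if __name__ == "__main__":
    for mac in list(ENDPOINTS) + ["aa:bb:cc:00:00:99"]:
        print(mac, evaluate(mac, ENDPOINTS))
```

In this model an accept-all authentication step never rejects a client, so the default outcome is the only thing that keeps unrecognised or unprofiled devices behind the portal.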