11-10-2016 08:43 AM
I'm working on booting employees from my guest network so that they connect to the 802.1x network.
The guest network is open with self registration.
My plan was to use a SHL in CPPM and assign a different role that would send them to a captive portal with a nice message. It worked... halfway. During the initial MAC Auth, CPPM would send back a RADIUS REJECT and an Aruba-User-Role that I wanted, but the controller keeps putting the client into the initial group. I also tried a CoA enforcement profile, but that didn't seem to help.
The more I think about it, there isn't a way to do what I want in this way, right? Because the client isn't authenticated yet, it is ALWAYS going to get the initial role from the AAA profile. Is there a way to force this, or am I going about it wrong?
(Note: I did find that if I created a guest device account and assigned the 'banned-guest-role', it does work as desired; I just figured a SHL would be easier to manage.)
11-10-2016 08:49 AM
11-10-2016 11:22 AM
I ended up creating a new service that will only match on SHL (probably redundant), and in that service I created a new MAC Authentication that allows unknown end-hosts (so now they get RADIUS accept instead of reject). From there the authorization and enforcement sends them to the Banned Guest role and thus to the captive portal.