Security

MVP
Posts: 1,110
Registered: ‎10-11-2011

Block devices on one SSID if previously logged into another

Scenario:

Corporate (802.1X) and Guest (open w/clearpass captive portal) SSIDs are broadcasted.  Corporate devices may connect to the corporate SSID, but not the guest SSID.  The guest SSID captive portal only requires guests to 'accept terms' in order to gain Internet access; no username/password or identifiable information is requested.


How do you keep Corporate devices from gaining Internet access on the guest SSID?  My current thought is a post authentication update that tags endpoints with an attribute of 'corporate' after logging into the corporate SSID.  The guest's captive portal would check for this attribute when authentications occur.  If the attribute exists, access is denied.


I feel like this would work just fine, but am curious to know if anyone has some other ideas.  Can Clearpass verify if a device has logged into the Corporate SSID before?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: Block devices on one SSID if previously logged into another

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Guide-Using-ClearPass-to-steer-users-to-secure-networks-mhc/m-p/144823
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Block devices on one SSID if previously logged into another

Yes, simply add an attribute to the endpoint database when they authenticate
to corporate, and then check for it as rule #1 on the guest service.



See this doc I wrote a couple of years ago:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Guide-Using-ClearPass-to-steer-users-to-secure-networks-mhc/td-p/144823

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
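The tag-then-check flow described in this reply, as an added example that is not ClearPass code or the guide's own content: the corporate service writes a hypothetical "Corporate" attribute to the endpoint on successful 802.1X, and the guest service evaluates that attribute as rule #1, before the accept-terms rule, so a tagged device is sent to an informational page instead of getting Internet access. The attribute name, the redirect page name and the MAC addresses are assumptions constructed for the example.

```python
# Added example, not ClearPass code: a minimal model of the two-service policy.
# Endpoints are keyed by MAC, which is how a captive portal service identifies a
# device that has not presented any credentials.

# Constructed stand-in for the ClearPass Endpoint Repository: MAC -> attributes.
ENDPOINTS = {}


def corporate_auth(mac, eap_success):
    """Corporate (802.1X) service: on a successful EAP auth, tag the endpoint."""
    if not eap_success:
        return "REJECT"
    # Post-authentication endpoint update; "Corporate" is an assumed attribute name.
    ENDPOINTS.setdefault(mac, {})["Corporate"] = "true"
    return "ACCEPT"


def guest_auth(mac, accepted_terms):
    """Guest service. Rules are evaluated in order; order is what makes this work.

    Rule #1: an endpoint tagged Corporate never gets Internet on guest, even if
             it has accepted the terms; it is redirected to an informational page.
    Rule #2: the ordinary captive-portal flow for everyone else.
    """
    attrs = ENDPOINTS.get(mac, {})
    if attrs.get("Corporate") == "true":
        return "REDIRECT:not-on-guest"  # hypothetical "use the corporate SSID" page
    if accepted_terms:
        return "ACCEPT"
    return "REDIRECT:captive-portal"


def run_scenario():
    """Walk the thread's scenario: one corporate laptop, one unknown visitor device."""
    corp, visitor = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"  # constructed MACs
    results = {}
    results["corp_on_corporate"] = corporate_auth(corp, eap_success=True)
    # Tagged device: denied on guest even after clicking "accept terms".
    results["corp_on_guest"] = guest_auth(corp, accepted_terms=True)
    results["visitor_first_hit"] = guest_auth(visitor, accepted_terms=False)
    results["visitor_after_terms"] = guest_auth(visitor, accepted_terms=True)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Note that a device that has never authenticated to the corporate SSID carries no tag, so the check only catches corporate devices after their first 802.1X login.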
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: Block devices on one SSID if previously logged into another

Or..  push the Guest SSID to that client with WEP encryption via a GPO.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Block devices on one SSID if previously logged into another

Perfect! Thanks guys. Out of curiosity, why do you suggest posting the
redirect page on a server rather than a weblogin page in Clearpass? This
won't be an issue for me, I'm just curious.

Colin, that was the initial plan but I'm concerned about the 1% chance some
hotel is using the same guest SSID. I like the idea of the redirect page
too in the instructions above as it will inform the user they shouldn't be
on guest. This should reduce calls to the help desk.
Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Block devices on one SSID if previously logged into another

Well, I wrote this when I was at a university and we had thousands of users
hitting the page all the time. Since auth was never going to be performed on
that page and ClearPass wasn't needed, I just wanted to take any extra load
off the ClearPass web server.



I would also recommend making the page HTTP instead of HTTPS. It will reduce
load on ClearPass and the controller and also users won't get certificate
errors on redirect.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Block devices on one SSID if previously logged into another

Very good. Thanks Tim.