Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM RADIUS Authentication

  • 1.  CPPM RADIUS Authentication

    Posted Jul 22, 2013 07:34 AM

    Dears,

    We want to accomplish the following with ClearPass:

    Users coming from the employee SSID need to get different VLANs on the basis of conditions.

    The purpose is to allow all content (fb, youtube etc.) for VIP users while others will get blocked access. We have done it with different SSIDs but we want to do it in one SSID. We will use Cisco ACS and ClearPass to get it done.

    Any suggestions, please...

    Thanks & Regards



  • 2.  RE: CPPM RADIUS Authentication

    EMPLOYEE
    Posted Jul 22, 2013 08:27 AM

    You would build multiple enforcement profiles that return the Aruba User VLAN VSA. You could also return a user-role that has a VLAN assigned to it in the controller.

    [Screenshot: CP-enforce-vlan-vsa.png]



  • 3.  RE: CPPM RADIUS Authentication

    Posted Jul 23, 2013 08:08 AM

    Thanks for the reply. But it is still not clear to me. A user joins SSID "abc" using his Active Directory user ID, and I want ClearPass to give him a role/VLAN based on his user ID (staff and executive having different VLANs). CPPM cannot differentiate users because the users are in AD. There should be some sort of mechanism so that the RADIUS server can differentiate users and return some string or value which could be used by CPPM in the enforcement policy.



  • 4.  RE: CPPM RADIUS Authentication

    Posted Jul 23, 2013 09:12 AM

    You can do the following:

    You need to make sure CPPM is already part of the domain and is able to read attributes from AD. If this is already set up, just follow these steps.

    Create a Role Mapping
    [Screenshot: Screen Shot 2013-07-23 at 8.18.24 AM.png]

    Then add the rules that will match in AD
    [Screenshot: Screen Shot 2013-07-23 at 8.19.52 AM.png]

    Create a role
    [Screenshot: Screen Shot 2013-07-23 at 8.21.57 AM.png]

    Create an enforcement profile
    [Screenshot: Screen Shot 2013-07-23 at 8.24.24 AM.png]

    Add the attributes that you want to match: VLAN and USER-ROLE created in the controller
    [Screenshot: Screen Shot 2013-07-23 at 9.05.36 AM.png]

    Create an enforcement policy and add the enforcement profile already created
    [Screenshot: Screen Shot 2013-07-23 at 8.25.29 AM.png]

    Add the rules to the enforcement policy to match the Role you created under CPPM (AD Test Group)
    [Screenshot: Screen Shot 2013-07-23 at 8.32.43 AM.png]

    And finally add this role to the Service
    [Screenshot: Screen Shot 2013-07-23 at 8.36.58 AM.png]
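The flow described in replies 2 and 4 (AD attributes, then role-mapping rules giving a CPPM role, then an enforcement policy picking an enforcement profile whose RADIUS attributes carry the VLAN and controller user-role) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not ClearPass code and not anything the posters shared. The group DNs, VLAN IDs, user-role names, profile names and the sample directory are all constructed assumptions. It also shows two points the screenshots do not: a user in both groups is resolved by rule order (VIP first), and a user whose groups match no rule is rejected rather than dropped into some VLAN by default.

```python
"""Model of the ClearPass-style authorization flow discussed in this thread.

Added example, not ClearPass code: after AD authentication succeeds, the
user's directory attributes are run through role-mapping rules to obtain CPPM
roles, the enforcement policy selects an enforcement profile for those roles,
and the profile's RADIUS attributes are what the controller (NAS) receives in
the Access-Accept. All names, VLAN IDs and the directory are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EnforcementProfile:
    """RADIUS attributes returned to the controller in the Access-Accept."""
    name: str
    attributes: dict


# Enforcement profiles: standard RFC 3580 tunnel attributes for the VLAN plus
# the Aruba-User-Role VSA so the controller applies a firewall role as well.
# Profile names, VLAN IDs and role names are assumptions for this example.
PROFILES = {
    "VIP-Access": EnforcementProfile("VIP-Access", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": "100",     # assumed VIP VLAN
        "Aruba-User-Role": "vip-employee",    # assumed unfiltered controller role
    }),
    "Staff-Access": EnforcementProfile("Staff-Access", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": "200",     # assumed staff VLAN
        "Aruba-User-Role": "staff-employee",  # assumed filtered controller role
    }),
}

# Role mapping rules: (AD attribute, group DN, CPPM role). The DN is compared
# whole and case-insensitively, so a similarly named group such as
# "VIP-Users-Contractors" cannot satisfy the VIP rule by substring.
ROLE_MAPPING = [
    ("memberOf", "CN=VIP-Users,OU=Groups,DC=example,DC=com", "VIP"),
    ("memberOf", "CN=Staff,OU=Groups,DC=example,DC=com", "Staff"),
]

# Enforcement policy rules, evaluated top-down, first match wins: a user in
# both groups gets the VIP profile. No match falls through to a reject, so a
# user AD can authenticate but no rule covers is not quietly handed a VLAN.
ENFORCEMENT_POLICY = [
    ("VIP", "VIP-Access"),
    ("Staff", "Staff-Access"),
]


def map_roles(ad_attrs):
    """Return the set of CPPM roles whose mapping rules match the AD attributes."""
    roles = set()
    for attr, group_dn, role in ROLE_MAPPING:
        values = [v.lower() for v in ad_attrs.get(attr, [])]
        if group_dn.lower() in values:
            roles.add(role)
    return roles


def select_profile(roles):
    """Apply the enforcement policy; None means no rule matched."""
    for role, profile_name in ENFORCEMENT_POLICY:
        if role in roles:
            return PROFILES[profile_name]
    return None


def authorize(username, directory):
    """Decide the RADIUS response for a user whose AD password check passed.

    Returns (code, attributes); attributes is empty for a reject.
    """
    ad_attrs = directory.get(username)
    if ad_attrs is None:  # unknown to the authentication source
        return ("Access-Reject", {})
    profile = select_profile(map_roles(ad_attrs))
    if profile is None:
        return ("Access-Reject", {})
    return ("Access-Accept", dict(profile.attributes))


# Constructed directory standing in for the AD lookups ClearPass performs.
DIRECTORY = {
    "alice": {"memberOf": ["CN=VIP-Users,OU=Groups,DC=example,DC=com"]},
    "bob":   {"memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
    "carol": {"memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com",
                           "CN=VIP-Users,OU=Groups,DC=example,DC=com"]},
    "dave":  {"memberOf": ["CN=VIP-Users-Contractors,OU=Groups,DC=example,DC=com"]},
}


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, authorize(user, DIRECTORY))
```

Running it prints one decision per constructed user: alice and carol land in VLAN 100 with the vip-employee role, bob in VLAN 200 with staff-employee, and dave is rejected because his group only resembles the VIP group by name. In ClearPass the same outcome comes from the order of the enforcement policy rules and from leaving the policy's default action at deny.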