07-22-2013 04:33 AM
We want to accomplish the following with ClearPass:
Users coming from the employee SSID need to get different VLANs on the basis of conditions.
The purpose is to allow all content (fb, youtube, etc.) for VIP users while others will get blocked access. We have done it with different SSIDs but we want to do it in one SSID. We will use Cisco ACS and ClearPass to get it done.
Any suggestions, please...
Thanks & Regards
07-22-2013 05:27 AM
You would build multiple enforcement profiles that return the Aruba User VLAN VSA. You could also return a user-role that has a VLAN assigned to it in the controller.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
07-23-2013 05:08 AM
Thanks for the reply. But it is still not clear to me. A user joins SSID "abc" using his Active Directory user ID; I want ClearPass to give him a role/VLAN based on his user ID (staff and executives having different VLANs). CPPM cannot differentiate users because users are in AD. There should be some sort of mechanism so that the RADIUS server can differentiate users and return some string or value which could be used by CPPM in the enforcement policy.
07-23-2013 06:11 AM - edited 07-24-2013 08:50 AM
You can do the following:
You need to make sure CPPM is already part of the domain and is able to read attributes from AD. If this is already set up, just follow these steps:
Create a Role Mapping
Then add the rules that will match in AD
Create a role
Create an enforcement profile
Add the attributes that you want to match VLAN and USER-ROLE created in the controller
Create an enforcement policy and add the enforcement profile already created
Add the rules to the enforcement policy to match the Role you created under CPPM (AD Test Group)
And finally, add this role to the Service
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA