Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass scenario question

  • 1.  ClearPass scenario question

    Posted Nov 14, 2016 08:15 PM

    This client has got 3 SSIDs:

    Staff (WPA2 Enterprise, EAP-PEAP)

    BYOD (which is student personal devices)

    Guest

    Right now they are authenticating students' personal devices with ClearPass Guest on the BYOD SSID.

    They would like to add teachers' personal devices now. I cannot add it to the BYOD students because they need to be in a different VLAN....

    And as far as I know I cannot do derived VLAN unless I'm doing L2 authentication, and I'm doing L3 authentication.

    Staff VLAN 10

    BYOD is on VLAN 11

    Guest is on VLAN 12

    They would like to add teachers' personal devices on VLAN 13

    What would you recommend in this case which won't cost too much, if it's possible, that maintains just 3 SSIDs? The easiest one would be just adding a 4th SSID, I guess, and maybe authenticating those devices with ClearPass Guest also. But we don't want to add another SSID.

    Cheers

    Carlos



  • 2.  RE: ClearPass scenario question

    Posted Nov 14, 2016 08:29 PM
    You can reuse the same Staff SSID for BYOD.
    If you already know what the school-owned devices for staff are, then everything else could be treated as BYOD and use a different user-role/VLAN (you could use the onboarding process).

    If needed you can use an MDM solution, if the customer has one, to allow devices already registered, or use an AD membership to allow certain folks to use BYOD devices.







  • 3.  RE: ClearPass scenario question

    Posted Nov 14, 2016 08:31 PM

    So I would just need to purchase an Onboard license for the teachers' personal devices?

    What modifications do I need to make to the captive portal of the students?

     



  • 4.  RE: ClearPass scenario question

    Posted Nov 14, 2016 08:44 PM
    It depends on what the customer is looking to do.

    ClearPass Onboard allows the users to self-provision/configure their BYOD devices for EAP-TLS (certificate-based auth), and ClearPass acts as a Certificate Authority and pushes a unique certificate to each device.

    Advantages to this method:
    - more secure
    - users won't lock their AD accounts by typing the wrong password, since the device will be using certificate-based authentication
    - IT admins can deny access by revoking the cert on the device

    Ideally you want to do a dual-SSID onboard process where you can place a link to the onboarding page in the guest captive portal page, and once the user completes the process the device will be configured to use 802.1X (EAP-TLS).





  • 5.  RE: ClearPass scenario question

    Posted Nov 14, 2016 09:35 PM

    So is it possible to do something like this:

    Use the captive portal I'm using already for students' BYOD.

    In that captive portal I would have:

    Sign in

    User name:

    Password

    Below that I would have 2 links:

    First link: New student?? This link would redirect to the normal self-service captive portal they already have.

    Second link: New teacher?? This link would send them to the ClearPass onboarding process.

    For the Staff SSID

    I would change this from EAP-PEAP to EAP-TLS.

    When the teacher finishes the onboarding process it would connect him to the Staff SSID.

    Here I have a question:

    If they do not want to buy an Onboard license for teachers' devices AND school devices, it is possible to just buy the Onboard license for teachers' devices only, right?

    For the school-owned devices I guess they would need to manually put the certificate on the users' devices, or it's possible to use a Microsoft CA (all the school devices are on the AD, so I could send the certificates via AD policy)....

    So in the end I don't know if I can use a CA for the teachers' personal devices (that would be the ClearPass) and a Microsoft CA for school devices (in which I can send the certificates via AD).

    Both devices will be connecting to one SSID, that would be the Staff SSID.

    Also I would need a rule that if it's a teacher's personal device, use VLAN 11,

    and school devices to VLAN 12, for example.

    Is all this possible?

    Or would there be a better way?

    I believe that if he just has to buy the Onboard license only for teacher-owned devices that would be OK for the client.

    Cheers

    Carlos



  • 6.  RE: ClearPass scenario question

    Posted Nov 14, 2016 09:52 PM
    Below that I would have 2 links:

    First link: New student?? This link would redirect to the normal self-service captive portal they already have.

    Second link: New teacher?? This link would send them to the ClearPass onboarding process.

    That's correct.



    For the Staff SSID

    I would change this from EAP-PEAP to EAP-TLS.

    You can support both if you need to.



    When the teacher finishes the onboarding process it would connect him to the Staff SSID.



    Here I have a question:

    If they do not want to buy an Onboard license for teachers' devices AND school devices, it is possible to just buy the Onboard license for teachers' devices only, right?

    Correct, you can use AD membership.



    For the school-owned devices I guess they would need to manually put the certificate on the users' devices, or it's possible to use a Microsoft CA (all the school devices are on the AD, so I could send the certificates via AD policy)....

    So in the end I don't know if I can use a CA for the teachers' personal devices (that would be the ClearPass) and a Microsoft CA for school devices (in which I can send the certificates via AD).

    Both devices will be connecting to one SSID, that would be the Staff SSID.

    If those are Windows domain devices you can use the auto-cert enrollment (AD CS), or just use PEAP for school-owned devices and only use TLS/Onboarding for BYOD.



    Also I would need a rule that if it's a teacher's personal device, use VLAN 11,

    and school devices to VLAN 12, for example.



    Is all this possible?

    Or would there be a better way?

    Yes, it is possible.
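As an added illustration of the enforcement logic the replies describe (one Staff SSID, Onboard-issued EAP-TLS certificates for teachers' own devices, AD CS or PEAP for school-owned devices, AD group membership as the gate, and a VLAN picked per device class), here is a small Python model. This is example code written for this thread, not ClearPass's own policy engine or API: the attribute names, the issuer DNs, the AD group names and the device inventory are all constructed, and the VLAN numbers follow the original post (teacher BYOD on 13, school-owned on 10).

```python
"""Toy model of the ClearPass enforcement decision discussed in the thread.

Constructed example: attribute names, issuer DNs, group names and the device
inventory are assumptions, not ClearPass's real attributes or API.
"""
from dataclasses import dataclass
from typing import Optional

# VLAN plan from the original post: school-owned on 10, teacher BYOD on 13.
VLAN_SCHOOL_OWNED = 10
VLAN_TEACHER_BYOD = 13

# Hypothetical issuer names for the two CAs discussed in the thread.
ONBOARD_CA = "CN=ClearPass Onboard CA"   # issues certs to teachers' own devices
ADCS_CA = "CN=School Issuing CA"         # Microsoft AD CS, auto-enrolled school devices

# Constructed directory data standing in for an AD group lookup.
AD_GROUPS = {
    "jdoe": {"Teachers"},
    "asmith": {"Teachers", "IT-Admins"},
    "student1": {"Students"},
}

# Constructed Onboard device inventory: certificate serial -> (owner, revoked?).
ONBOARD_DEVICES = {
    "1001": ("jdoe", False),
    "1002": ("asmith", True),   # an admin revoked this device's certificate
}


@dataclass
class Request:
    """Attributes the authenticator/EAP method would hand to the policy engine."""
    username: str
    auth_method: str            # "EAP-TLS" or "EAP-PEAP"
    cert_issuer: str = ""       # EAP-TLS only
    cert_serial: str = ""       # EAP-TLS only
    machine_auth: bool = False  # PEAP computer-account (machine) authentication


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int] = None
    reason: str = ""


def evaluate(req: Request) -> Decision:
    """Default-deny enforcement: every accept path is explicit."""
    groups = AD_GROUPS.get(req.username, set())

    if req.auth_method == "EAP-TLS":
        if req.cert_issuer == ONBOARD_CA:
            entry = ONBOARD_DEVICES.get(req.cert_serial)
            if entry is None:
                return Decision(False, reason="unknown Onboard certificate")
            owner, revoked = entry
            if revoked:
                return Decision(False, reason="certificate revoked")
            if owner != req.username:
                return Decision(False, reason="certificate/user mismatch")
            if "Teachers" not in groups:
                return Decision(False, reason="user not in Teachers group")
            return Decision(True, VLAN_TEACHER_BYOD, "onboarded teacher device")
        if req.cert_issuer == ADCS_CA:
            return Decision(True, VLAN_SCHOOL_OWNED, "AD CS auto-enrolled school device")
        return Decision(False, reason="untrusted certificate issuer")

    if req.auth_method == "EAP-PEAP":
        # PEAP kept only for school-owned devices: require machine auth rather
        # than a bare user password, so a personal device cannot land on VLAN 10.
        if req.machine_auth:
            return Decision(True, VLAN_SCHOOL_OWNED, "domain-joined machine auth")
        return Decision(False, reason="PEAP user auth without machine auth")

    return Decision(False, reason="unsupported auth method")


if __name__ == "__main__":
    for r in (
        Request("jdoe", "EAP-TLS", ONBOARD_CA, "1001"),
        Request("asmith", "EAP-TLS", ONBOARD_CA, "1002"),
        Request("lab-pc$", "EAP-PEAP", machine_auth=True),
        Request("jdoe", "EAP-PEAP"),
    ):
        print(r.username, r.auth_method, evaluate(r))
```

The point of the ordering is that the issuer check comes first and each issuer maps to exactly one device class, so a certificate from any other CA, or a revoked Onboard certificate, is rejected before any VLAN is considered; this mirrors the "revoke the cert to deny access" advantage mentioned earlier in the thread.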