07-31-2013 12:14 PM
I got a requirement from a company that wants the following:
If the computer is on Active Directory, he has a role which can access everything.
If the user has a tablet with Android or a smartphone, with his AD user and password he just gets internet.
I know how to do this, but my issue is the following: I know how to do it by operating system...
If it's Android or iOS, well, just the role of just internet.
If it's Windows, then allow it to the internal network.
But then if he comes with a Windows 8 tablet or Windows 7 tablet, a personal one, then he will have access.
How can I make it so that just the laptops that are on Active Directory are the ones that can have access to the internal network...
and if the client brings a personal computer that is Windows 7, he does not have access, maybe just access to internet...
I think it can be done, but what parameters should I use on the service so it can be done correctly?
Product Manager - Aruba Networks
07-31-2013 12:33 PM
You can definitely do this.
We are currently doing something similar where we match an AD group in combination with the device type and place it in a Role/VLAN on the controller, and we are still using the same SSID/ClearPass service.
You can use a combination of this:
With this:
And you can create a role mapping matching the Win 7 or Win 8 devices, and you can place these in different roles in the controller.
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
07-31-2013 07:02 PM - edited 07-31-2013 07:10 PM
On top of the AOS device type, you can also reference the ClearPass endpoint profiling data:
You could also do machine authentication which can authenticate the computer against AD instead of or along with the user.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
08-20-2013 07:26 PM
If you are talking only Domain Computers having full access, then you can use the [Machine Authenticated] attribute. Since personal devices are most likely not going to be joined to the domain, that would eliminate them as [Machine Authenticated] right off the bat without any worry about ensuring that the device has been profiled.
Jeremy R. Wirtz
WLAN Systems Engineer
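
A small Python model of the [Machine Authenticated] approach suggested in the last reply, added here as an illustration; it is not ClearPass configuration and not code from anyone in the thread. The controller role names (`full-access`, `internet-only`, `deny`), the 24-hour per-MAC memory of a machine authentication, and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass

CACHE_SECONDS = 24 * 3600          # assumption: per-MAC machine-auth memory window
FULL, INTERNET, DENY = "full-access", "internet-only", "deny"  # hypothetical roles

@dataclass
class Request:
    mac: str
    identity: str      # "host/..." = machine account, anything else = user
    ad_ok: bool        # AD accepted the credentials
    os_family: str     # profiling result; deliberately unused by the policy
    ts: int            # seconds since an arbitrary start

class Policy:
    def __init__(self):
        self.machine_seen = {}     # mac -> time of last good machine auth

    def roles(self, r):
        """Authentication roles for one request."""
        if not r.ad_ok:
            return set()
        if r.identity.startswith("host/"):
            self.machine_seen[r.mac] = r.ts
            return {"[Machine Authenticated]"}
        out = {"[User Authenticated]"}
        last = self.machine_seen.get(r.mac)
        if last is not None and r.ts - last <= CACHE_SECONDS:
            out.add("[Machine Authenticated]")
        return out

    def enforce(self, r):
        """First match wins: machine auth decides, OS never does."""
        got = self.roles(r)
        if "[Machine Authenticated]" in got:
            return FULL
        return INTERNET if "[User Authenticated]" in got else DENY

def demo():
    """Constructed sample requests, evaluated in time order."""
    p = Policy()
    reqs = [
        Request("aa:aa", "host/PC01.corp.example", True, "Windows", 0),  # domain laptop boots
        Request("aa:aa", "alice", True, "Windows", 60),      # alice logs on to it
        Request("bb:bb", "alice", True, "Windows", 120),     # her personal Win 7 laptop
        Request("cc:cc", "alice", True, "Android", 180),     # her phone
        Request("dd:dd", "mallory", False, "Windows", 240),  # AD rejects credentials
        Request("aa:aa", "alice", True, "Windows", CACHE_SECONDS + 1),  # machine auth aged out
    ]
    return [p.enforce(r) for r in reqs]

if __name__ == "__main__":
    print(demo())
```

The personal Windows 7 laptop and the Android phone land in the same role even though their profiled OS differs, and the domain laptop drops to internet-only once its machine authentication has aged out of the assumed window.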