MVP
Posts: 286
Registered: ‎11-04-2008

Headless Authentication in CPPM 6.3 Guest

Hello,

I am using CPPM 6.3.1 and want to create authentication for a printer, or any headless device.

First I create the device in Guest:

1.png

 

In CPPM Authentication Sources only [Guest Device Repository] and [Guest User Repository] are used. 

Assign role TIPS-HEADLESS if SponsorName EXIST  

2.png

 

Enforcement to return the HEADLESS role to controller

3.png

 

PROBLEM: the printer has never hit the TIPS-HEADLESS role

4.png

Thanks.

 

 

 

~Trinh Nguyen~
Boys Town
Guru Elite
Posts: 8,003
Registered: ‎09-08-2010

Re: Headless Authentication in CPPM 6.3 Guest

You need to do the guest device repository on a RADIUS MAC authentication
service. Do you have a MAC check service?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 286
Registered: ‎11-04-2008

Re: Headless Authentication in CPPM 6.3 Guest

Tim,

Thanks for the quick reply. Yes, that is my problem. MAC AUTH added, and it works!!!!

Capture.PNG

 

~Trinh Nguyen~
Boys Town
Guru Elite
Posts: 8,003
Registered: ‎09-08-2010

Re: Headless Authentication in CPPM 6.3 Guest

You should really separate out your MAC auth and web auth into separate
services.

You can use the service template "guest access with MAC caching" to do
this.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 286
Registered: ‎11-04-2008

Re: Headless Authentication in CPPM 6.3 Guest

Tim,

I very much appreciate your advice. If you don’t mind, I’d like to follow up with a question: I am using Guest to connect and authorize a wireless printer. Can I move the printer to a different VLAN after it has been authenticated?

 

Best Regards,

 

~Trinh Nguyen~
Boys Town
Guru Elite
Posts: 8,003
Registered: ‎09-08-2010

Re: Headless Authentication in CPPM 6.3 Guest

With a MAC auth, yes.

 

There are two ways of doing this:

 

1) Create a printer user-role on the controller and attach a VLAN to it.

2) Return a VLAN ID or VLAN name with an enforcement profile in your enforcement policy.

 

 


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 286
Registered: ‎11-04-2008

Re: Headless Authentication in CPPM 6.3 Guest

Score again.  Thanks Tim.

 

I use #2, return VLAN ID from CPPM. First an attribute "Aruba-User-Vlan" must be added to the server group at the controller, then add the VLAN ID to the Enforcement profile. Works like a champ!!!

vlan.PNG

 

~Trinh Nguyen~
Boys Town
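
To confirm from a packet capture which role and VLAN the enforcement profile actually returned for a MAC-authenticated device, the attribute section of the RADIUS Access-Accept can be decoded. The following is an added example, not part of the thread and not Aruba's code. Assumptions: vendor ID 14823 and sub-attribute numbers 1 (Aruba-User-Role) and 2 (Aruba-User-Vlan) follow the public FreeRADIUS `dictionary.aruba`; the role name, VLAN 120 and the sample bytes are constructed.

```python
import struct

ARUBA_VENDOR_ID = 14823   # Aruba enterprise number (assumption: FreeRADIUS dictionary.aruba)
VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type (RFC 2865)
ARUBA_USER_ROLE = 1       # string sub-attribute (assumption: dictionary.aruba)
ARUBA_USER_VLAN = 2       # 32-bit integer sub-attribute (assumption: dictionary.aruba)

def aruba_vsa(vendor_type, value):
    """Encode one Aruba sub-attribute wrapped in a Vendor-Specific attribute."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def parse_aruba_vsas(attrs):
    """Walk raw RADIUS attribute bytes and return the Aruba role/VLAN found."""
    found, i = {}, 0
    while i < len(attrs):
        # Each attribute is type(1) + length(1) + value; length covers all three.
        if len(attrs) - i < 2 or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute length")
        atype, alen = attrs[i], attrs[i + 1]
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue  # not a VSA, or too short to hold vendor ID + sub-attribute
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue  # another vendor's VSA
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed sub-attribute length")
            data = value[j + 2:j + vlen]
            j += vlen
            if vtype == ARUBA_USER_ROLE:
                found["Aruba-User-Role"] = data.decode("utf-8", "replace")
            elif vtype == ARUBA_USER_VLAN and len(data) == 4:
                found["Aruba-User-Vlan"] = struct.unpack("!I", data)[0]
    return found

# Constructed sample: attribute section of an Access-Accept for a printer.
SAMPLE = (aruba_vsa(ARUBA_USER_ROLE, b"HEADLESS")
          + bytes([27, 6]) + struct.pack("!I", 3600)   # Session-Timeout, skipped
          + aruba_vsa(ARUBA_USER_VLAN, struct.pack("!I", 120)))

if __name__ == "__main__":
    print(parse_aruba_vsas(SAMPLE))
```

If the decoded Access-Accept carries no Aruba-User-Vlan, the enforcement profile did not send it, and the controller will place the device according to its own role or VLAN configuration.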