Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to set up a ClearPass policy to ensure BYOD devices don't get access to internal VLAN

  • 1.  How to set up a ClearPass policy to ensure BYOD devices don't get access to internal VLAN

    Posted Apr 10, 2018 10:52 PM

    We have a ClearPass deployment where we have an internal VLAN with unlimited access to all RFC1918 addresses and a Guest VLAN which only provides access to the internet. 


    What we want to do is:

    - When a domain joined computer joins the "corp" SSID, the domain joined computer gets assigned the internal VLAN

    - When a non-domain joined laptop, phone, tablet owned by an employee joins the "corp" SSID, they get assigned the Guest VLAN, or a different VLAN of our choice.

    - People outside the organisation still connect to the Guest SSID and get the Guest VLAN - unchanged


    We don't want to set up a complicated BYOD configuration; all we want to achieve is the above. What's the simplest, most effective way to ensure that if an employee joins their device to the corp SSID, they get assigned a different VLAN?




  • 2.  RE: How to set up a ClearPass policy to ensure BYOD devices don't get access to internal VLAN

    EMPLOYEE
    Posted Apr 10, 2018 11:04 PM
    How will you be determining what is a corporate device vs personal?


  • 3.  RE: How to set up a ClearPass policy to ensure BYOD devices don't get access to internal VLAN

    Posted Apr 11, 2018 12:12 AM

    If they have a domain joined machine, we want ClearPass to recognise that it's joined to the domain and assign it the right VLAN. If the user tries to type in their domain\username and password credentials we want to make sure they can't get assigned the unrestricted VLAN. 



  • 4.  RE: How to set up a ClearPass policy to ensure BYOD devices don't get access to internal VLAN

    Posted Apr 11, 2018 05:16 PM

    I am open to any other ideas as well as long as it helps achieve the goal stated.



  • 5.  RE: How to set up a ClearPass policy to ensure BYOD devices don't get access to internal VLAN
    Best Answer

    EMPLOYEE
    Posted Apr 12, 2018 03:31 AM

    One option is doing Machine Authentication, where CPPM will check if the machine is in the domain. In this case, CPPM will tag this authentication with the ROLE "Machine Authenticated". You can use this role in the Enforcement Profile to assign the computer to the internal VLAN. In this case, you have to enable machine authentication in the supplicants.

    The other option is to distribute certificates to corporate computers and use them to authenticate corporate devices. You'll check these certificates in the authentication process and allow them onto the internal VLAN.
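As an added illustration (not code from this thread, from HPE or from ClearPass itself), the Python sketch below models both options from this answer as a toy RADIUS policy engine: a cache of MAC addresses that completed machine authentication, so that a later user login from the same device is tagged `[Machine Authenticated]` and a domain login from an uncached personal device is not, plus an EAP-TLS issuer check standing in for the certificate option. The VLAN IDs, CA name, usernames and MAC addresses are constructed placeholders.

```python
"""Toy model of the two ClearPass policy options: machine authentication
with a per-device cache, and corporate client certificates.

Constructed example, not ClearPass code. All identifiers below
(VLAN IDs, CA name, usernames, MACs) are hypothetical placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

INTERNAL_VLAN = 100          # hypothetical VLAN for domain-joined / corporate devices
GUEST_VLAN = 200             # hypothetical internet-only VLAN
CORP_CA = "CN=Corp Issuing CA"   # hypothetical issuer DN of the corporate device CA


@dataclass
class AuthRequest:
    ssid: str                  # "corp" or "guest"
    mac: str                   # Calling-Station-Id of the client
    username: str              # "host/PC01.corp.example" for machine auth, "corp\\alice" for users
    password_ok: bool = False  # result of the password check against the domain
    cert_issuer: Optional[str] = None  # issuer DN of an EAP-TLS client certificate, if any


@dataclass
class PolicyEngine:
    # MACs that passed machine authentication; in a real deployment this cache expires
    machine_auth_cache: Set[str] = field(default_factory=set)

    def roles(self, req: AuthRequest) -> Set[str]:
        """Derive role tags from the request, as an enforcement policy would."""
        roles: Set[str] = set()
        if req.username.startswith("host/") and req.password_ok:
            # Computer account authenticated: tag it and remember the device.
            roles.add("[Machine Authenticated]")
            self.machine_auth_cache.add(req.mac)
        elif req.password_ok:
            roles.add("[User Authenticated]")
            if req.mac in self.machine_auth_cache:
                # Same device already did machine auth, so the user login inherits the tag.
                roles.add("[Machine Authenticated]")
        if req.cert_issuer == CORP_CA:
            # Certificate option: only certs issued by the corporate CA count.
            roles.add("Corporate Certificate")
        return roles

    def evaluate(self, req: AuthRequest) -> Optional[int]:
        """Return the VLAN to assign, or None to reject the request."""
        if req.ssid == "guest":
            return GUEST_VLAN      # guest SSID stays unchanged: always the guest VLAN
        if req.ssid != "corp":
            return None
        roles = self.roles(req)
        if not roles:
            return None            # bad password and no corporate certificate: reject
        if "[Machine Authenticated]" in roles or "Corporate Certificate" in roles:
            return INTERNAL_VLAN
        # Valid domain credentials on a device that never did machine auth
        # and has no corporate certificate: this is the BYOD case.
        return GUEST_VLAN


def demo() -> dict:
    """Walk through the scenarios from the thread with constructed requests."""
    eng = PolicyEngine()
    return {
        "pc01_machine_auth": eng.evaluate(
            AuthRequest("corp", "aa:bb:cc:00:00:01", "host/PC01.corp.example", password_ok=True)),
        "alice_on_pc01": eng.evaluate(
            AuthRequest("corp", "aa:bb:cc:00:00:01", "corp\\alice", password_ok=True)),
        "alice_on_personal_phone": eng.evaluate(
            AuthRequest("corp", "aa:bb:cc:00:00:02", "corp\\alice", password_ok=True)),
        "pc02_corporate_cert": eng.evaluate(
            AuthRequest("corp", "aa:bb:cc:00:00:03", "PC02.corp.example", cert_issuer=CORP_CA)),
        "bob_wrong_password": eng.evaluate(
            AuthRequest("corp", "aa:bb:cc:00:00:04", "corp\\bob", password_ok=False)),
        "visitor_on_guest": eng.evaluate(
            AuthRequest("guest", "aa:bb:cc:00:00:05", "", password_ok=False)),
    }


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name}: {'REJECT' if vlan is None else 'VLAN ' + str(vlan)}")
```

The point the model makes explicit is the one the original poster asked about: typing valid `domain\username` credentials is never enough on its own to reach the internal VLAN; the device must either have completed machine authentication from that same MAC or present a certificate from the corporate CA. In a real ClearPass deployment the machine-authentication cache is time-limited, so a device that has not rebooted or re-authenticated its computer account for longer than the cache lifetime falls back to the guest VLAN until it does.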