We have a ClearPass deployment where we have an internal VLAN with unlimited access to all RFC1918 addresses and a Guest VLAN which only provides access to the internet.
What we want to do is:
- When a domain-joined computer joins the "corp" SSID, the domain-joined computer gets assigned the internal VLAN
- When a non-domain-joined laptop, phone or tablet owned by an employee joins the "corp" SSID, it gets assigned the Guest VLAN, or a different VLAN of our choice.
- People outside the organisation still connect to the Guest SSID and get the Guest VLAN - unchanged
We don't want to set up a complicated BYOD configuration; all we want to achieve is the above. What's the simplest, most effective way to ensure that if an employee joins their device to the corp SSID, they get assigned a different VLAN?