Occasional Contributor II
Posts: 31
Registered: ‎03-11-2014

Open Guest SSID with Captive Portal

Our guest network is currently configured as an open SSID with a captive portal. If a user is within range, their device tries to connect to the SSID. So in ClearPass Access Tracker, it shows several guest devices showing repeat rejections every few seconds, and they continue until they open the captive portal and authenticate. The reason this setup was created initially was for ease of management. We have two different guest SSIDs hitting a single service in ClearPass. If you're an employee, you can log in with your AD creds. If you're a guest, we have a temp guest login that expires after 24 hours, and we change the password monthly within ClearPass.

 

I am wondering if there's a better way to lock down the guest account to keep the several transactions from generating within Access Tracker and creating an unnecessary load on the server without adding the extra management.

Guru Elite
Posts: 8,171
Registered: ‎09-08-2010

Re: Open Guest SSID with Captive Portal

If you are doing captive portal auth with MAC-caching, there is no way to avoid the initial rejects for unknown users. 


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 31
Registered: ‎03-11-2014

Re: Open Guest SSID with Captive Portal

The initial rejects I understand.  I am more focused on the repeat rejects.  Each device keeps retrying every few seconds.  If it tries once and stops, then I would be pleased.

Guru Elite
Posts: 8,171
Registered: ‎09-08-2010

Re: Open Guest SSID with Captive Portal

Does the device get the captive portal immediately after associating? 


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 31
Registered: ‎03-11-2014

Re: Open Guest SSID with Captive Portal

As soon as they manually open a browser.  Some users don't actually connect to the SSID, they just have their devices within the range such as their smartphone or tablet.  They may not be using it, but it's still trying to authenticate to the open SSID.
