Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Restricting captive portal to 802.1x devices

  • 1.  Restricting captive portal to 802.1x devices

    Posted Jun 28, 2018 03:42 AM

    Setup: Two SSIDs, one is 802.1x for corp devices and another is Captive Portal for guest.

     

    Requirement: 802.1x connected devices should not get the captive portal if they try to connect to the guest network.

     

    Tried a solution where Endpoint attributes are created and rules applied to restrict/deny the connection, but a guest account is getting created in the guest database before access is denied. This guest account should not be created even though access is getting denied. Is there any way to restrict the captive portal?



  • 2.  RE: Restricting captive portal to 802.1x devices

    Posted Jun 28, 2018 04:24 AM

    This is very easy to accomplish.

     

    When on 802.1x - you need to update the endpoint with a new attribute type "isCorpDevice" = true.

     

    For Guest auth you have to use endpoint database as authorization source, and add a test for "isCorpDevice" = true, then trigger a profile that denies access or whatever you want done.



  • 3.  RE: Restricting captive portal to 802.1x devices

    Posted Jun 28, 2018 05:22 AM

    Thanks John for the reply.

     

    The suggestion works. We were able to restrict access, but every time a corp device tries to register as guest, a new guest account is getting created. The network restriction happens after guest registration. So we want to restrict the registration page.

     

    Any solution?



  • 4.  RE: Restricting captive portal to 802.1x devices
    Best Answer

    Posted Jun 28, 2018 06:54 AM
    Your goal is to avoid corp devices landing on the ClearPass Captive Portal, right?

    Guest networks usually have mac-auth. It is here you need to return a different role instead of just denying access. Deny access means your device gets the default guest-logon role.

    So - create a new role on the controller that doesn't have Captive Portal, create a cp policy for it and return this one in your macauth service for corp devices.

    Would that work?
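
The flow described in reply 4, as an added example that is not part of the original thread and is not ClearPass or controller code: a small Python model showing why a MAC-auth deny still leads to a guest account, while returning a role without captive portal does not. The role name `corp-no-portal`, the MAC addresses and all function names are hypothetical.

```python
# Simplified model of the guest-SSID flow from this thread (added example).
# Role names other than guest-logon, MACs and functions are hypothetical.

ENDPOINTS = {  # constructed endpoint database: MAC -> attributes
    "aa:bb:cc:00:00:01": {"isCorpDevice": True},  # tagged earlier on the 802.1x SSID
    "aa:bb:cc:00:00:02": {},                       # ordinary guest device
}

# Controller roles: is a captive portal attached to the role?
ROLES = {
    "guest-logon": {"captive_portal": True},      # default role on the guest SSID
    "corp-no-portal": {"captive_portal": False},  # new role without captive portal
}
INITIAL_ROLE = "guest-logon"


def mac_auth(mac, policy):
    """MAC-auth service on the guest SSID. Returns (result, role)."""
    is_corp = ENDPOINTS.get(mac, {}).get("isCorpDevice") is True
    if is_corp and policy == "return-role":
        return ("accept", "corp-no-portal")
    # policy == "deny" for corp devices, and unknown guests, both end in a reject
    return ("reject", None)


def connect_and_try_register(mac, policy, guest_db):
    """Connect to the guest SSID, then attempt guest self-registration."""
    result, role = mac_auth(mac, policy)
    # A rejected MAC-auth leaves the client in the SSID's default role.
    effective = role if result == "accept" else INITIAL_ROLE
    if ROLES[effective]["captive_portal"]:
        guest_db.append(mac)  # registration page reachable: account gets created
    return effective


def run(policy):
    """Run both sample devices through one policy; return roles and guest DB."""
    guest_db = []
    roles = {m: connect_and_try_register(m, policy, guest_db) for m in ENDPOINTS}
    return roles, guest_db


if __name__ == "__main__":
    for policy in ("deny", "return-role"):
        print(policy, run(policy))
```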


  • 5.  RE: Restricting captive portal to 802.1x devices

    Posted Jun 28, 2018 07:46 AM

    This is the exact solution we required. Thanks, John.