Occasional Contributor I

Restricting captive portal to 802.1x devices

Setup: Two SSIDs, one is 802.1x for corp devices and another is Captive Portal for guest.

Requirement: 802.1x-connected devices should not get the captive portal if they try to connect to the guest network.

Tried a solution where Endpoint attributes are created and rules applied to restrict/deny the connection, but a guest account is getting created before denying access in the guest database. This guest account should not be created even though access is getting denied. Is there any way to restrict the captive portal?

MVP

Re: Restricting captive portal to 802.1x devices

This is very easy to accomplish.

 

When on 802.1x - you need to update the endpoint with a new attribute type "isCorpDevice" = true.

 

For Guest auth you have to use endpoint database as authorization source, and add a test for "isCorpDevice" = true, then trigger a profile that denies access or whatever you want done.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Occasional Contributor I

Re: Restricting captive portal to 802.1x devices

Thanks, John, for the reply.

The suggestion works. We were able to restrict access, but every time a corp device tries to register as guest, a new guest account is getting created. The network restriction happens after guest registration. So we want to restrict the registration page.

Any solution?

MVP

Re: Restricting captive portal to 802.1x devices

Your goal is to avoid corp devices landing on the ClearPass Captive Portal, right?

Guest networks usually have mac-auth. It is here you need to return a different role instead of just deny access. Deny access means your device gets the default guest-logon role.

So - create a new role on the controller that doesn't have Captive Portal, create a cp policy for it and return this one in your macauth service for corp devices.

Would that work?

Regards
John Solberg

Occasional Contributor I

Re: Restricting captive portal to 802.1x devices

This is the exact solution we required. Thanks, John.
