Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Self-service guest question

  • 1.  Self-service guest question

    Posted Aug 01, 2013 06:00 PM

    Hi,

     

    We are looking to implement two networks using ClearPass:

    1.  Network for guests, which they access using the Self-Service capabilities of ClearPass

    2.  Network for employees, who will on-board their device and connect via EAP-TLS.

    Question is, is there a way to stop my corporate users accessing the self-service guest network?



  • 2.  RE: Self-service guest question

    EMPLOYEE
    Posted Aug 01, 2013 06:05 PM
    You can, but you will either have to register the device on the corporate SSID first or use a static host list to check against to see if it's a known device.


  • 3.  RE: Self-service guest question

    EMPLOYEE
    Posted Aug 01, 2013 06:05 PM

    You could try a role map that checks the Onboard status and returns the Deny role if the device is managed:

     

    [Screenshot: onboard-yes.PNG]



  • 4.  RE: Self-service guest question

    Posted Aug 01, 2013 06:13 PM

    Ok, so once the device is enrolled, I can have that database checked each time someone tries to access the Self-Service guest network, and if that device has been enrolled, they won't be allowed to connect?

    If the above is true, can we return them a web page to tell them to connect to the corporate SSID?



  • 5.  RE: Self-service guest question

    EMPLOYEE
    Posted Aug 01, 2013 06:15 PM
    Yes, but instead of a deny, create an enforcement profile that returns a
    captive portal role to the controller.



    Sent from my BlackBerry Z10


  • 6.  RE: Self-service guest question

    Posted Aug 01, 2013 06:33 PM

    So by returning that role, would the new page automatically appear on the user's device?



  • 7.  RE: Self-service guest question

    EMPLOYEE
    Posted Aug 01, 2013 06:36 PM
    The enforcement policy would trigger a change of authorization that would
    boot the user and bring them into the new role. When the user tries to access a
    website, they would be redirected to a captive portal.

    We do this with students who violate DMCA or AUP.

    Sent from my BlackBerry Z10