Security

Contributor I
Posts: 43
Registered: ‎02-01-2013

Self-service guest question

Hi,

 

We are looking to implement two networks using ClearPass:

1.  Network for guests, which they access using the Self-Service capabilities of ClearPass

2.  Network for employees, who will on-board their device and connect via EAP-TLS.

Question is, is there a way to stop my corporate users accessing the self-service guest network?

Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: Self-service guest question

You can, but you will either have to register the device on the corporate SSID first or use a static host list to check against to see if it's a known device.
Thank You,
Troy

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: Self-service guest question

You could try a role map that checks the Onboard status and returns the Deny role if the device is managed:

 

[Image: onboard-yes.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 43
Registered: ‎02-01-2013

Re: Self-service guest question

Ok, so once the device is enrolled, I can have that database checked each time someone tries to access the Self-Service guest network, and if that device has been enrolled, they won't be allowed to connect?

If the above is true, can we return them a web page to tell them to connect to the corporate SSID?

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: Self-service guest question

Yes, but instead of a deny, create an enforcement profile that returns a
captive portal role to the controller.



Sent from my BlackBerry Z10

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 43
Registered: ‎02-01-2013

Re: Self-service guest question

So by returning that role, would the new page automatically appear on the user's device?

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: Self-service guest question

The enforcement policy would trigger a change of authorization that would
boot the and bring them into the new role. When the user tries to access a
website, they would be redirected to a captive portal.

We do this with students who violate DMCA or AUP.

Sent from my BlackBerry Z10

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480