07-08-2013 06:29 AM
Hi all. Is it possible to make a user able to authenticate in one SSID and deny him authorization in the other SSID?
I have Aruba ClearPass with 2 login portals for different SSIDs. So, if I create a guest user in the ClearPass database, he can authorize in both SSIDs. How can I separate users by SSID in ClearPass?
07-08-2013 11:22 AM
Use the Aruba VSA (Vendor Specific Attribute) Aruba-ESSID-Name in your ClearPass Service Definition to uniquely qualify the inbound RADIUS request to a service.
In the example below we match that the ESSID must match "CSC-Clearpass", but you can also use the CONTAINS or BEGINS_WITH operators if you have a naming construct that makes it easy to match (or use REGEX).
07-08-2013 11:23 AM
Additionally, realize that in ClearPass 6.x the user is in the Guest Repository. You can use the Guest Repository for one service (under the Authentication Sources for that service) and other Authentication Sources for other services (like AD via LDAP for your corporate/non-guest network).
07-09-2013 03:56 AM
Thanks, but it's not working. The attribute Aruba-ESSID-Name should be attached to the user (not to the service). When somebody connects to the network, the Aruba controller sends an attribute to the RADIUS server with the name of the SSID the user connected to. I mean, if user1 connects to the network SSID1, the controller will send Aruba-ESSID-Name=SSID1; if the same user connects to SSID2, the controller will send Aruba-ESSID-Name=SSID2. But user1 will authorize in both networks because ClearPass has a shared user database.
Is it possible to separate guest users by an SSID attribute in this database? I.e. if guest user USER1 has attribute SSID1, he will authorize in SSID1 only and not in SSID2. Or can I create different databases in ClearPass for user authentication and authorization?
07-09-2013 04:32 AM
You can probably create two services, each matching SSID1 and SSID2, and, let's say you want to use the Endpoint Repository database, you could state that if the device is KNOWN then deny access for the particular SSID that you don't want the user to use.
This is one of the ways you could accomplish that.
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
07-10-2013 06:19 AM
Add an additional object in the Guest Operator Page.
Visitor Password: ************
Session Limit: 60
Drop-down box, e.g. Floor: F1
When you create a user account, choose the respective floor to be assigned.
In CPPM you will create a Wireless Service and add Service Type: "Radius:IETF of AP GROUP : 1" (pertaining to the APs located on Floor 1).
In the Role:
GuestUser [Role ID] EQUALS 1
and GuestUser Location EQUALS F1 GUEST ACCESS
Tips Role EQUALS GUEST ACCESS Allow Access
This is what we did in the lab and it is working. I can't picture the exact configuration, but this is what we did.
07-10-2013 07:37 AM
You can also use the service type based on SSID posted by billcarjr and use the role and enforcement policy I posted. My solution is based on the same SSID, but the AP is in a different location.
08-09-2013 08:29 AM
You could also use roles in the Local User or Guest Repository to assign internal CPPM roles such as Guest-SSID1, Guest-SSID2 and/or Guest-BothSSIDs.
Then in the enforcement profile allow access for the Tips:Role=(some role) that matches the ESSID(s) and deny access for the others...
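To see how the pieces proposed in this thread fit together (per-SSID services keyed on the Aruba-ESSID-Name VSA, a repository role mapped to Tips:Role, and an enforcement policy that allows only matching roles), here is a small simulation of that evaluation order. It is an added illustration, not ClearPass code; the account names, passwords, ESSIDs and role names are constructed assumptions.

```python
# Added example: simulates the ClearPass flow proposed in the thread.
# 1. classify the RADIUS request into a service by the Aruba-ESSID-Name VSA,
# 2. authenticate against the Guest Repository and map its role to Tips:Role,
# 3. enforce: accept only if that Tips:Role is entitled to the ESSID in the request.

# Constructed guest repository: account -> (password, repository role). Names are assumptions.
GUEST_REPOSITORY = {
    "user1": ("pass1", "Guest-SSID1"),
    "user2": ("pass2", "Guest-SSID2"),
    "user3": ("pass3", "Guest-BothSSIDs"),
}

# Enforcement policy: which ESSIDs each Tips:Role may use (roles from the last post).
ROLE_TO_ESSIDS = {
    "Guest-SSID1": {"SSID1"},
    "Guest-SSID2": {"SSID2"},
    "Guest-BothSSIDs": {"SSID1", "SSID2"},
}

# Service rules on the Aruba-ESSID-Name VSA, tried in order like ClearPass service ordering.
SERVICE_RULES = [
    ("Guest SSID1", lambda essid: essid == "SSID1"),           # EQUALS
    ("Guest SSID2", lambda essid: essid.startswith("SSID2")),  # BEGINS_WITH
]

def classify_service(request):
    """Return the first service whose ESSID rule matches, or None (no service, request dropped)."""
    essid = request.get("Aruba-ESSID-Name", "")
    for name, rule in SERVICE_RULES:
        if rule(essid):
            return name
    return None

def evaluate(request):
    """Return (decision, reason) for a RADIUS request dict with User-Name, User-Password, ESSID."""
    service = classify_service(request)
    if service is None:
        return ("REJECT", "no service matched the ESSID")
    account = GUEST_REPOSITORY.get(request.get("User-Name"))
    if account is None or account[0] != request.get("User-Password"):
        return ("REJECT", "authentication failed against the Guest Repository")
    tips_role = account[1]  # role mapping: repository role becomes Tips:Role
    if request["Aruba-ESSID-Name"] in ROLE_TO_ESSIDS.get(tips_role, set()):
        return ("ACCEPT", f"{service}: Tips:Role={tips_role} allowed")
    return ("REJECT", f"{service}: Tips:Role={tips_role} not entitled to this ESSID")

if __name__ == "__main__":
    for user, essid in (("user1", "SSID1"), ("user1", "SSID2"), ("user3", "SSID2")):
        req = {"User-Name": user, "User-Password": GUEST_REPOSITORY[user][0], "Aruba-ESSID-Name": essid}
        print(user, essid, evaluate(req))
```

Run it to see user1 accepted on SSID1 but rejected on SSID2, which is the separation the original question asked for, even though both SSIDs share the same guest database.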