11-27-2014 01:31 PM
I am administering a K12 wireless environment, with Aruba 7240 controllers and ClearPass.
Our students have both domain-joined computers, authenticating to the wireless network with EAP-TLS user certificates, and BYOD devices authenticating with an EAP-TLS Onboard certificate or captive portal.
Today we are using a proxy server to block students' network access when they have exams, but for different reasons we now want to use Aruba to do this instead.
The students' teachers have a web interface where they can put the correct students in an AD group, and then the network access shall be blocked.
I have done some research, and think we will have to do something like this to achieve it with the Aruba controller/ClearPass:
1. Get all MAC addresses that belong to a specific user (one the teacher has enabled blocking on) from the ClearPass endpoint database.
2. Send these MAC addresses to ClearPass, and make ClearPass change the role of this particular user to something like "block-network-role".
3. Send these MAC addresses to the controller, and make it run a change of authorization for these clients, so that they have to re-authenticate and get the new role.
Has anyone done something similar? Is there an easier way to do it?
I do not know how to achieve this; any lead would be great!
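Step 3 of the workflow above, the change of authorization that forces the blocked clients to re-authenticate, is a standard RFC 5176 RADIUS exchange. The following is an added example, not code from the thread or from Aruba/ClearPass: it builds a Disconnect-Request for one client MAC, with both integrity values computed in the order the RFC requires, and verifies one the way the controller would. It assumes the controller matches Calling-Station-Id as 12 bare hex digits (the form the ClearPass endpoint database stores) and that the shared secret is configured on both sides.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40                   # RFC 5176 code; NAS listens on UDP 3799
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_MESSAGE_AUTHENTICATOR = 1, 31, 80

def normalize_mac(mac: str) -> str:
    """12 lowercase hex digits, the form the ClearPass endpoint DB stores."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(ident: int, mac: str, user: str, secret: bytes) -> bytes:
    """Disconnect-Request that makes the NAS drop this client's session so it
    re-authenticates. Assumption (not from the thread): bare-hex Calling-Station-Id."""
    attrs = _attr(ATTR_USER_NAME, user.encode()) + \
            _attr(ATTR_CALLING_STATION_ID, normalize_mac(mac).encode())
    ma_zero = _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs) + len(ma_zero))
    # Message-Authenticator first: HMAC-MD5 with the Request Authenticator and
    # its own value both treated as 16 zero bytes (RFC 5176 section 3.2).
    ma = hmac.new(secret, header + bytes(16) + attrs + ma_zero, hashlib.md5).digest()
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, ma)
    # Then the Request Authenticator, as for Accounting-Request (RFC 2866):
    # MD5(Code + Identifier + Length + 16 zero bytes + Attributes + Secret).
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs

def verify_disconnect_request(packet: bytes, secret: bytes) -> bool:
    """Check a request the way the NAS does: both authenticators must match."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + bytes(16) + attrs + secret).digest() != req_auth:
        return False
    pos = 0
    while pos + 2 <= len(attrs):          # walk the TLV attribute list
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            want = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(want, attrs[pos + 2:pos + 18])
        pos += alen
    return False                          # no integrity check present: reject
```

The bytes are sent over UDP to the controller's CoA port (3799), which answers with Disconnect-ACK (code 41) or Disconnect-NAK (code 42); a new identifier is used per request.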
11-27-2014 01:35 PM
For example, you can say: if AD issued the cert and the group is student, do A, versus if the certificate was issued from ClearPass and the group is student, do B.