Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Limit Access to Production WLAN to devices registered in AD.

  • 1.  Limit Access to Production WLAN to devices registered in AD.

    Posted May 30, 2016 09:30 AM

    Hello,

    We have an Aruba WLAN installation distributed over several campuses.

    We run Aruba 7200 controller with around 400 APs and several thousand users.

    Today we have 802.1X User Authentication to access the production WLAN, and users are accessing the WLAN with all sorts of private devices.

    We would now like to limit access to the production WLAN to authorized devices (registered in Active Directory or similar) with the rest of the unauthorized devices restricted to the guest WLAN.

    Can anyone share any ideas how they have accomplished this and if there are any white papers or templates they could share. We are looking into implementing Aruba ClearPass into our system.

    Thank you in advance.

    Regards Peter



  • 2.  RE: Limit Access to Production WLAN to devices registered in AD.
    Best Answer

    EMPLOYEE
    Posted May 30, 2016 09:38 AM

    If you have AD devices configured to machine authenticate, you can configure "Enforce Machine Authentication" on the Aruba Controller here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-machine-authentication-work-on-the-Aruba-controller/ta-p/183440

    It is preferred to do machine authentication on an external RADIUS server like ClearPass, because it is more flexible than the controller in this regard.



  • 3.  RE: Limit Access to Production WLAN to devices registered in AD.

    Posted May 30, 2016 09:44 AM

    Colin,

    Many thanks for your fast and very useful response.

    Our AD devices are configured to machine authenticate.

    I will look into setting up a RADIUS server in ClearPass, as per your suggestion.

    Best regards Peter



  • 4.  RE: Limit Access to Production WLAN to devices registered in AD.

    Posted May 30, 2016 09:51 AM

    Hello again,

    If I may expand on this solution.

    Is there a way that authenticated users with devices not authenticated by AD can be automatically placed into the guest WLAN? Grateful for any "How to Do" links.

    Regards Peter



  • 5.  RE: Limit Access to Production WLAN to devices registered in AD.

    EMPLOYEE
    Posted May 30, 2016 10:01 AM

    This is where ClearPass has the advantage.  Please see the thread here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Enforce-Machine-Authentication/td-p/58918/highlight/true/page/2


    Long story short, if a device does not have the [machine authenticated] attribute in ClearPass, you can return the Aruba-User-Vlan that corresponds to a guest VLAN.
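    The decision described in this reply, as an added example that is not ClearPass code or anything from the thread: machine auth (a "host/" identity) marks the endpoint MAC as machine-authenticated, a later user auth on that MAC gets the production VLAN, and a user auth from a device with no cached machine auth gets the guest VLAN via the Aruba-User-Vlan VSA. The VLAN numbers and the 24-hour cache lifetime are constructed; the Aruba enterprise number (14823) and Aruba-User-Vlan vendor type (2) are the real dictionary values.

```python
import struct
import time

ARUBA_VENDOR_ID = 14823        # IANA enterprise number for Aruba (real value)
ARUBA_USER_VLAN_TYPE = 2       # vendor type of Aruba-User-Vlan in the Aruba RADIUS dictionary
PRODUCTION_VLAN = 100          # constructed VLAN ids, not from the thread
GUEST_VLAN = 200
MACHINE_AUTH_TTL = 24 * 3600   # constructed: how long a cached machine auth stays valid

# Endpoint cache: MAC -> time of the last successful machine authentication.
machine_authenticated = {}


def decide_vlan(mac, identity, now=None):
    """Handle one successful 802.1X authentication and return the attributes
    the RADIUS server should send back to the controller in the Access-Accept."""
    now = time.time() if now is None else now
    mac = mac.lower()
    if identity.startswith("host/"):
        # Computer account authenticating before user logon: cache the endpoint.
        machine_authenticated[mac] = now
        return {"Aruba-User-Vlan": PRODUCTION_VLAN, "machine_auth": True}
    stamp = machine_authenticated.get(mac)
    if stamp is not None and now - stamp < MACHINE_AUTH_TTL:
        # User auth on a device that recently machine-authenticated.
        return {"Aruba-User-Vlan": PRODUCTION_VLAN, "machine_auth": True}
    # Valid user credentials, but the device is not known to AD: guest VLAN only.
    return {"Aruba-User-Vlan": GUEST_VLAN, "machine_auth": False}


def encode_aruba_user_vlan(vlan):
    """Encode Aruba-User-Vlan as a RADIUS Vendor-Specific attribute (type 26):
    Type, Length, Vendor-Id, then Vendor-Type, Vendor-Length, 4-byte integer."""
    vsa_body = struct.pack("!BBI", ARUBA_USER_VLAN_TYPE, 6, vlan)
    return struct.pack("!BBI", 26, 2 + 4 + len(vsa_body), ARUBA_VENDOR_ID) + vsa_body


if __name__ == "__main__":
    t0 = 1000
    print(decide_vlan("AA:BB:CC:DD:EE:01", "host/laptop1.corp.example", now=t0))
    print(decide_vlan("aa:bb:cc:dd:ee:01", "CORP\\peter", now=t0 + 60))   # managed laptop
    print(decide_vlan("aa:bb:cc:dd:ee:02", "CORP\\peter", now=t0 + 60))   # private phone
    print(encode_aruba_user_vlan(GUEST_VLAN).hex())
```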