Limit Access to Production WLAN to devices registered in AD.

Hello,

 

We have an Aruba WLAN installation distributed over several campuses.

We run Aruba 7200 controller with around 400 APs and several thousand users.

 

Today we have 802.1X User Authentication to access the production WLAN, and users are accessing the WLAN with all sorts of private devices.

We would now like to limit access to the production WLAN to authorized devices (registered in Active Directory or similar) with the rest of the unauthorized devices restricted to the guest WLAN.

 

Can anyone share any ideas how they have accomplished this and if there are any white papers or templates they could share? We are looking into implementing Aruba ClearPass into our system.

 

Thank you in advance.

 

Regards Peter


Re: Limit Access to Production WLAN to devices registered in AD.

If you have AD devices configured to machine authenticate, you can configure "Enforce Machine Authentication" on the Aruba Controller here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-machine-authentication-work-on-the-Aruba-controller/ta-p/183440

 

It is preferred to do machine authentication on an external RADIUS server like ClearPass, because it is more flexible than the controller in this regard.

 



Colin Joseph
Aruba Customer Engineering


Re: Limit Access to Production WLAN to devices registered in AD.

Colin,

 

Many thanks for your fast and very useful response.

Our AD devices are configured to machine authenticate.

 

I will look into setting up a RADIUS server in ClearPass, as per your suggestion.

 

Best regards Peter


Re: Limit Access to Production WLAN to devices registered in AD.

Hello again,

 

If I may expand on this solution.

Is there a way for authenticated users with devices not authenticated by AD to be automatically placed into the guest WLAN? Grateful for any "How to Do" links.

 

regards Peter 


Re: Limit Access to Production WLAN to devices registered in AD.

This is where ClearPass has the advantage.  Please see the thread here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Enforce-Machine-Authentication/td-p/58918/highlight/true/page/2

 

Long story short, if a device does not have the [machine authenticated] attribute in ClearPass, you can return the Aruba-User-Vlan that corresponds to a guest VLAN.



Colin Joseph
Aruba Customer Engineering
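
The decision described in the reply above, sketched as an added example that is not part of the original thread and is not ClearPass configuration: it models the rule (valid user without the machine-authenticated attribute gets the guest VLAN) and shows how Aruba-User-Vlan travels in a RADIUS Vendor-Specific attribute, which is useful when checking an Access-Accept in a packet capture. The VLAN IDs, the function names and the exact role string are assumptions for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number
ARUBA_USER_VLAN = 2       # Aruba-User-Vlan in the Aruba RADIUS dictionary (integer)
MACHINE_ROLE = "[Machine Authenticated]"  # attribute named in the thread (casing assumed)
PROD_VLAN, GUEST_VLAN = 100, 900          # assumed VLAN IDs for this sketch


def decide_vlan(user_authenticated, roles):
    """Return the VLAN to send back, or None to reject the session."""
    if not user_authenticated:
        return None          # failed 802.1X user authentication: reject
    if MACHINE_ROLE in roles:
        return PROD_VLAN     # valid user on a machine-authenticated device
    return GUEST_VLAN        # valid user on a device unknown to AD


def encode_aruba_user_vlan(vlan):
    """Encode Aruba-User-Vlan as a RADIUS Vendor-Specific attribute."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    sub = struct.pack("!BBI", ARUBA_USER_VLAN, 6, vlan)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ARUBA_VENDOR_ID) + sub


def decode_aruba_user_vlan(attr):
    """Parse one attribute; return the VLAN, or None if it is not Aruba-User-Vlan."""
    if len(attr) < 2 or attr[1] != len(attr):
        raise ValueError("truncated or mis-sized attribute")
    if len(attr) != 12:
        return None
    a_type, _, vendor, v_type, v_len, value = struct.unpack("!BBIBBI", attr)
    if (a_type, vendor, v_type, v_len) != (VENDOR_SPECIFIC, ARUBA_VENDOR_ID, ARUBA_USER_VLAN, 6):
        return None
    return value


if __name__ == "__main__":
    # Constructed sessions: (label, user auth result, roles on the session)
    sessions = [
        ("AD laptop", True, {MACHINE_ROLE}),
        ("private phone", True, set()),
        ("bad password", False, set()),
    ]
    for label, user_ok, roles in sessions:
        vlan = decide_vlan(user_ok, roles)
        wire = encode_aruba_user_vlan(vlan).hex() if vlan else "Access-Reject"
        print(f"{label:14} vlan={vlan} attr={wire}")
```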
