Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Multiple AAA wired authentication profiles

  • 1.  Multiple AAA wired authentication profiles

    Posted Feb 03, 2015 05:07 AM

    Hi all,

    Is it possible to have two separate wired profiles in guest DMZ controller?

    We are terminating both employees and guest traffic in DMZ controller and authentication is based on LDAP for employees and internal for guest users.

    We have configured a captive portal profile where we have given both LDAP and internal servers for authentication. If an employee connects to the guest SSID using his LDAP credentials he is getting authenticated and vice versa. Hence is it possible to prevent this by creating multiple user roles in wired AAA profile?



  • 2.  RE: Multiple AAA wired authentication profiles

    Posted Feb 03, 2015 05:53 AM

    Hi,

    Is your requirement to stop employees from connecting to the Guest SSID or to control the access after connecting to the Guest SSID?

    If the second one is your requirement, we have to work with different post auth roles (role after authentication).

    Please elaborate on the requirement a little bit so that I can understand and help you on this.



  • 3.  RE: Multiple AAA wired authentication profiles

    Posted Feb 05, 2015 12:44 AM

    Hi Venu,

    Sorry for the late reply. In our wireless setup we are allowing only internet access for employees and guests. We are tunneling this traffic to guest controller in DMZ segment.

    We are authenticating employees using LDAP and guests by internal database. Hence we have created a wired AAA profile and we associated it with captive portal. In that captive portal we have given LDAP and internal DB server group.

    Hence now clients are able to connect to any of the two SSIDs (employee and guest) using their credentials. Say guest is able to connect to employee SSID and employee is also able to connect to guest SSID. Is there any way to limit this? Hence is it possible to put multiple AAA wired profiles based on SSID?



  • 4.  RE: Multiple AAA wired authentication profiles

    Posted Feb 07, 2015 11:19 AM

    Why a wired AAA profile? Why not attach a captive portal profile based on role, and use different roles for guest and corp?



  • 5.  RE: Multiple AAA wired authentication profiles

    Posted Feb 09, 2015 12:42 AM

    We are not having SSID profile in guest controller. We are terminating the traffic from master to DMZ controller. In this case, are user roles able to differentiate the users based on SSID at DMZ controller side?



  • 6.  RE: Multiple AAA wired authentication profiles

    Posted Feb 09, 2015 05:52 AM

    Nope, you are right. All traffic will look similar to the DMZ controller and have the same role.

    Would it be possible to just have two VLANs on the DMZ controller with their own wired AAA profile?



  • 7.  RE: Multiple AAA wired authentication profiles

    Posted Feb 09, 2015 06:04 AM

    Thanks a lot for the reply.

    I am not able to create AAA profiles based on VLAN. I am just able to apply one global AAA profile to wired access.



  • 8.  RE: Multiple AAA wired authentication profiles

    Posted Apr 16, 2015 04:45 PM

    Hi, I'm looking to do something very similar (identical) in configuration but for very different reasons. I would like to send both guest user types down the same L2 GRE from our internal controllers to a single external/DMZ controller. That part is not the issue, however when that traffic is dropped on the external/DMZ controller there are no differentiators that I can see with respect to the users in that tunnel. I then want to be able to distinguish each guest type so that I can send Guest 1 to ClearPass captive portal 1 and Guest 2 to ClearPass captive portal 2 (on the same CPPM server).

    Guests 1 and 2 have completely different auth requirements (local DB for 1 and AD for 2).

    Thanks in advance