Wireless Access

Frequent Contributor I

Specify ACL for a lab and different one for other devices (802.1x PEAP)

I am trying to tighten up our ACLs a bit on campus. Our users are a combination of BYOD (Mac/PC/Chromebook) and deployed Chromebooks. They authenticate using 802.1x PEAP MSCHAPv2. But we have a PC lab that certain classes utilize. I would like to have a different set of ACLs in place when users log in to the lab (AD connectivity, etc.) and another when they use any other device (just the internet, DNS, DHCP). It's clear that in NPS it only looks at a single criterion (user or computer group).

So... What's the best way to do this without ClearPass...

Aruba Employee

Re: Specify ACL for a lab and different one for other devices (802.1x PEAP)

You should be able to define roles for users connecting to the dot1x SSID, based on whether a client performed machine authentication or user authentication or both. Refer to the below image from the user guide:

[Image: machine user role assignment.PNG]

Along with the above role assignment, you can use a server-derived role assignment or VSA, so that a particular group of users receives a particular role. This needs configuration on the server end to push attributes to the controller in the RADIUS transactions.
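
Added example (not part of the original reply and not copied from the user guide): a controller configuration fragment for the machine-authentication part of the approach described above. It assumes an ArubaOS controller and an existing RADIUS server group pointing at NPS; every profile, role, ACL and server-group name and the 10.0.0.0/8 internal range are hypothetical.

```text
! Added sketch. Names (internet-only, lab-full, byod-internet, campus-dot1x,
! campus-aaa, nps-servers) and the 10.0.0.0/8 range are hypothetical.
!
! BYOD and Chromebooks: DHCP, DNS and internet only, no internal networks.
ip access-list session internet-only
   user any svc-dhcp permit
   user any svc-dns permit
   user network 10.0.0.0 255.0.0.0 any deny
   user any any permit
!
! Lab PCs: allowall is a stand-in; replace it with an ACL limited to AD and lab services.
user-role lab-full
   access-list session allowall
!
user-role byod-internet
   access-list session internet-only
!
aaa authentication dot1x "campus-dot1x"
   machine-authentication enable
   ! Machine authenticated, no user logged on yet (lab PC at the login screen).
   machine-authentication machine-default-role "lab-full"
   ! User authenticated on a device that did not pass machine authentication.
   machine-authentication user-default-role "byod-internet"
!
aaa profile "campus-aaa"
   authentication-dot1x "campus-dot1x"
   ! Applied when both machine and user authentication succeed.
   dot1x-default-role "lab-full"
   dot1x-server-group "nps-servers"
```

For this to work the lab PCs must be domain-joined and set to authenticate as both computer and user, and the NPS network policy has to accept the machine accounts as well as the user accounts.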


