Wireless Access

New Contributor

User Clearpass based self-registration with MAC exclusions and AD authentication

I wanted to know if the following is doable:

 

1. Formation of an onboarding SSID

   - Used solely for device self-registration

   - Authentication against external AD IDP

   - Allows for the end-user self-support addition of devices allowed based on MAC addresses

   - Sends text confirmation of account creation and WPA2 SSID and PSK information 

   - MAC address rules mapped to AD-User entry in Clearpass with airgrouping

 

2.  Formation of an IoT SSID using WPA2 PSK with MAC filtering based on the information collected in step 1

 

3. API or other ability for a push event to disable IoT access due to account deletion, disability, or other loss of AD access.  A periodic check by Clearpass of AD Account status would also work.

 

I know this is a lot of issues to solve, but I need to grant secure network access to AD user devices that do not support 802.1x (think game consoles and video streaming devices), with an ability for access to be removed due to change in AD access.  This would need to scale into the tens of thousands of devices, so must have per user self-support ability without the need for Clearpass and/or WLC support to allow user devices access.
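The periodic AD account-status check asked for in item 3, as an added example (not from the thread and not ClearPass code): it decides which registered MAC addresses should lose IoT access. The registration map, the directory snapshot and all function names are assumptions; fetching the attributes over LDAP and pushing the result to ClearPass are left out.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002                   # userAccountControl bit: account disabled
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires values meaning "no expiry"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def normalize_mac(mac):
    """Canonicalise a MAC to lowercase colon form; reject malformed input."""
    stripped = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(stripped) != 12 or any(c not in "0123456789abcdef" for c in stripped):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(stripped[i:i + 2] for i in range(0, 12, 2))

def account_active(entry, now):
    """True only if the AD entry exists, is not disabled and has not expired."""
    if entry is None:                     # user deleted from the directory
        return False
    if int(entry["userAccountControl"]) & ACCOUNTDISABLE:
        return False
    expires = int(entry.get("accountExpires", 0))
    if expires in NEVER_EXPIRES:
        return True
    # accountExpires counts 100 ns intervals since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=expires // 10) > now

def macs_to_revoke(registrations, directory, now):
    """Sorted MACs whose owning AD account is deleted, disabled or expired."""
    revoke = set()
    for user, macs in registrations.items():
        if not account_active(directory.get(user.lower()), now):
            revoke.update(normalize_mac(m) for m in macs)
    return sorted(revoke)

# Constructed sample data (assumption): MACs collected at self-registration,
# keyed by AD username, and AD attributes as an LDAP query would return them.
REGISTRATIONS = {
    "alice": ["AA-BB-CC-00-00-01"],
    "bob": ["aa:bb:cc:00:00:02", "AABB.CC00.0003"],
    "carol": ["aa:bb:cc:00:00:04"],
    "dave": ["aa:bb:cc:00:00:05"],
}
DIRECTORY = {  # carol is absent: her account was deleted
    "alice": {"userAccountControl": "512", "accountExpires": "0"},
    "bob": {"userAccountControl": "514", "accountExpires": "0"},  # 512 | disabled
    "dave": {"userAccountControl": "512",
             "accountExpires": "132223104000000000"},  # 2020-01-01 UTC
}
```
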

Guru Elite

Re: User Clearpass based self-registration with MAC exclusions and AD authentication

Yes, this is possible, but having a dedicated SSID is not really necessary.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: User Clearpass based self-registration with MAC exclusions and AD authentication

The idea for the separate SSID is to allow access to a new user before WPA2PSK creds are known.  Question is, how do you do self-support in Clearpass based on AD auth, to include "Adding devices?"  I have not been able to make this work.
