Couple of comments here.
Azure Active Directory Domain Services is NOT designed for what you're trying to do. It is designed to extend LEGACY authentication support to other services that live in Azure (e.g. servers and applications).
The legacy EAP method, PEAP, is effectively dead when you move to a cloud identity provider, as it requires credentials stored in a legacy format. We released a document last month that covers this. You can use SAML or OAuth 2.0 against Azure Active Directory to authenticate users prior to Onboard certificate issuance.
What do you have defined under the Layer 2 Auth Profile > Your 802.1X Profile > Machine: Default user role?
You can do two things:
- You can configure a MOBILE-ROLE under the "Machine Authentication : Default user role", allow the mobile devices to connect, and under that role assign the Guest VLAN
- If you want to fully deny access, just assign a denyall role under "Machine Authentication : Default user role"
Here's the modern way to do the portal redirect, the server-initiated way (CPPM pushes down portal/ACL info) based on an unknown host. In this method you don't have to do the portal or portal free-rules on the box.
The only thing you have to define is the ACL, because Comware doesn't support downloadable ACLs at this time. In the ACL you can open them up to the wide IP or you can specify them down to the port level; in the example below it's a mix. I'm using port-security in this example below, but it makes no difference if you're using mac-auth/dot1x without port-security.
I'll follow up on the CPPM config in another post:
dot1x authentication-method eap
port link-type hybrid
port hybrid vlan 1
undo dot1x handshake
dot1x mandatory-domain cppm
undo dot1x multicast-trigger
mac-authentication domain cppm
port-security port-mode mac-else-userlogin-secure-ext
acl number 3001 name PORTAL-REDIRECT
rule 0 permit ip destination 172.16.1.12 0 <- CPPM Server
rule 1 permit ip destination 192.168.1.1 0 <- Gateway to PING Check
rule 2 permit ip destination 10.1.1.1 0 <- DNS server
rule 5 permit udp destination-port eq bootp <- Permit DHCP
radius session-control enable
radius scheme cppm
primary authentication 172.16.1.12
primary accounting 172.16.1.12
key authentication simple radius
key accounting simple radius
radius dynamic-author server
client ip 172.16.1.12 key simple radius
authentication lan-access radius-scheme cppm
accounting default radius-scheme cppm
authorization default radius-scheme cppm
[HPE]display mac-authentication connection
Slot ID: 1
User MAC address: 6431-50a1-8e3d
Access interface: GigabitEthernet1/0/1
Authentication domain: 8021x
Initial VLAN: 1
Authorization untagged VLAN: N/A
Authorization tagged VLAN: N/A
Authorization ACL ID: 3001
Authorization user profile: N/A
Authorization URL: https://172.16.1.12/guest/hpeaoswiredguest.php
Termination action: N/A
Session timeout period: N/A
Online from: 2016/06/08 02:32:27
Online duration: 0h 0m 2s
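Added example, not code from the poster or from HPE/Aruba: a Python check that parses the pre-auth ACL from the switch config above together with the display mac-authentication connection output, and verifies that the session landed on the configured ACL number and that the portal host CPPM pushed down in the Authorization URL is actually permitted by that ACL, since a redirect to a host the pre-auth ACL blocks never loads. The sample texts are constructed from the post, with the inline "<-" notes stripped; the field names and rule syntax are the ones shown there.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: the pre-auth ACL from the post, "<-" notes removed.
ACL_TEXT = """acl number 3001 name PORTAL-REDIRECT
rule 0 permit ip destination 172.16.1.12 0
rule 1 permit ip destination 192.168.1.1 0
rule 2 permit ip destination 10.1.1.1 0
rule 5 permit udp destination-port eq bootp
"""
# Constructed sample: the relevant lines of 'display mac-authentication connection'.
SESSION_TEXT = """User MAC address: 6431-50a1-8e3d
Access interface: GigabitEthernet1/0/1
Authorization ACL ID: 3001
Authorization URL: https://172.16.1.12/guest/hpeaoswiredguest.php
"""
RULE_RE = re.compile(r"^rule\s+\d+\s+permit\s+ip\s+destination\s+(\S+)\s+(\S+)", re.M)

def parse_acl(text):
    """Return (acl_number, [(host, wildcard), ...]) for the 'permit ip destination' rules."""
    acl_number = int(re.search(r"^acl number (\d+)", text, re.M).group(1))
    return acl_number, RULE_RE.findall(text)

def parse_session(text):
    """Turn the 'Field: value' lines of the display output into a dict."""
    return dict(re.findall(r"^([^:]+): (.+)$", text, re.M))

def wildcard_match(addr, host, wildcard):
    """Comware wildcard semantics: 1 bits are don't-care; a bare '0' means 0.0.0.0."""
    care = ~int(ip_address("0.0.0.0" if wildcard == "0" else wildcard)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & care) == (int(ip_address(host)) & care)

def check_redirect(acl_text, session_text):
    """Return a list of problems; an empty list means the pushed-down redirect can work."""
    acl_number, rules = parse_acl(acl_text)
    sess = parse_session(session_text)
    problems = []
    if int(sess["Authorization ACL ID"]) != acl_number:
        problems.append(f"session uses ACL {sess['Authorization ACL ID']}, config has {acl_number}")
    host = urlparse(sess["Authorization URL"]).hostname
    try:
        ok = any(wildcard_match(host, h, w) for h, w in rules)
    except ValueError:  # DNS name in the URL: resolve it first, and DNS must be permitted too
        ok = False
    if not ok:
        problems.append(f"portal host {host} not permitted by ACL {acl_number}")
    return problems
```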