
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Blacklisting Guests with a Captive Portal

  • 1.  Blacklisting Guests with a Captive Portal

    Posted Nov 10, 2016 11:44 AM

    I'm working on booting employees from my guest network so that they connect to the 802.1x network.


    The guest network is open with self registration.


    My plan was to use a SHL in CPPM and assign a different role that would send them to a captive portal with a nice message. It worked...halfway. During the initial MAC Auth, CPPM would send back a RADIUS REJECT and an Aruba-User-Role that I wanted, but the controller keeps putting the client into the initial group. I also tried a CoA enforcement profile, but that didn't seem to help.


    The more I think about it, there isn't a way to do what I want in this way, right? Because the client isn't authenticated yet, it is ALWAYS going to get the initial role from the AAA profile. Is there a way to force this, or am I going about it wrong?


    (Note: I did find that if I created a guest device account and assigned the 'banned-guest-role' it does work as desired, I just figured a SHL would be easier to manage)



  • 2.  RE: Blacklisting Guests with a Captive Portal
    Best Answer

    Posted Nov 10, 2016 11:49 AM
    You'll want to use Allow All MAC-Auth in your MAC authentication policy and
    then use authorization to steer your users.

  • 3.  RE: Blacklisting Guests with a Captive Portal

    Posted Nov 10, 2016 02:22 PM

    Thank you!


    I ended up creating a new service that will only match on SHL (Probably redundant) and in that service I created a new MAC Authentication that allows unknown end-hosts (so now they get RADIUS accept instead of reject). From there the authorization and enforcement sends them to the Banned Guest role and thus to the captive portal.
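
The accept-versus-reject behavior discussed in this thread, as an added example that is not part of any post and is not Aruba or ClearPass code: it encodes an Aruba-User-Role vendor-specific attribute into a RADIUS reply and models a NAS that acts on the role only when the reply is an Access-Accept, which matches RFC 2865 (an Access-Reject is not supposed to carry authorization attributes). The `nas_role` logic, the zeroed authenticator and the `guest-logon` initial role name are assumptions made for illustration.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
VENDOR_SPECIFIC = 26          # RADIUS attribute type for VSAs
ARUBA_VENDOR_ID = 14823       # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1           # Aruba-User-Role VSA sub-type

def aruba_role_vsa(role):
    """Encode Aruba-User-Role as a Vendor-Specific (type 26) attribute."""
    sub = bytes([ARUBA_USER_ROLE, 2 + len(role)]) + role.encode()
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

def build_reply(code, ident, attrs):
    """Build a RADIUS reply; authenticator is zeroed (constructed sample)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_role(packet):
    """Return (code, Aruba-User-Role or None) from a RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos, role = 20, None
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if (vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE
                    and 2 <= vlen <= len(value) - 4):
                role = value[6:4 + vlen].decode()
        pos += alen
    return code, role

def nas_role(packet, initial_role):
    """Hypothetical NAS logic: honor the role only on Access-Accept."""
    code, role = parse_role(packet)
    if code == ACCESS_ACCEPT and role:
        return role
    return initial_role  # reject (or no role): client stays in the initial role
```
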