I'm working on booting employees from my guest network so that they connect to the 802.1x network.
The guest network is open with self registration.
My plan was to use a SHL in CPPM and assign a different role that would send them to a captive portal with a nice message. It worked... halfway. During the initial MAC Auth, CPPM would send back a RADIUS REJECT and an Aruba-User-Role that I wanted, but the controller keeps putting the client into the initial group. I also tried a CoA enforcement profile, but that didn't seem to help.
The more I think about it, there isn't a way to do what I want in this way, right? Because the client isn't authenticated yet, it is ALWAYS going to get the initial role from the AAA profile. Is there a way to force this, or am I going about it wrong?
(Note: I did find that if I created a guest device account and assigned the 'banned-guest-role' it does work as desired, I just figured a SHL would be easier to manage)
I ended up creating a new service that will only match on SHL (probably redundant), and in that service I created a new MAC Authentication that allows unknown end-hosts (so now they get RADIUS accept instead of reject). From there the authorization and enforcement sends them to the Banned Guest role and thus to the captive portal.