Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Blacklisting Guests with a Captive Portal

  • 1.  Blacklisting Guests with a Captive Portal

    Posted Nov 10, 2016 11:44 AM

    I'm working on booting employees from my guest network so that they connect to the 802.1x network.

    The guest network is open with self registration.

    My plan was to use a SHL in CPPM and assign a different role that would send them to a captive portal with a nice message. It worked...halfway. During the initial MAC Auth, CPPM would send back a RADIUS REJECT and an Aruba-User-Role that I wanted, but the controller keeps putting the client into the initial group. I also tried a CoA enforcement profile, but that didn't seem to help.

    The more I think about it, there isn't a way to do what I want this way, right? Because the client isn't authenticated yet, it is ALWAYS going to get the initial role from the AAA profile. Is there a way to force this, or am I going about it wrong?

    (Note: I did find that if I created a guest device account and assigned the 'banned-guest-role', it does work as desired; I just figured a SHL would be easier to manage.)

    Thanks!



  • 2.  RE: Blacklisting Guests with a Captive Portal
    Best Answer

    Posted Nov 10, 2016 11:49 AM
    You'll want to use Allow All MAC-Auth in your MAC authentication policy and
    then use authorization to steer your users.


  • 3.  RE: Blacklisting Guests with a Captive Portal

    Posted Nov 10, 2016 02:22 PM

    Thank you!

    I ended up creating a new service that will only match on SHL (probably redundant), and in that service I created a new MAC Authentication that allows unknown end-hosts (so now they get RADIUS accept instead of reject). From there the authorization and enforcement sends them to the Banned Guest role and thus to the captive portal.