@mwallen wrote:
This would not be 1x authentication, but connect on the guest network, which is open with a captive portal. For some devices that don't support 1x we have them on the guest network and I use a host list so I can map them to a user role on the regular network. This is what the guys said to do when we implemented the system.
In this case we have a subnet/VLAN for wireless TVs/digital signage. They will be given static IPs and connected to the guest network since they cannot do 1x. When creating a static host list one of the options is to use an IP range, so this seemed like the best way to handle this scenario rather than having to manually enter each MAC address into the list.
So,
Let's walk through this:
You have devices you want to connect with static IP addresses to a guest network.
You want to authenticate them based on their IP address.
- There is no way to do this, because on an Open network, the only two ways you can authenticate devices (send information to a server for authentication) are with a Captive Portal or MAC authentication. "Dumb" devices cannot do captive portal, so you are only left with MAC authentication. You cannot authenticate devices based on their specific IP address. There is a parameter called IETF-Framed-IP-Address, but it is not passed during MAC authentication.
I personally think you are stuck with MAC authentication (a list of MAC addresses).
Or, if the devices you are placing on the network have the same prefix, you can use a user derivation rule on the controller to detect the MAC OUI of those devices and place them in an elevated role on the guest network. Here is an article on how you would do that: http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/PSK-MAC-Address-based-VLAN-Steering/ta-p/85212 The suggestion in the thread mentions a PSK network, but you can do it with an Open/Captive portal network just by adding a user derivation rule to the AAA profile. It would look for the OUI of the sign and then change the role of it, so that you can pass traffic back and forth to that sign, regardless of the IP address.
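Added example, not part of the original thread and not controller code: a small Python audit that mimics the OUI-based derivation described above and flags any client that received the elevated role by OUI while using an IP outside the static signage range. The OUI, subnet, role names and client rows are constructed assumptions for illustration.

```python
import ipaddress

# All values below are assumed for illustration; none come from the thread.
SIGNAGE_OUI = "00:11:22"                            # placeholder OUI of the signage vendor
SIGNAGE_NET = ipaddress.ip_network("192.0.2.0/24")  # placeholder static signage subnet
ELEVATED_ROLE = "signage"                           # hypothetical role names
DEFAULT_ROLE = "guest-logon"

def normalize_mac(mac):
    """Return a lowercase colon-separated MAC, accepting ':', '-', '.' or no separators."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def derive_role(mac):
    """Mimic the derivation rule: a MAC starting with the OUI gets the elevated role."""
    return ELEVATED_ROLE if normalize_mac(mac).startswith(SIGNAGE_OUI) else DEFAULT_ROLE

def audit(clients):
    """List (mac, ip) pairs that hold the elevated role but sit outside the signage subnet.

    The role is granted on OUI alone, regardless of IP, so an address outside
    the static range is worth a look: a misconfigured sign or a copied MAC.
    """
    findings = []
    for mac, ip in clients:
        in_range = ipaddress.ip_address(ip) in SIGNAGE_NET
        if derive_role(mac) == ELEVATED_ROLE and not in_range:
            findings.append((normalize_mac(mac), ip))
    return findings

# Constructed sample rows (MAC, IP), not real controller output.
CLIENTS = [
    ("00:11:22:AA:BB:01", "192.0.2.10"),    # sign, expected IP
    ("0011.22aa.bb02", "192.0.2.11"),       # sign, dotted MAC notation
    ("00-11-22-AA-BB-03", "198.51.100.7"),  # OUI matches, IP outside the range
    ("3C:5A:B4:00:00:01", "198.51.100.8"),  # ordinary guest, stays in default role
]

if __name__ == "__main__":
    for mac, ip in audit(CLIENTS):
        print(f"review: {mac} has role {ELEVATED_ROLE!r} but IP {ip} is outside {SIGNAGE_NET}")
```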