Cloud Managed Networks


Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications

Guest Access Scenario

  • 1.  Guest Access Scenario

    Posted Jul 18, 2024 10:02 AM

    We are a school district that would like to set up captive portals for students and for staff/guests that would behave differently. I would like to have staff register their personal devices for Internet access once every 30 days. Students and guests would need to authenticate daily and be restricted to 1 device. I am struggling with how to set this up so that only staff can use one of the captive portals (i.e. restrict by email domain) while everyone else (all other email domains) is permitted to use the other.

    Any suggestion on how I could accomplish this would be appreciated.

    Thanks in advance!



  • 2.  RE: Guest Access Scenario

    Posted Jul 19, 2024 04:28 AM

    Hi Jim.

    With ClearPass I would use a single captive portal and then act based on authentication and user role. For example, students will get the user role student with an expiration time of 24h and staff get the role staff with an expiration time of 30 days. Using MAC caching I can check the remaining time during device authentication and start the captive portal when needed.

    If you are using Central then it depends on how you authenticate your users.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 3.  RE: Guest Access Scenario

    Posted Jul 22, 2024 11:13 AM

    If using ClearPass you could set this up using the guest services and create a landing page for staff and another for students/guests. The staff landing page would hit the service checking AD credentials or email domain, and then apply a time marker so ClearPass checks for that time expiration; if it's been beyond the 30 days it will require a re-authentication. You can use Role Mapping to group these conditions together, and then call on that role in the enforcement policy.

    Guest and student accounts will be created on the fly and then expire after the time you've set, 1 day for example. Limiting to 1 device may be tough if your guests start using another account to authenticate (many users have multiple email addresses that they could use), but you could at least limit it to 1 device per registered account.

    I haven't looked into Aruba Central, but knowing it can connect with Entra and use that to authenticate users, you may have some option with the Role assignment and Captive portals created within Central.




  • 4.  RE: Guest Access Scenario

    Posted Jul 22, 2024 11:36 AM

    Random MAC addresses complicate how to reliably check that a user has only one machine. If a user deletes the WLAN profile and reconnects the machine, it will get a new MAC address for the same device and will not be able to connect. So you will need to have a process for the help desk to delete old devices from the endpoint database. Not sure if you really want to go this route.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------
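To make the role-and-expiry logic from the two ClearPass replies (domain-based role mapping, 30-day vs 24-hour lifetimes checked against a MAC cache, one device per guest account) and the randomized-MAC caveat from reply 4 concrete, here is an added Python model. It is not ClearPass configuration and not code from any poster; the staff domain `district.example`, the role names and the in-memory endpoint cache are assumptions.

```python
"""Model of the guest/staff captive-portal policy discussed in this thread."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

STAFF_DOMAINS = {"district.example"}          # assumed staff email domain
ROLE_LIFETIME = {"staff": timedelta(days=30),  # re-register every 30 days
                 "guest": timedelta(days=1)}   # students/guests re-auth daily


@dataclass
class Endpoint:
    """One entry in the MAC-caching endpoint database (assumed structure)."""
    mac: str
    account: str
    role: str
    authenticated_at: datetime


def role_for_email(email: str) -> str:
    """Role mapping: staff domain -> 'staff', every other domain -> 'guest'."""
    domain = email.rpartition("@")[2].lower()
    return "staff" if domain in STAFF_DOMAINS else "guest"


def is_randomized_mac(mac: str) -> bool:
    """True when the locally-administered bit is set, as OS MAC randomization does.
    Such entries are candidates for the help-desk cleanup reply 4 describes."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def decide(mac: str, endpoints: dict, now: datetime) -> str:
    """MAC-caching check on connect: 'allow' while the role lifetime remains,
    otherwise 'captive-portal' so the user must authenticate again."""
    ep = endpoints.get(mac.lower())
    if ep is None or now - ep.authenticated_at > ROLE_LIFETIME[ep.role]:
        return "captive-portal"
    return "allow"


def register(mac: str, email: str, endpoints: dict, now: datetime) -> str:
    """After portal authentication: map the role, enforce one device per guest
    account, and cache the endpoint. Returns the role or a denial reason."""
    mac = mac.lower()
    role = role_for_email(email)
    if role == "guest" and any(e.account == email and e.mac != mac
                               for e in endpoints.values()):
        return "denied: account already has a registered device"
    endpoints[mac] = Endpoint(mac, email, role, now)
    return role
```

The cache holds the account per MAC, so a guest who reconnects with a freshly randomized address is turned away until the old entry is removed, which is exactly the help-desk burden reply 4 warns about.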