Random MAC addresses complicate how to reliably check that a user has only one machine. If a user deletes the WLAN profile and reconnects the machine, it will get a new MAC address for the same device and will not be able to connect. So you will need to have a process for the help desk to delete old devices from the endpoint database. Not sure if you really want to go this route.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
------------------------------
Original Message:
Sent: Jul 18, 2024 06:28 PM
From: Juan Diaz
Subject: Guess Access Scenario
If using ClearPass you could set this up using the guest services and create a landing page for staff and another for students/guests. The staff landing page would hit the service checking AD credentials or email domain, and then apply a time marker so ClearPass checks for that time expiration, and if it's been beyond the 30 days it will require a re-authentication. You can use Role Mapping to group these conditions together, and then call on that role in the enforcement policy.
Guest and student accounts will be created on the fly and then expire after the time you've set, 1 day for example. Limiting to 1 device may be tough if your guests start using another account to authenticate (many users have multiple email addresses that they could use), but you could at least limit it to 1 device per account registered.
I haven't looked into Aruba Central, but knowing it can connect with Entra and use that to authenticate users, you may have some option with the Role assignment and Captive portals created within Central.
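As an added illustration of the policy described in the two replies above (not code from either poster, nor from ClearPass or Aruba Central), here is a Python model of a 30-day staff re-registration window, a daily guest window with a one-device-per-account limit, and a flag for locally administered (likely randomised) MAC addresses that would otherwise silently consume a guest's single device slot. The staff domain, class and function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed policy values mirroring the thread: staff re-register every
# 30 days, guests/students re-authenticate daily and get one device.
STAFF_DOMAIN = "district.example"   # assumed staff e-mail domain
STAFF_WINDOW = timedelta(days=30)
GUEST_WINDOW = timedelta(days=1)


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (bit 1 of the first octet) is set. OS-level MAC
    randomisation produces locally administered addresses, so a new MAC of
    this kind on a known account is a hint that the old entry is stale."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


def classify_user(email: str) -> str:
    """Staff are recognised by e-mail domain; everyone else is a guest."""
    return "staff" if email.lower().endswith("@" + STAFF_DOMAIN) else "guest"


class EndpointDb:
    """Hypothetical endpoint database: account -> {mac: registration time}."""

    def __init__(self):
        self.devices = {}

    def evaluate(self, email, mac, now):
        """Return (decision, reason); decisions are allow, reauth or deny.
        'reauth' means the client is sent to the captive portal again."""
        role = classify_user(email)
        window = STAFF_WINDOW if role == "staff" else GUEST_WINDOW
        known = self.devices.setdefault(email, {})
        mac = mac.lower()
        if mac in known:
            age = now - known[mac]
            if age <= window:
                return "allow", f"{role}: registered {age.days}d ago"
            known[mac] = now  # re-registration resets the window
            return "reauth", f"{role}: registration older than {window.days}d"
        if role == "guest" and known:
            hint = " (new MAC looks randomised)" if is_locally_administered(mac) else ""
            return "deny", "guest limited to one device" + hint
        known[mac] = now
        return "reauth", f"{role}: new device, portal login required"

    def forget_device(self, email, mac):
        """Help-desk action from the thread: drop a stale device entry."""
        self.devices.get(email, {}).pop(mac.lower(), None)
```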
Original Message:
Sent: Jul 17, 2024 12:32 PM
From: Jim Cox
Subject: Guess Access Scenario
We are a school district that would like to set up captive portals for students and staff/guests that would behave differently. I would like to have staff register their personal devices for Internet access once every 30 days. Students and guests would need to authenticate daily and be restricted to 1 device. I am struggling with how to set this up to allow only staff to use one of the captive portals (i.e. restrict by email domain) and then everyone else be permitted to use the other (all other email domains).
Any suggestion on how I could accomplish this would be appreciated.
Thanks in advance!