Security

I know this topic is getting old, but would like to know what you guys are doing with this issue, cause if i don't find a solution or workaround my boss would proberly make me drop clearpass as our guest solution.

My dream is to have 2 ssid in our network, a secure 1 for eap-tls and 1 for open (guest with sms, onboard, mac auth, voucher, ad login). right now it works with all the things except onboard and we ar using another guest solution that support guest with sms, ad login and voucher.

Right now my issue with clearpass guest is that you have to disable apple cna to get clearpass guest to work with multiple homepages cause my startpage is guest sms, and i'v got buttons for ad login, onboard and vouchers, but we got about 2000 ipads and 1000 iphones, and people are reseting the devices alot, and you can't use a open ssid with cna disable on a reset/new apple device cause it won't open the captive portal wothout that, and we have alot of guests that uses apple devices on our network and we get call's all the time cause So how are our guys/girls solving this issue? is it possible? or do i need to go 3 ssid solution, secure, open (with cna enable), open (with cna disable)

 

Morten.

3 SSIDs would be the ultimate solution for your requirement

k, is that only because of onboard? or is it because of the multiple authentication im using, sms, vouchers, ad login.

 

what should i have on the ssid? sms, voucher, ad login on the 1 with cna enable and onboard on the 1 with cna disable?

Exactly. Onboard can’t be completed with the mini-browser that Apple provides for CNA, which is why it gets bypassed for that use case.

Either that, or enable CNA on the open SSID and have users who need onboarding go an onboarding URL manually after successfully getting connected. People needing to onboard should be a less frequent use case than guests/ad/etc.