Hi Experts,Deeply appreciate if you guys could reverse engineer what is being done in this video:Aruba ClearPass Onboarding using Device Registration - YouTubeThis is exactly what we require in our environment but unfortunately the content creator (Jason Atkins) had disabled comments & I have no info on how I can further reach out to him for this implementation.From what I comprehend:
1) RADIUS Service created (School_Secure) = Doesn't seem that it's created using the Guest Authentication with MAC Caching Service Template, as demonstrated by Herman (Aruba ClearPass Workshop (2021) - Guest Access #1 Aruba Instant Wireless Guest (getting started) - YouTube)
a) Jason probably created the School_Secure RADIUS service manually with the following set:
i) Authentication Method = EAP PEAP (because there is not device / user cert used for EAP-TLS)ii) Authentication Source = ADiii) Authorization? = Additional authorization sources from which to fetch role-mapping attribute = ?iv) Roles = Authorization:AD:memberOf Contains Students (my guess) with [Device Registration] role assignedv) Enforcement = Tips:Role EQUALS [Device Registration] with School_Secure - DeviceRego Enforcement Profile assigned (Probably VLAN assignment only?)2) User attempts to browse to Internet & is instead thrown into Captive Portal = where do I set this? & how can I configure it to accept AD credentials instead of the default "Your Name" & "E-mail Address" fields in the Guest Self-Registration page? Is this somehow using Onboard instead?3) The School WiFi Register BYOD Device page seems to be using a modified version of the Guest Operator Logins:i) Service = Application Name EQUALS Guest....not sure if there's anything else required
ii) Authentication Sources = AD only?iii) Roles = Authorization:AD:memberOf Contains Students (my guess) with another [Device Registration] role assigned?iv) Enforcement = Tips:Role EQUALS [Device Registration] with Student_device_Rego Enforcement Profile assigned (Probably VLAN assignment again?)4) Once successfully registered, Webauth bounce port service is triggered (I'm wondering what are the conditions set for this?)5) Once bounced, the client seems to hit the same RADIUS service (School_Secure) but this time using a different Enforcement Profile (School_Secure - StudentBYOD instead of School_Secure - DeviceRego)? Is this even possible? & how should I configure it?Thanks everyone! :)
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.