Security

I'm working on booting employees from my guest network so that they connect to the 802.1x network.

 

The guest network is open with self registration.

 

My plan was to use a SHL in CPPM and assign a different role that would send them to a captive portal with a nice message. It worked...half way. During the initial MAC Auth, CPPM would send back a RADIUS REJECT and a Aruba-User-Role that I wanted, but the controller keeps putting the client into the initial group. I also tried a CoA enforcement profile, but that didn't seem to help.

 

The more I think about it, there isn't a way to do what I want in this way right? Because the client isn't authenticated yet, it is ALWAYS going to get the initial role from the AAA profile. Is there a way to force this, or am I going about it wrong?

 

(Note: I did find that if I created a guest device account and assigned the 'banned-guest-role' it does work as desired, I just figured a SHL would be easier to manage)

 

Thanks!

You'll want to use Allow All MAC-Auth in your MAC authentication policy and
then use authorization to steer your users.

Thank you!

 

I ended up creating a new service that will only match on SHL (Probably redundant) and in that service I created a new new MAC Authentication that allows unknown end-hosts (so now they get RADIUS accept instead of reject). From there the authorization and enforcement sends them to the Banned Guest role and thus to the captive portal.