Security

I am using my Guest SSID for both guest logon and employee onboarding.  When the guest or employee logs in, they receive the same welcome page sent from the controller, which is just a custom Web Login page on ClearPass.  This page informs the guest that their login was successful and they are now connected.  It also provides a link for employees to go to the onboarding page.  There's potential for this to be confusing so I'd like to know if there's a way to direct guests to one page and employees to another after logging into the captive portal?

At that point of the connection/authentication process, the controller doesn't really know who they are.     Most guest networks will redirect all connections to a standard captive portal page. it is possible to have a different page presented to the user, but there must be a way to differentiate the user from a typical everyday guest to one that is an employee.  The method to do this would be to return a specific Aruba-User-Role in an Enforcement Policy which would have the captive portal profile assigned.   To make this work, a method of detecting this at connection is needed which may be the biggest obstacle.     When I've seen this in the past, usually customers will have a standard captive portal page for everyone an then some sort of link for employees to onboard their device if desired.

Thanks Clembo.

I wanted to provide a different Welcome page, not a different Login page as you're referring to.  Our guests and colleagues (wanting to onboard) login to the same captive portal.  After they login, I want to redirect them to different welcome pages.  (I can only send them to a single welcome page via the captive portal profile as far as I know.)  The guests would get a "thanks for logging in, you may now browse the web" message, and colleagues would receive the onboarding page.  I didn't want to expose the onboarding page to anyone connecting to the guest network, which is why we're making colleagues login to the guest captive portal first.  Then, they can click a link on the welcome page to onboard.  It may be unnecessary, but that's how it is currently setup.  It may just be easier to provide a link on the guest captive portal that sends them to the onboarding page.

Hi, did you ever figure this out or you added a link into the landing page and the user clicks there to go to a different landing page?

thanks

Hello ricardo

This is a 4 year old thread ;) Still - easiest way to achieve this would be by using a MAB setup. That way you can return the appropriate logon-role depending on a myriad of input parameters like ap-group, time of day, NAS ip etc.

MAB = Mac address bypass. You build a mac-auth (radius) service and a webauth service for the login authentication. You use CoA in the webauth to change the role to some type of authenticated once authentication goes through.

Would captuing the domain from the guest registration be an appropriate trigger in ClearPass to return a different role and therfore a different page?