Hi all.
I've currently got ClearPass performing authentication for my various 802.1X networks, and I'm hoping to relocate my guest Captive Portal from the controller to ClearPass. I'm currently in the testing phase over here.
What I've gotten going so far, with a combination of TAC and PS, is this:
A user connects to Guest and gets redirected to the CP page. They can click "I accept", in which case they end up in the CP_Guest role, or they can click "Employee logon", in which case they get redirected to another page. On that page they can log in with their AD creds, and if successful, end up in the CP_Employee role.
Both roles actually dump people to the same VLAN, the only difference being that the caching time assigned to those who get CP_Guest is 24 hours, and the caching time assigned to those who get CP_Employee is one month. The session time for each role is also set so that CP_Guest's session is 24 hours, and CP_Employee's session is one month.
(The primary reason for this entire thing is that the #1 complaint about our wireless is employees complaining about having to sign back in every day).
And what I've got configured so far is actually working pretty well. I've just found one small problem: When someone in CP_Employee leaves campus, and then returns, they end up in the CP_Guest role.
The reason for this is that the Services are set up such that checking the MAC cache comes first, so that those who are already cached just get straight onto the Guest with no issue. Then, the next policy is the one that handles the Captive Portal page.
I guess my question would be...is there a way to set some flag or attribute such that when someone authenticates and gets into the CP_Employee role, that when they return and hit the MAC cache policy that attribute can be used as part of the conditions to determine which Role they end up in?
Currently, this isn't really a big deal, since the primary objective of the length of the caching and session timers is working correctly, and CP_Guest and CP_Employee are currently only differentiated by the size of their bandwidth contracts. But it's always possible design decisions will change and we want to be able to process employees and guests separately. And, of course, I'd rather get this worked out ahead of cutting over to the ClearPass captive portal for production.