Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest system self-register authorization problem

  • 1.  ClearPass Guest system self-register authorization problem

    Posted Dec 12, 2013 08:56 AM

    I used the service template to configure the Guest system in CPPM (Guest Access); everything was created with the defaults.

    When I connect to the Guest SSID, authentication works without any problem. But I don't want visitors to access the company's internal network, so I made enforcement policies. When I connect to the Guest SSID again, the enforcement policies have no effect.

    How do I configure it so that visitors are not allowed to access the internal network?


    Thanks!



  • 2.  RE: ClearPass Guest system self-register authorization problem

    Posted Dec 12, 2013 09:01 AM

     

    You should define that in the Guest role on the controller. Once the user is placed in that role, you identify which segments you don't want those users to reach.



  • 3.  RE: ClearPass Guest system self-register authorization problem

    Posted Dec 12, 2013 09:11 AM

    The wireless controller is Cisco. After connecting to the Guest SSID, the user is redirected to a page (https://x.x.x.x/guest/guest.php), then self-registers an account, then logs in, and authentication is successful. At the moment, the user can access both the Internet and the corporate intranet. I don't want self-registered accounts to be able to access the internal network. How do I do this with enforcement policies?



  • 4.  RE: ClearPass Guest system self-register authorization problem

    EMPLOYEE
    Posted Dec 12, 2013 09:13 AM

    You would need to configure ACLs either on the wireless controller or the upstream switch to block access to the corporate network.



  • 5.  RE: ClearPass Guest system self-register authorization problem

    Posted Dec 12, 2013 09:15 AM

    Can't enforcement policies do this?



  • 6.  RE: ClearPass Guest system self-register authorization problem

    EMPLOYEE
    Posted Dec 12, 2013 09:17 AM

    Enforcement profiles tell the network device what to do. In Aruba land, that means telling the controller or switch to put the device into a certain role which has ACLs attached. Since Cisco does not use the role concept, you need to send back the VLAN and then use ACLs on the controller or upstream switch to block access.
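
An upstream-switch ACL of the kind described in the reply above, as an added example that is not part of the original thread or anyone's actual configuration. It assumes the guest VLAN's SVI lives on a Cisco IOS switch and that the corporate network uses RFC 1918 space; VLAN 999 and the 192.0.2.x addresses (ClearPass portal and DNS resolver) are constructed placeholders.

```cisco
! Added example: VLAN id and host addresses are placeholders, not from the thread.
! 192.0.2.10 = ClearPass guest portal, 192.0.2.53 = DNS resolver (both constructed)
ip access-list extended GUEST-NO-INTERNAL
 remark DHCP so guests can obtain an address
 permit udp any eq bootpc any eq bootps
 remark DNS only to the resolver guests are meant to use
 permit udp any host 192.0.2.53 eq domain
 permit tcp any host 192.0.2.53 eq domain
 remark Self-registration and login page on ClearPass (HTTPS)
 permit tcp any host 192.0.2.10 eq 443
 remark Everything else internal is blocked (RFC 1918 assumed)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Remaining traffic is Internet-bound
 permit ip any any
!
interface Vlan999
 description Guest VLAN returned by the ClearPass enforcement profile
 ip access-group GUEST-NO-INTERNAL in
```

The permits for DHCP, DNS and the portal come before the deny lines because in a real deployment those servers usually sit inside the internal ranges being blocked; without them guests could not register or log in.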



  • 7.  RE: ClearPass Guest system self-register authorization problem

    Posted Dec 12, 2013 09:16 AM

     

     

    The enforcement profile determines the ACTION (VLAN, role, etc.), but that needs to be defined on the controller.



  • 8.  RE: ClearPass Guest system self-register authorization problem

    Posted Dec 12, 2013 09:20 AM

    I did the VLAN authorization, but it doesn't take effect.

    How do I do it?



  • 9.  RE: ClearPass Guest system self-register authorization problem

    Posted Dec 12, 2013 09:21 AM

    Can you please share the enforcement profile?

    Do you have that VLAN defined on your controller as well?



  • 10.  RE: ClearPass Guest system self-register authorization problem

    Posted Dec 12, 2013 09:28 AM

    The profiles are as shown in the figure.



  • 11.  RE: ClearPass Guest system self-register authorization problem

    Posted Dec 12, 2013 09:31 AM

    I deployed 802.1X and the enforcement policy takes effect there; for the Guest system it does not. The service in use is as shown in the figure.



  • 12.  RE: ClearPass Guest system self-register authorization problem

    Posted Dec 15, 2013 06:19 AM
    Allen, can you export the associated Access Tracker events, so that we can see explicitly what CPPM thinks it is applying?


  • 13.  RE: ClearPass Guest system self-register authorization problem

    EMPLOYEE
    Posted Dec 16, 2013 10:54 AM
    Allen, can you send me a private message with your contact info so I can have a local SE contact you? For some reason it won't let me send one to you. Just put my username in the "send to" field: tarnold