Clearpass tablets smartphones and company devices rules


I got a requirement from a company, which wants the following:


If the computer is on Active Directory, it has a role which can access everything.

If the user has an Android tablet or a smartphone with his AD user and password, he just gets internet.


I know how to do this, but my issue is the following: I know how to do it by operating system...

If it's Android or iOS, well, just the role with just internet.

If it's Windows, then allow it onto the internal network.


But then if someone comes with a Windows 8 tablet or Windows 7 tablet, a personal one, then he will have access.

How can I do that, so that just the laptops that are on Active Directory are the ones that can have access to the internal network...

And if the client brings a computer, a personal one that is Windows 7, he does not have access, maybe just access to the internet...


I think it can be done, but what parameters should I use on the service so it can be done correctly?




Product Manager - Aruba Networks
Alternetworks Corp
MVP Guru

Re: Clearpass tablets smartphones and company devices rules


You can definitely do this.


We are currently doing something similar, where we match an AD group in combination with the device type and place it in a Role/VLAN on the controller, and we are still using the same SSID/ClearPass service.


You can use a combination of this:


With this:


[Image: ClearPass Policy Manager - Aruba Networks_2013-07-31_15-26-22.png]


And you can create a role mapping matching the Win 7 or Win 8 devices, and you can place them in different roles in the controller.


[Image: ClearPass Policy Manager - Aruba Networks_2013-07-31_15-31-23.png]


Thank you

Victor Fabian
Lead Mobility Architect @WEI
Guru Elite

Re: Clearpass tablets smartphones and company devices rules

On top of the AOS device type, you can also reference the ClearPass endpoint profiling data:


[Image: endpoint db.png]


You could also do machine authentication which can authenticate the computer against AD instead of or along with the user.

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Clearpass tablets smartphones and company devices rules

If you are talking only Domain Computers having full access, then you can use the [Machine Authenticated] attribute.  Since personal devices are most likely not going to be joined to the domain, that would eliminate them as [Machine Authenticated] right off the bat without any worry about ensuring that the device has been profiled.

Jeremy R. Wirtz
WLAN Systems Engineer
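
The difference between the OS-based rule from the question and the [Machine Authenticated] rule suggested in the replies, as an added example that is not from any poster and is not ClearPass configuration syntax. The role names, the `Session` fields and the sample sessions are constructed for illustration.

```python
from dataclasses import dataclass, field

FULL_ACCESS = "full-access"      # hypothetical controller role name
INTERNET_ONLY = "internet-only"  # hypothetical controller role name

@dataclass
class Session:
    """Constructed stand-in for what the policy server knows about one session."""
    label: str
    os_family: str                           # from profiling; "Unknown" if not profiled yet
    roles: set = field(default_factory=set)  # roles assigned during authentication

def os_based_policy(s):
    """The approach from the question: decide on operating system alone."""
    return FULL_ACCESS if s.os_family == "Windows" else INTERNET_ONLY

def machine_auth_policy(s):
    """Decide on domain membership; profiling data is not needed for the allow rule."""
    if "[Machine Authenticated]" in s.roles:
        return FULL_ACCESS
    return INTERNET_ONLY  # default for anything that did not machine-authenticate

# Constructed sample sessions (not real data)
SESSIONS = [
    Session("domain laptop", "Windows", {"[Machine Authenticated]"}),
    Session("personal Win 8 tablet", "Windows"),
    Session("Android phone", "Android"),
    Session("unprofiled domain laptop", "Unknown", {"[Machine Authenticated]"}),
]

def compare(sessions):
    """Return {label: (os_based_role, machine_auth_role)} for each session."""
    return {s.label: (os_based_policy(s), machine_auth_policy(s)) for s in sessions}

if __name__ == "__main__":
    for label, (by_os, by_machine) in compare(SESSIONS).items():
        flag = "" if by_os == by_machine else "  <-- policies disagree"
        print(f"{label:26} os={by_os:14} machine-auth={by_machine}{flag}")
```

The two rows where the policies disagree are the personal Windows tablet, which the OS rule over-permits, and the domain laptop that has not been profiled yet, which the OS rule under-permits.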