Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass with Active Directory

  • 1.  Clearpass with Active Directory

    Posted Aug 06, 2019 12:13 AM

    I have a simple scenario as below:

    - Have an Aruba OS switch

    - Create service: 802.1X wired

    - Authentication source: Active Directory

    I want that if a user exists in AD they will be assigned to VLAN 10,

    and if the user does not exist in AD, assigned to Guest VLAN 20.

    - All works fine except that non-AD users get denied and the error is that the user is not a member of AD (error 216).

    How can I make non-AD users be assigned to the guest VLAN? I tried many options and every time I got the 216 error saying the user is not a member of AD, while in Role Mapping I defined guest as not a member of any group.



  • 2.  RE: Clearpass with Active Directory

    EMPLOYEE
    Posted Aug 07, 2019 12:56 AM

    So basically the user not in AD is failing dot1x authentication, correct?

    In that case it will never get to the authz part of the policy.

    You need to have a MAC auth service so that the wired users that fail the dot1x auth can go through a MAC auth service. Then you can select a specific workflow that suits your env., for example you can get them redirected to a captive portal, etc.

    You can refer to the following tech note on Wired Policy Enforcement with ClearPass.

    https://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161
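    The ordering point the reply makes (authentication runs before role mapping, so a user missing from AD is rejected with error 216 and the guest role never fires) can be seen in a small model of the request flow. This is an added, constructed example and not ClearPass code; the directory contents, MAC addresses and the switch fallback behaviour are assumptions made for the model.

```python
from dataclasses import dataclass

# Constructed directories for the model (not a real AD or endpoint database).
AD_USERS = {"alice", "bob"}
KNOWN_ENDPOINTS = {"aa:bb:cc:dd:ee:01"}

@dataclass
class Request:
    method: str    # "dot1x" or "mac"
    identity: str  # AD username for dot1x, MAC address for MAC auth

def dot1x_service(req):
    """802.1X wired service with AD as the authentication source.

    Authentication is evaluated before role mapping, so a user missing from
    AD is rejected (error 216) and the 'not member of any group' guest role
    is never reached for that request.
    """
    if req.method != "dot1x":
        return None  # this service does not match the request
    if req.identity not in AD_USERS:
        return {"result": "REJECT", "error": 216}
    return {"result": "ACCEPT", "vlan": 10}  # role mapping: AD user -> VLAN 10

def mac_auth_service(req):
    """Fallback MAC auth service: any endpoint reaching it gets the guest VLAN."""
    if req.method != "mac":
        return None
    return {"result": "ACCEPT", "vlan": 20, "known": req.identity in KNOWN_ENDPOINTS}

def clearpass(req, services):
    """The first matching service in the configured list handles the request."""
    for service in services:
        outcome = service(req)
        if outcome is not None:
            return outcome
    return {"result": "REJECT", "error": "no matching service"}

def port_access(username, mac, services, mac_auth_fallback):
    """Model of the switch port: try 802.1X, then MAC auth if fallback is on."""
    outcome = clearpass(Request("dot1x", username), services)
    if outcome["result"] == "ACCEPT" or not mac_auth_fallback:
        return outcome
    return clearpass(Request("mac", mac), services)

# The poster's setup: only the 802.1X service, no MAC auth fallback.
ORIGINAL = ([dot1x_service], False)
# The suggested setup: 802.1X plus a MAC auth service the switch falls back to.
SUGGESTED = ([dot1x_service, mac_auth_service], True)

if __name__ == "__main__":
    for name, (svcs, fallback) in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, port_access("eve", "aa:bb:cc:dd:ee:99", svcs, fallback))
```

Running it shows the non-AD user "eve" rejected with 216 under the original setup and landing in VLAN 20 via MAC auth under the suggested one, while an AD user still gets VLAN 10.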