Occasional Contributor I

Clearpass with Active directory

I have a simple scenario as below:

- Have an Aruba OS switch

- Create service: 802.1X wired

- Authentication source: Active Directory

I want that if a user exists in AD, they will be assigned to VLAN 10,

and if the user does not exist in AD, they are assigned to guest VLAN 20.

- All works fine except that non-AD users get denied, and the error is that the user is not a member of AD (error 216).

How can I make non-AD users be assigned to the guest VLAN? I tried many options, and every time I got the 216 error saying the user is not a member of AD, while in role mapping I defined Guest as not a member of any group.

MVP

Re: Clearpass with Active directory

So basically the user not in AD is failing dot1x authentication, correct?

In that case it will never get to the authz part of the policy.

You need to have a MAC auth service so that the wired users that fail the dot1x auth can go through a MAC auth service. Then you can select a specific workflow that suits your env., for example you can get them redirected to a captive portal, etc.

You can refer to the following tech note on Wired Policy Enforcement with ClearPass.

https://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161
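To make the ordering point in the reply above concrete, here is a small Python model of the request flow, added as an illustration for this thread and not ClearPass code. It assumes a constructed AD user set, a made-up MAC address, the two service names, and that the switch port only retries with MAC authentication when that is enabled on the port; VLAN 10, VLAN 20 and error 216 are the values from the question. The model shows why a "not member of any group" role-mapping rule in the 802.1X service can never catch a user who is not in AD: role mapping only runs after authentication has succeeded, so the fallback has to happen in a separate MAC auth service.

```python
"""Constructed model of the ClearPass request flow discussed in this thread.

Illustration written for this page, not ClearPass code. The AD user set, MAC
address, service names and the port fallback behaviour are assumptions chosen
to match the scenario; VLAN 10/20 and error 216 come from the question.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the Active Directory authentication source.
AD_USERS = {"alice", "bob"}


@dataclass
class Result:
    service: str
    accepted: bool
    vlan: Optional[int] = None
    role: Optional[str] = None
    error: Optional[int] = None
    role_mapping_ran: bool = False


def dot1x_wired_service(username: str) -> Result:
    """802.1X Wired service: authenticate against AD, then map a role, then enforce."""
    # Step 1: authentication. A user that does not exist in AD fails here with
    # error 216 and the request is rejected; nothing below is evaluated.
    if username not in AD_USERS:
        return Result("802.1X Wired", accepted=False, error=216)
    # Step 2: role mapping. Only reached for an authenticated user, so a rule
    # such as "not member of any group -> Guest" cannot apply to non-AD users.
    role = "AD-User"
    # Step 3: enforcement. AD users are placed in VLAN 10.
    return Result("802.1X Wired", accepted=True, vlan=10, role=role,
                  role_mapping_ran=True)


def mac_auth_wired_service(mac: str) -> Result:
    """MAC Auth Wired service: place an otherwise unknown endpoint in the guest VLAN."""
    # Constructed policy for this illustration: every endpoint reaching this
    # service gets the Guest role and VLAN 20.
    return Result("MAC Auth Wired", accepted=True, vlan=20, role="Guest",
                  role_mapping_ran=True)


def port_authentication(username: Optional[str], mac: str,
                        mac_auth_enabled: bool) -> List[Result]:
    """Model of a switch port that tries 802.1X first and may fall back to MAC auth.

    Returns the sequence of results the port received. The fallback only
    happens when MAC authentication is enabled on the port (an assumption about
    the switch configuration made for this model).
    """
    results: List[Result] = []
    if username is not None:
        results.append(dot1x_wired_service(username))
        if results[-1].accepted:
            return results
    if mac_auth_enabled:
        results.append(mac_auth_wired_service(mac))
    return results


def final_vlan(results: List[Result]) -> Optional[int]:
    """VLAN the port ends up in, or None if every attempt was rejected."""
    for r in results:
        if r.accepted:
            return r.vlan
    return None


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed MAC address
    for user, fallback in (("alice", False), ("mallory", False), ("mallory", True)):
        attempts = port_authentication(user, mac, fallback)
        summary = [(a.service, a.accepted, a.error) for a in attempts]
        print(f"{user:8} mac_auth_enabled={fallback!s:5} {summary} -> VLAN {final_vlan(attempts)}")
```

The second case reproduces what the question describes: the only attempt is the 802.1X service, it ends with error 216, and no VLAN is assigned. The third case adds the MAC auth service the reply recommends, so the same unknown user ends up in VLAN 20 on the second request.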

