Clearpass with Active directory
08-05-2019 09:12 PM
I have a simple scenario as below:
- Have an Aruba OS switch
- Create service: 802.1X wired
- Authentication source: Active directory
I want a user who exists in AD to be assigned to VLAN 10,
and a user who does not exist in AD to be assigned to guest VLAN 20.
- All works fine except that non-AD users get denied, and the error is that the user is not a member of AD (error 216).
How can I make non-AD users be assigned to the guest VLAN? I tried many options and every time I got the 216 error saying the user is not a member of AD, while in role mapping I defined guest as not a member of any group.
Re: Clearpass with Active directory
08-06-2019 09:56 PM
So basically the user not in AD is failing dot1x authentication, correct?
In that case it will never get to the authz part of the policy.
You need to have a MAC auth service so that the wired users that fail the dot1x auth can go through a MAC auth service. Then you can select a specific workflow that suits your environment; for example, you can get them redirected to a captive portal, etc.
You can refer to the following tech note on Wired policy enforcement with ClearPass.
If a reply adequately addresses your issue, please click on the "Accept as Solution"
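To illustrate the reply's point, here is an added example (not from either poster and not ClearPass code): a simplified model of ClearPass service evaluation showing why a user unknown to AD is rejected before role mapping runs, and how a second MAC auth service catches the fallback request. It assumes services are selected by RADIUS Service-Type (Framed-User for 802.1X, Call-Check for MAC auth) and uses a constructed one-user directory.

```python
# Added example: model of ClearPass service selection and evaluation order.
# Assumptions (not from the thread): 802.1X requests carry Service-Type
# Framed-User, MAC auth requests carry Call-Check, and the switch retries a
# failed 802.1X client via MAC auth. AD_USERS is a constructed directory.

AD_USERS = {"alice"}   # constructed: the only account that exists in AD

def dot1x_service(request):
    """802.1X wired service with AD as the authentication source.
    A user unknown to AD fails authentication (the error 216 seen in the
    question) and is rejected before role mapping or enforcement runs."""
    if request["user"] not in AD_USERS:
        return {"result": "REJECT", "error": 216}
    # Role mapping and enforcement are only reached after a successful auth.
    return {"result": "ACCEPT", "role": "EMPLOYEE", "vlan": 10}

def mac_auth_service(request):
    """MAC auth service: the endpoint MAC is the identity, so nothing is
    looked up in AD; unknown endpoints get the Guest role and VLAN 20."""
    return {"result": "ACCEPT", "role": "GUEST", "vlan": 20}

def evaluate(services, request):
    """Dispatch to the first service whose categorisation rule matches."""
    for matches, handler in services:
        if matches(request):
            return handler(request)
    return {"result": "REJECT", "error": "no matching service"}

# The questioner's setup: a single 802.1X service.
ORIGINAL = [(lambda r: r["service_type"] == "Framed-User", dot1x_service)]
# The reply's fix: add a MAC auth service for the fallback request.
FIXED = ORIGINAL + [(lambda r: r["service_type"] == "Call-Check", mac_auth_service)]

def switch_port_access(services, user, mac):
    """Model of the switch port: try 802.1X first; on reject, retry the
    endpoint through MAC auth. The retry only succeeds if ClearPass has a
    service that matches it."""
    dot1x = {"service_type": "Framed-User", "user": user, "mac": mac}
    result = evaluate(services, dot1x)
    if result["result"] == "ACCEPT":
        return result
    fallback = {"service_type": "Call-Check", "user": mac, "mac": mac}
    return evaluate(services, fallback)
```

With only the 802.1X service, a non-AD user is rejected twice (error 216, then no matching service); once the MAC auth service exists, the same user lands in VLAN 20 while AD users still get VLAN 10.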