Thanks Fabian Klaring for the clarification.
Another challenge: I tried testing BYOD and Guest wired. The objective is to allow employees to connect a BYOD laptop to an ArubaOS switch port and be presented with a captive portal to enter their AD username and password; if successfully authenticated, they gain Internet access only.
Also, a guest should be able to connect his/her laptop to a switch port and be redirected to a captive portal as well for guest user account authentication. Should a guest user account exist, only Internet access is granted; otherwise, the guest can register via the captive portal to get sponsored by an employee.
On the ArubaOS switch, I configured 2 local user roles - one that maps to a captive-portal profile for redirect to CPPM, and the other that maps to a policy for Internet access only. See details below.
class ipv4 "DNS"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit
class ipv4 "DHCP"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit
class ipv4 "INTERNAL"
10 match ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255
exit
class ipv4 "IP-ANY-ANY"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
class ipv4 "WEB-TRAFFIC"
10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
exit
class ipv4 "CLEARPASS-WEB"
10 match tcp 0.0.0.0 255.255.255.255 10.100.1.44 0.0.0.0 eq 80
20 match tcp 0.0.0.0 255.255.255.255 10.100.1.44 0.0.0.0 eq 443
exit
policy user "BYOD_GUEST_WIRED"
10 class ipv4 "DNS" action permit
20 class ipv4 "DHCP" action permit
30 class ipv4 "INTERNAL" action deny
40 class ipv4 "IP-ANY-ANY" action permit
exit
policy user "CLEARPASS-REDIRECT"
10 class ipv4 "DNS" action permit
20 class ipv4 "DHCP" action permit
30 class ipv4 "CLEARPASS-WEB" action permit
40 class ipv4 "WEB-TRAFFIC" action redirect captive-portal
exit
aaa authorization user-role enable
aaa authentication port-access eap-radius
aaa authentication captive-portal enable
aaa port-access authenticator 18-20
aaa port-access authenticator 18 client-limit 2
aaa port-access authenticator 19 client-limit 2
aaa port-access authenticator 20 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 18-20
aaa port-access mac-based 18 addr-limit 2
aaa port-access mac-based 19 addr-limit 2
aaa port-access mac-based 20 addr-limit 2
aaa authorization user-role name "Wired_BYOD_Guest"
policy "BYOD_GUEST_WIRED"
reauth-period 21600
vlan-id 247
exit
aaa authorization user-role name "Wired_BYOD_Guest_Profile"
captive-portal-profile "use-radius-vsa"
policy "CLEARPASS-REDIRECT"
vlan-id 247
exit
radius-server host 10.100.1.44 encrypted-key "xxxxxxxxxx"
radius-server host 10.100.1.44 dyn-authorization
radius-server host 10.100.1.44 time-window plus-or-minus-time-window
radius-server host 10.100.1.44 time-window 0
ip source-interface radius vlan 144
vlan 247
name "BYOD_Guest_VLAN"
untagged 18-20
tagged 24
ip address 192.168.10.2 255.255.255.0
exit
interface 18-20
untagged vlan 247
aaa port-access authenticator
aaa port-access authenticator client-limit 2
aaa port-access mac-based
aaa port-access mac-based addr-limit 2
exit
-------------------------------------------------------------------------
The BYOD wired test worked fine. I have 3 services on CPPM - MAC Auth, 802.1x, and WEBAUTH. However, this successful test created an issue for domain-joined PCs/laptops undergoing machine authentication. Right now, a domain-joined PC matches both the MAC Auth and 802.1x services at the same time, and this makes the domain PC and even the IP Phones get stuck at the captive portal page under VLAN 247.
Is there a way to force domain-joined PCs out of MAC Auth so that they match the 802.1x service only? The PCs use the Windows supplicant, and the authentication method for the 802.1x service is EAP-PEAP with EAP-MSCHAPv2.
I appreciate any advice on best practices for this kind of scenario.
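As an added example (not from the original post), a small Python model of the classes and user policies above, evaluated first-match the way the switch applies them, so you can check what each role actually lets through before putting a device on the port. The implicit deny for traffic matching no class is an assumption, and the client and Internet addresses in the comments are constructed.

```python
import ipaddress

# Model of the ArubaOS-Switch classes and user policies posted above.
# Class entry: (proto, src_net, dst_net, dst_port or None); "ip" matches any
# protocol. Entries within a class and classes within a policy are first-match.
# Assumption (not stated in the post): a flow matching no class in a role's
# policy is dropped by an implicit deny at the end of that policy.
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
CPPM = ipaddress.ip_network("10.100.1.44/32")

CLASSES = {
    "DNS":           [("udp", ANY, ANY, 53)],
    "DHCP":          [("udp", ANY, ANY, 67)],
    "INTERNAL":      [("ip",  ANY, INTERNAL, None)],
    "IP-ANY-ANY":    [("ip",  ANY, ANY, None)],
    "WEB-TRAFFIC":   [("tcp", ANY, ANY, 80)],
    "CLEARPASS-WEB": [("tcp", ANY, CPPM, 80), ("tcp", ANY, CPPM, 443)],
}

POLICIES = {
    "BYOD_GUEST_WIRED":   [("DNS", "permit"), ("DHCP", "permit"),
                           ("INTERNAL", "deny"), ("IP-ANY-ANY", "permit")],
    "CLEARPASS-REDIRECT": [("DNS", "permit"), ("DHCP", "permit"),
                           ("CLEARPASS-WEB", "permit"),
                           ("WEB-TRAFFIC", "redirect captive-portal")],
}


def class_matches(name, proto, src, dst, dport):
    """True if the flow hits any entry of the named class (first match)."""
    for c_proto, c_src, c_dst, c_port in CLASSES[name]:
        if c_proto != "ip" and c_proto != proto:
            continue
        if src not in c_src or dst not in c_dst:
            continue
        if c_port is not None and c_port != dport:
            continue
        return True
    return False


def evaluate(policy, proto, src, dst, dport=None):
    """Return the action the role's policy applies to one flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for class_name, action in POLICIES[policy]:
        if class_matches(class_name, proto, src, dst, dport):
            return action
    return "deny (implicit)"  # assumption, see the comment at the top
```

Running it against the posted config shows, for example, that the BYOD role still permits DNS to an internal resolver (DNS is matched before the INTERNAL deny) and that the redirect role only redirects plain HTTP on port 80, so HTTPS to an Internet host is dropped rather than redirected.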