Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Controller, Captive Portal, ClearPass, AppleTv Question

  • 1.  Controller, Captive Portal, ClearPass, AppleTv Question

    Posted Apr 13, 2014 09:40 PM

    Hello's

    Here is the situ.

    Controller based Environment. Captive portal that uses ClearPass as the AAA server. Users bring their AppleTVs to the environment and associate to this SSID. Here are my challenges/questions.

     

    1) Association to the Captive Portal SSID gives you a limited access initial role. We want the AppleTVs to associate to this SSID and immediately transition to the Guest Role.

     

    2) To this effect, I thought that I could enable the user population as users of ClearPass. They log in with their AD credentials and Create Device/register their AppleTVs. Once they do this, if the AppleTV associates to the Captive Portal SSID it should immediately transition to the Guest role. A requirement is that I should be able to see that AppleTV "ABC" belongs to user "XYZ." By the user registering the device I can query CP and see who owns the device.

     

    Is this possible? I'm getting conflicting responses and all trials have failed on my end.

    thanks for your time,

    Sky. 

     



  • 2.  RE: Controller, Captive Portal, ClearPass, AppleTv Question
    Best Answer

    EMPLOYEE
    Posted Apr 13, 2014 09:43 PM

    Yes you can do this.

     

    You'll need to add the "Guest Device Repository" as an authentication source on your guest MAC authentication service and then add a rule to the enforcement policy that returns the correct role for the AppleTV.

     

    The username will need to match exactly (including email domain) for users to be able to see their own devices. For example, cappalli and cappalli@brandeis.edu are different usernames and will not be able to see each other's personal devices.



  • 3.  RE: Controller, Captive Portal, ClearPass, AppleTv Question

    Posted Apr 13, 2014 09:52 PM

    Thanks for your quick response.

     

    How do the users register their devices using CP? My problem here is the AppleTV does not have a GUI for the user to enter their username and password. All they can do is associate to the SSID.

     

    So my thought was they have to register it by logging into CP as a limited Operator with certain rights. And from your email I'm assuming that by creating this device in CP it should end up in the Guest Device Repository and thus allow the device to transition from initial role to authenticated role.

     

    thanks 



  • 4.  RE: Controller, Captive Portal, ClearPass, AppleTv Question

    EMPLOYEE
    Posted Apr 13, 2014 09:53 PM

    They would register the MAC address of the Apple TV using the device registration screen and clicking the "Enable AirGroup" button.

     




  • 5.  RE: Controller, Captive Portal, ClearPass, AppleTv Question

    Posted Apr 13, 2014 10:02 PM

    Tim,

    Many thanks for your response. What is confusing about this is Aruba Support told me this was not possible, and this after being on the phone with them for hours told me "not doable".

     

    If I may ask, what version of CP are you running? I'm running ver 6.3.0.6.0730. When I click on Create Device I don't have the "Enable AirGroup" check. See attached file.

     

     



  • 6.  RE: Controller, Captive Portal, ClearPass, AppleTv Question

    EMPLOYEE
    Posted Apr 13, 2014 10:06 PM

    I'm running 6.3.1.

     

    I had that issue on a test system with 6.3.0 where the AirGroup box wasn't there. Contact TAC. 



  • 7.  RE: Controller, Captive Portal, ClearPass, AppleTv Question

    Posted Apr 13, 2014 10:09 PM

    Tim,

    Thanks much for your help. I was getting very worried there after my TAC call. I'll call back in and get things sorted out.

    thanks again,

    Sky.