Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Deny Access to SSID to users in an AD Security Group

  • 1.  Deny Access to SSID to users in an AD Security Group

    Posted Dec 21, 2017 11:48 AM

    We allow users to log in to WiFi based on their username and password in Active Directory. This is set through WPA-2 Enterprise security, authenticated through our RADIUS server. We have a few generic user accounts that are only needed for hard-wired workstations to perform specific tasks. However, some users have taken these credentials and are logging in on their personal devices to gain WiFi access. We want to discourage this, forcing the users to use their own assigned user accounts for this purpose.

    We currently have Security Access Rules for this SSID set to Network-Based. Would we need to set this to Role-Based to facilitate the following?

    IF "USERNAME" is a MemberOf the AD security group "wifiBlacklist", THEN set-role to No Access.

    I'd like to put the generic accounts into a WiFi Blacklist security group, so these accounts are not abused. Users could still log in on their personal devices under their own user accounts. A simple answer to the WiFi problem would be to eliminate the generic accounts, but we are not able to do that immediately due to their use on the wired network.

    Any and all suggestions on how to set this in ClearPass and/or within the Aruba Virtual Controller would be helpful.

    Thanks!



  • 2.  RE: Deny Access to SSID to users in an AD Security Group

    EMPLOYEE
    Posted Dec 21, 2017 11:57 AM
    Yes, your logic is correct, but use the “Groups” attribute instead of memberOf.


  • 3.  RE: Deny Access to SSID to users in an AD Security Group

    Posted Dec 21, 2017 01:36 PM

    In what settings GUI can I add this logic to accomplish the stated goal?



  • 4.  RE: Deny Access to SSID to users in an AD Security Group

    EMPLOYEE
    Posted Dec 21, 2017 01:37 PM
    You can do it via Role Mapping or your Enforcement Policy.