Hi everyone,
I saw a somewhat similar post on this subject from 2012, but my scenario is a bit different.
I work for a school district. Using a *single* SSID, this is what I would like to accomplish. Some of it already works; I'll explain below.
1) Allow staff and students to authenticate on a mobile device. Staff have full access to the internal network and internet; students have internet only plus certain internal resources.
2) Allow machines (both Windows and MacOS) to authenticate via machine authentication.
3) Allow district-supplied mobile devices (mainly iPads and Chromebooks) that are shared among multiple students to authenticate via certificate instead of being tied to a specific username and password, or using a WPA2-PSK network (not secure if the password gets out, which it already has).
Our current setup is:
- Aruba 3200, 3400, or 3600 controllers at each school site (depending on school size)
- Aruba 3600 master controller at District Office
- Microsoft NPS running on Server 2008 Enterprise
- ClearPass evaluation, which we will be buying soon
Currently, #1 and #2 above work... mostly. Staff and Students belong to different AD groups, and when a user authenticates on their mobile device (as in #1), NPS passes a "Class" attribute back to the Aruba controller, which places the user into either a Student or Staff role. Windows workstations are joined to our AD domain and authenticate automatically via machine authentication as soon as they boot (Windows XP requires some registry tweaking, but 7 and 8 work with just a couple of setting changes). MacOS machines running Mountain Lion or Mavericks can join our AD domain and then use a Mobileconfig profile that contains the RADIUS server certificate and wireless settings to authenticate, download the AD certificate, and connect to the network. I said "mostly" above because earlier MacOS revisions, while they can join an AD domain, are not able to use the Mobileconfig profile.
#3 is what I am currently experimenting with using ClearPass. Right now, it works if I use a separate SSID for the device to connect after completing the onboarding process. I would like to use the same SSID, but right now, it doesn't work. I think I know why, but I don't know how to fix it. I believe the problem is that when I connect to the same SSID, the device is still then trying to authenticate to my Microsoft NPS server instead of to ClearPass. So the question is, how can I get my controller configuration to know whether the device trying to authenticate is requesting certificate or user authentication, and then direct them to the proper RADIUS server (NPS or ClearPass)? And then would directing certificate-based authentication requests to ClearPass instead of NPS affect my Windows machines using machine authentication? (I know it would probably affect the Macs, but I could use ClearPass to enroll the Macs just like enrolling an iOS or Android device. That could also help the Macs running Lion or earlier.)
Thanks!
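As an added illustration (not the poster's configuration and not Aruba or ClearPass code), the constructed RADIUS Access-Requests below show what a controller can actually read from a client's EAP exchange: the first EAP-Message is an Identity response that names no method, so whether a supplicant ends up in EAP-TLS (certificate) or PEAP (username/password) is only visible once a server has proposed a method and the client has answered with it. Attribute and type numbers are from RFC 2865, RFC 3579 and RFC 3748; the identity string and packets are constructed for the example.

```python
import struct

EAP_MESSAGE = 79  # RADIUS attribute type for EAP-Message (RFC 3579)
# EAP method/type codes from RFC 3748 and the EAP-TLS / PEAP registrations
EAP_TYPES = {1: "identity", 3: "nak", 13: "eap-tls", 25: "peap"}


def eap_messages(radius_packet: bytes) -> bytes:
    """Concatenate every EAP-Message attribute of a RADIUS packet, in order."""
    code, ident, length = struct.unpack("!BBH", radius_packet[:4])
    if length != len(radius_packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos, out = 20, b""  # attributes begin after the 16-byte Authenticator
    while pos + 2 <= length:
        atype, alen = radius_packet[pos], radius_packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        if atype == EAP_MESSAGE:
            out += radius_packet[pos + 2:pos + alen]
        pos += alen
    return out


def classify_eap(radius_packet: bytes) -> str:
    """Name the EAP method carried by an Access-Request, or 'identity' if none yet."""
    eap = eap_messages(radius_packet)
    if len(eap) < 5:
        return "no-eap"
    code, eid, elen, etype = struct.unpack("!BBHB", eap[:5])
    return EAP_TYPES.get(etype, f"eap-type-{etype}")


def eap_response(eap_type: int, data: bytes, eid: int = 1) -> bytes:
    """Constructed EAP Response frame (code 2) of the given type."""
    return struct.pack("!BBHB", 2, eid, 5 + len(data), eap_type) + data


def radius_access_request(eap_payload: bytes, ident: int = 1) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed Authenticator.

    An attribute value holds at most 253 bytes, so longer EAP frames are
    split across several EAP-Message attributes, as a real NAS does.
    """
    attrs = b""
    for i in range(0, len(eap_payload), 253):
        chunk = eap_payload[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    body = bytes(16) + attrs
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


if __name__ == "__main__":
    # Constructed sample: the opening frame from a shared cart iPad is only an identity
    first = radius_access_request(eap_response(1, b"ipad-cart-07"))
    print(classify_eap(first))  # identity
    print(classify_eap(radius_access_request(eap_response(13, b"\x00"))))  # eap-tls
```

Because the identity frame carries no method, a controller that forwards by EAP type would have to wait for a later frame; in practice the split is made on something present in the first request (identity or realm), or all requests go to one policy server that handles both methods.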