Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest Captive Portal - Certificate Authentication

  • 1.  Guest Captive Portal - Certificate Authentication

    Posted Oct 24, 2017 12:30 PM

    For context, we're testing this right now using IAPs. Production environment will be IAPs as well.


    We have ClearPass Guest up and running. Captive portal, self-registration, guests receive a 24-hour MAC auth. What we want to do is use the same SSID for existing employee BYOD devices and not force them to register through the captive portal. These BYOD devices have a certificate issued by an internal CA and I was hoping to use that as an authentication mechanism to bypass the captive portal. Basically have ClearPass check for a valid certificate on the client device and, if found, the device / user would be given the Employee role. If not found, the device / user is redirected to the captive portal. I'm sure there are a number of ways to go about this, but I'd like to try and follow best practices. Any ideas would be greatly appreciated.



  • 2.  RE: Guest Captive Portal - Certificate Authentication

    EMPLOYEE
    Posted Oct 24, 2017 12:34 PM
    If the device already has a certificate, why aren't you doing 802.1X with EAP-TLS?


  • 3.  RE: Guest Captive Portal - Certificate Authentication

    Posted Oct 24, 2017 12:38 PM

    We are with corporate-owned laptops and desktops. These devices are employee-owned iOS and Android devices. In order for an employee to use them for company email and such, they must install the company's MDM solution (XenMobile), which creates a device certificate for each enrolled device. But because the device is employee-owned, we don't want it on the internal network like laptops and desktops and want to give those devices internet access ONLY. So we're dropping them on the guest network for this reason. Was hoping that I could use that certificate as a way to identify employee-owned BYOD devices and have them bypass the guest registration and simply just allow them access to the guest network given the presence of the MDM-provided cert.



  • 4.  RE: Guest Captive Portal - Certificate Authentication
    Best Answer

    EMPLOYEE
    Posted Oct 24, 2017 12:42 PM

    You can still have them connect to the same SSID and drop them into a different role / VLAN, giving them the same access as if they were connected to the guest SSID.


    You can push the network configuration via the MDM and everyone will seamlessly connect without any interaction.
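The role decision the answer above relies on is the one an EAP-TLS authenticator makes: the client certificate must chain to the internal MDM CA and be valid, otherwise the device stays a guest and hits the captive portal. The Go program below is an added illustration, not ClearPass or Aruba code; the CA name "XenMobile-Device-CA", the role names and the certificates it mints are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed role names standing in for the enforcement profiles that would
// drop the client into the internet-only BYOD VLAN or the guest VLAN.
const RoleEmployeeBYOD, RoleGuest = "Employee-BYOD", "Guest"

// AssignRole is what the EAP-TLS check amounts to: the client certificate must
// chain to the internal MDM CA, be inside its validity window and carry the
// client-auth EKU. Anything else falls through to captive-portal registration.
func AssignRole(client, mdmCA *x509.Certificate, now time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(mdmCA)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return RoleGuest
	}
	return RoleEmployeeBYOD
}

// makeCert mints a demo certificate; isCA yields a self-signed root (parent ignored).
func makeCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	now := time.Now()
	ca, caKey := makeCert("XenMobile-Device-CA", true, now.Add(24*time.Hour), nil, nil)
	phone, _ := makeCert("byod-phone-1", false, now.Add(24*time.Hour), ca, caKey)
	fmt.Println(AssignRole(phone, ca, now)) // Employee-BYOD
}
```

An expired device certificate, or one issued by any CA other than the MDM's, lands in the guest role, which is the behaviour you want when an enrolled device is wiped or a non-enrolled phone shows up.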



  • 5.  RE: Guest Captive Portal - Certificate Authentication

    Posted Oct 24, 2017 12:52 PM

    I'll give that a go. Thank you for the quick response and ideas.