Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest Network Blacklist/MAC Filtering

  • 1.  Guest Network Blacklist/MAC Filtering

    Posted Feb 21, 2018 07:23 PM

    Hey all,

    Looking to implement a blacklist on our Guest SSID that will not allow our staff workstations to connect. The SSID is using captive portal for authentication, RADIUS for Secure SSID, no ClearPass.

    Ultimately, we're a Chrome OS shop internally, and we need to prevent Chrome devices from connecting to that network completely. The reason is that once they do connect, the devices prefer the open network over our secure wireless, and it is taking progressively more resources to revert the changes made by the users.

    I have a list of all staff device MAC addresses and it is actively maintained; I just need a way to prevent these addresses from connecting to the guest network. CLI would be preferred so that it could be automated through a script. Kind of an Aruba n00b, so please be verbose with your explanation/commands.

    Somewhat lost and unable to find anything in previous posts. Anyone have a script they're using that they would like to share? Or care to write one for this scenario?

    Thanks in advance.


  • 2.  RE: Guest Network Blacklist/MAC Filtering

    EMPLOYEE
    Posted Feb 21, 2018 07:25 PM
    You can just stamp an endpoint attribute when they successfully authenticate to your secure network and then add a rule in your guest enforcement policy that checks for the attribute.


  • 3.  RE: Guest Network Blacklist/MAC Filtering

    Posted Feb 21, 2018 07:56 PM

    Upon reading the info you provided, it appeared as though this would require ClearPass 6.0.x and above. Is it possible to add endpoint attributes without using ClearPass?

    It would be preferable to have a single command that would prevent a specified host/MAC address from connecting to one of our SSIDs, but allow it on all the others. I can script from there, just need the specific command for MAC filtering on a single SSID.