Security

Occasional Contributor II

Guest role when machine authentication fail

Dear All,

One of our clients requested that ClearPass be configured as below. All laptops that are associated with AD need only machine authentication. If machine authentication fails, the laptops should go to guest-logon (the guest captive portal should come up and they will be treated as guests). At the same time, the smartphones should go for user authentication (they should connect using their own AD username and password).

Here the guest captive portal is working fine, as per the Guest service.

I configured machine authentication and it is working fine. But once machine authentication fails, both the laptops and smartphones try user authentication (they are challenged for an AD username and password). Any idea?

Guru Elite

Re: Guest role when machine authentication fail

In principle, you would check in ClearPass to see if the device has passed user authentication, and you would return the aruba-user-role attribute of "guest-logon".


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor II

Re: Guest role when machine authentication fail

Thanks cjoseph for your response.

Here are the exact requirements from the client:

- If a laptop user fails machine authentication, a message should show up saying "contact IT department", instead of going to user authentication.
- If a smartphone user fails machine authentication, it should go to user authentication.

Is there any workaround for this?

Regards,

Shamz

Guru Elite

Re: Guest role when machine authentication fail

That is not a good flowchart. If this is 802.1X and a device fails authentication (machine or otherwise), it does not get an IP address, so there is nothing to redirect anywhere.

A device cannot be prompted to machine authenticate. It can attempt with a username of host/<machine name>. Again, if it fails, it doesn't get an IP address, so there is nothing to redirect.

If your customer wants an SSID ONLY for devices that can machine authenticate, they should only accept devices in the domain machines AD group and reject anything else.


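The enforcement logic the two replies describe (accept only machine authentications from computers in the domain group, let smartphones authenticate with their own AD credentials, return an Aruba-User-Role VSA on success, and plain Access-Reject for everything else, since a rejected 802.1X supplicant never gets an IP to be redirected) modelled as a small policy evaluator. This is an added example and not ClearPass code or anything posted in the thread; the AD accounts, machine credentials, user passwords, MAC addresses, profiler categories and role names are all constructed stand-ins for what ClearPass would look up in AD and its endpoint database.

```python
"""Constructed model of the enforcement policy discussed in the thread.

Not ClearPass code: the data below stands in for the AD lookups and the
endpoint cache that ClearPass would consult during a real 802.1X exchange.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed AD data: computer accounts in the domain machines group and the
# machine credential each presents, plus AD users with their passwords.
DOMAIN_COMPUTERS: Dict[str, str] = {
    "LAPTOP01$": "machine-secret-1",
    "LAPTOP02$": "machine-secret-2",
}
AD_USERS: Dict[str, str] = {"alice": "Winter2024!", "bob": "Spring2024!"}


@dataclass
class Request:
    username: str          # "host/LAPTOP01" for machine auth, "alice" for user auth
    password: str
    mac: str               # Calling-Station-Id of the supplicant
    device_category: str   # assumed profiler labels: "Computer" or "SmartDevice"


@dataclass
class Decision:
    result: str                      # "Access-Accept" or "Access-Reject"
    aruba_user_role: Optional[str]   # Aruba-User-Role VSA sent with an accept
    reason: str


class PolicyServer:
    """Minimal stand-in for the ClearPass service handling the 802.1X SSID."""

    def __init__(self) -> None:
        # MACs that have passed machine authentication. ClearPass records this
        # in its endpoint cache; here it is a plain in-memory set.
        self.machine_authenticated: Set[str] = set()

    def evaluate(self, req: Request) -> Decision:
        if req.username.lower().startswith("host/"):
            return self._machine_auth(req)
        return self._user_auth(req)

    def _machine_auth(self, req: Request) -> Decision:
        # A Windows supplicant presents host/<name>; the AD computer account is <NAME>$.
        account = req.username[len("host/"):].upper() + "$"
        if DOMAIN_COMPUTERS.get(account) == req.password:
            self.machine_authenticated.add(req.mac)
            return Decision("Access-Accept", "domain-machine",
                            "computer account is in the domain machines group")
        # Rejected supplicants never get an IP address, so there is no
        # captive-portal fallback to offer them; the reject is the answer.
        return Decision("Access-Reject", None,
                        "not a domain computer (or bad machine credential)")

    def _user_auth(self, req: Request) -> Decision:
        if AD_USERS.get(req.username) != req.password:
            return Decision("Access-Reject", None, "bad AD user credentials")
        if req.device_category == "SmartDevice":
            return Decision("Access-Accept", "employee-byod",
                            "smartphone authenticated with its own AD user")
        if req.mac in self.machine_authenticated:
            return Decision("Access-Accept", "employee",
                            "laptop passed machine and then user authentication")
        return Decision("Access-Reject", None,
                        "laptop without machine auth may not use user auth here")


def run_sample() -> List[Decision]:
    """Constructed sequence of authentications that exercises every branch."""
    server = PolicyServer()
    requests = [
        Request("host/LAPTOP01", "machine-secret-1", "aa:bb:cc:00:00:01", "Computer"),  # domain laptop
        Request("alice", "Winter2024!", "aa:bb:cc:00:00:01", "Computer"),             # same laptop, user logon
        Request("host/ROGUE-PC", "whatever", "aa:bb:cc:00:00:02", "Computer"),        # laptop not in the domain
        Request("bob", "Spring2024!", "aa:bb:cc:00:00:02", "Computer"),              # it tries user auth anyway
        Request("alice", "Winter2024!", "aa:bb:cc:00:00:03", "SmartDevice"),         # smartphone, AD credentials
        Request("alice", "wrong", "aa:bb:cc:00:00:03", "SmartDevice"),               # smartphone, bad credentials
    ]
    return [server.evaluate(r) for r in requests]


if __name__ == "__main__":
    for d in run_sample():
        print(d.result, d.aruba_user_role, "-", d.reason)
```

The third and fourth requests are the case the original poster wanted to redirect to a captive portal: the non-domain laptop is simply rejected at both attempts, which is the behaviour the reply recommends, because a supplicant that never receives an Access-Accept has no IP address for a redirect to act on. The "contact IT department" message would have to come from the client side (a supplicant or helpdesk notice), not from a role returned by the policy server.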