Security

Dear All,

One of cleinet requested to configure the clearpass as below. All laptopes which are ascociated with AD, need only mechine authentication. If mechine authentication fail, the laptos should go to guest-logon (guest captive portal should come up and will treat as guest). Same time the smart phones should go for user authentication (should connect by using own AD useranme and password).

Here the guest captive portal is working fine as per service for Guest.

I configured the mechine authentication and working fine. But once mechine authentication fail, both the Laptopes and smart phones are trying for user authentication (challenging for AD username and password). Any idea?

In principle, you would check in ClearPass to see if the device has passed user authentication, and you would return the aruba-user-role attribute of "guest-logon".  

Thamks cjoseph for your respnse.

Here the exact requirements fro the client;

- If a laptop user failed the mechine authentication, A message should show-up to "conatct IT department", istead of going to user authentication.
- if a smartphone user faild mechine authentication, it should go to user authentication

Is there any work around for this?

Reg,

Shamz

That is not a good flowchart.  If this is 802.1x, and a device fails authentication (machine or otherwise) it does not get an ip address, so there is nothing to redirect anywhere.

A device cannot be prompted to machine authenticate.  It can attempt with a username of host/<machine name>.  Again, if it fails, it doesn't get an ip address, so there is nothing to redirect.

If your customer only wants an SSID ONLY for devices that can machine authenticate, they should only accept devices in the domain machines AD group and reject anything else.