Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Non employee non standard laptop

  • 1.  Non employee non standard laptop

    Posted Apr 24, 2019 02:51 PM

    Hi. This is probably the last requirement, for wired access.

    For a few people, like some consultants/auditors connecting to wired, we need a mechanism to get them access to the captive portal but without authentication, which is possible using anonymous or auto. But as these users don't have domain credentials for login, this portal can even be used by some other people. We can make a separate URL for the captive portal for those users, but to avoid internal users or any other users using that dedicated captive portal, is there any other check which we can perform? Can we send that request to someone to approve first? Sponsor is not a requirement here.



  • 2.  RE: Non employee non standard laptop

    EMPLOYEE
    Posted Apr 24, 2019 02:54 PM
    Just put different buttons on the login page for different types of users.


  • 3.  RE: Non employee non standard laptop

    Posted Apr 24, 2019 03:01 PM

    Hi Tim ,

     

    Yes, thanks. I just checked: we can use SMS notification. But this can also be used by internal employees or by someone who knows the URL and has a mobile. I need a kind of authorization or dual factor for this category.



  • 4.  RE: Non employee non standard laptop

    EMPLOYEE
    Posted Apr 24, 2019 03:04 PM
    Use a self-registration with sponsor then.


  • 5.  RE: Non employee non standard laptop

    Posted Apr 24, 2019 03:14 PM

    Yes indeed, that's the only option. But the problem is:

    I want a normal captive portal for domain users having BYOD devices.

    So how to return two different portals? On what basis will I distinguish, because both have an external laptop: one is a domain user and the other is a non-domain user. So which captive portal to send is the problem.

    And as it's L3, can we directly provide the captive portal URL to the external consultant? Without getting an IP, will it work?



  • 6.  RE: Non employee non standard laptop

    Posted Apr 24, 2019 03:33 PM

    Any pointer in this direction, Tim? How to redirect two different captive portals of dot1x and MAB fails?

    Portal 1 for users using BYOD but who have domain credentials

    Portal 2 with Guest Sponsor for users using BYOD but who don't have domain credentials



  • 7.  RE: Non employee non standard laptop

    Posted Apr 24, 2019 03:47 PM

    Can we use a Static Host List with the MAC address of the external non-domain user in the captive portal service as an authorization source? In that case the web page will ask for a user name and password, but as the user has no domain credentials, how does the static host list work with the captive portal?



  • 8.  RE: Non employee non standard laptop

    Posted Apr 24, 2019 07:42 PM
    Hello,

    I am struggling to understand the requirements for this.

    You can indeed use a static host list as an authorisation source. Once users have passed authentication, you can use this list as an additional check. For example, once authentication is successful you can look in the list and have a service which says “if the authentication is successful and the MAC of the device is in this list, then assign this role”.

    For this to work as an authorisation source you will still require your authentication source to be an AD server for example. Once the user credentials are entered and accepted you will go onto authorisation.

    You can however use the static host list as an authentication source instead of an authorisation source and use MAC auth to check the list.

    If I have misunderstood your question, please let me know and I’ll try to explain better.

    Thanks
    Ben