Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Open Guest SSID with Captive Portal

  • 1.  Open Guest SSID with Captive Portal

    Posted Sep 22, 2015 01:00 PM

    Our guest network is currently configured as an open SSID with a captive portal. If a user is within range, their device tries to connect to the SSID. So in ClearPass Access Tracker, it shows several guest devices showing repeat rejections every few seconds and they continue until they open the captive portal and authenticate. The reason this setup was created initially was for ease of management. We have two different guest SSIDs hitting a single service in ClearPass. If you're an employee, you can log in with your AD creds. If you're a guest, we have a temp guest login that expires after 24 hours and we change the password monthly within ClearPass.

    I am wondering if there's a better way to lock down the guest account to keep the several transactions from generating within Access Tracker and creating an unnecessary load on the server without adding the extra management.



  • 2.  RE: Open Guest SSID with Captive Portal

    EMPLOYEE
    Posted Sep 22, 2015 01:03 PM
    If you are doing captive portal auth with MAC-caching, there is no way to avoid the initial rejects for unknown users. 


    Thanks, 
    Tim


  • 3.  RE: Open Guest SSID with Captive Portal

    Posted Sep 22, 2015 01:08 PM

    The initial rejects I understand.  I am more focused on the repeat rejects.  Each device keeps retrying every few seconds.  If it tries once and stops, then I would be pleased.



  • 4.  RE: Open Guest SSID with Captive Portal

    EMPLOYEE
    Posted Sep 22, 2015 01:12 PM
    Does the device get the captive portal immediately after associating? 


    Thanks, 
    Tim


  • 5.  RE: Open Guest SSID with Captive Portal

    Posted Sep 22, 2015 01:22 PM

    As soon as they manually open a browser.  Some users don't actually connect to the SSID, they just have their devices within the range such as their smartphone or tablet.  They may not be using it, but it's still trying to authenticate to the open SSID.