At the moment our general users have an ACL policy that blocks client <-> client traffic. If a user registers an "AirGroup aware" device in ClearPass Guest, then both the device and any dot1x-authenticated device are assigned an "airgroup_devices" role. In addition to the normal ACL set, this role has some userrole <-> userrole entries that allow port-based client-to-client communication.
When used in conjunction with the AirGroup functionality of the controller, a user can cast from our eduroam network onto our PSK device network while other users have the standard ACLs applied, and it all works... except...
...what you've got are multiple users/devices all using the same "airgroup_devices" role, so they've all got those ports open to everyone.
What would be nice is if we could restrict traffic so that any devices that log onto a WPA2/3 network using a particular user ID could have an ACL set applied to all devices authenticated by that user ID, or ClearPass Guest devices that have the same sponsor name. Effectively they've got their own private VLAN for their own devices... and no one else can see them.
I'm sort of thinking either of an extension to the ArubaOS 8 userrole where you can define an ACL template, and then when a user ID logs on a dynamic role gets created, e.g. alexs-123, that uses the template.
The userrole command could then be expanded to only work for clients using the dynamic role.
Or possibly some sort of Q-in-Q setup where each user gets their own VLAN within a VLAN...
Unless anyone else can suggest another way to really restrict traffic based upon authentication credentials.
Rgds
Alex
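As an added illustration (not part of Alex's post, and not ArubaOS configuration), the following Python model compares the shared-role policy the post describes with the proposed per-identity role; the device names, owner IDs and role names are constructed for the example.

```python
# Added example: a model of the two client-to-client policies discussed above.
# It is not ArubaOS configuration; device records, owner ids and the
# "general_user" role name are constructed for illustration.
from dataclasses import dataclass
from itertools import permutations

@dataclass(frozen=True)
class Device:
    name: str
    owner: str   # dot1x user ID or ClearPass Guest sponsor name
    role: str    # "airgroup_devices" (from the post) or constructed "general_user"

# Constructed sample device table.
DEVICES = [
    Device("alex-laptop", "alexs", "airgroup_devices"),
    Device("alex-chromecast", "alexs", "airgroup_devices"),
    Device("bob-phone", "bobb", "airgroup_devices"),
    Device("carol-laptop", "carolc", "general_user"),
]

def current_policy_allows(src: Device, dst: Device) -> bool:
    """Shared role: any two airgroup_devices members may talk on the opened ports."""
    return src.role == "airgroup_devices" and dst.role == "airgroup_devices"

def per_identity_policy_allows(src: Device, dst: Device) -> bool:
    """Proposed dynamic role per identity: only devices of the same owner may talk."""
    return (src.role == "airgroup_devices" and dst.role == "airgroup_devices"
            and src.owner == dst.owner)

def allowed_pairs(policy, devices=DEVICES):
    """All ordered (src, dst) device pairs the policy permits."""
    return sorted((a.name, b.name) for a, b in permutations(devices, 2) if policy(a, b))

def cross_owner_pairs(policy, devices=DEVICES):
    """Permitted pairs between different owners: the exposure the post describes."""
    by_name = {d.name: d for d in devices}
    return [(a, b) for a, b in allowed_pairs(policy, devices)
            if by_name[a].owner != by_name[b].owner]

if __name__ == "__main__":
    for label, policy in (("current", current_policy_allows),
                          ("per-identity", per_identity_policy_allows)):
        print(f"{label}: cross-owner pairs = {cross_owner_pairs(policy)}")
```

Under the shared role every AirGroup device can reach every other one, while the per-identity policy leaves no cross-owner pairs.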