Security

Would it be possible to have a single SSID configured to handle secure wpa2 authentication as well as open authentication to redirect guests to a captive portal?

No, what you can have is a 802.1X that could redirect user to a captive portal but this will fm happen after the username/password has been provided.

PEAP-Public is an option.

 

Instead of a PSK, the user would enter the key as both the username and password. You could then direct them to a captive portal to register.

 

It's not open, but is a public access method with enables their traffic to be encrypted.

 

Otherwise you will need to use two SSIDs.

 

 

Thank you for the responses!  I did want to further expand on what we are trying to accomplish as my first post was rather rushed.  Essentially, we want users to connect to a single SSID and use ClearPass as the decision maker as to whether or not they will utilize EAP-TLS (with certificates) or be sent to a captive portal if they do not to register as a guest user (or login with AD credentials).

 

From what I have seen, I believe we would still need multiple SSID's, but I wanted to confirm that is the case.

Yes, EAP authentication would need to happen before ClearPass can make a decision. Sounds like two SSIDs will be necessary for your environments.