Contributor I

Self-service guest question

Hi,

We are looking to implement two networks using ClearPass

1.  Network for guests, which they access using the Self-Service capabilities of ClearPass

2.  Network for employees, who will on-board their device and connect via EAP-TLS.

Question is, is there a way to stop my corporate users accessing the self-service guest network?

Re: Self-service guest question

You can, but you will either have to register the device on the corporate SSID first or use a static host list to check against to see if it's a known device.
Thank You,
Troy

Guru Elite

Re: Self-service guest question

You could try a role map that checks the Onboard status and returns the Deny role if the device is managed:

 

onboard-yes.PNG


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Self-service guest question

OK, so once the device is enrolled, I can have that database checked each time someone tries to access the Self-Service guest network, and if that device has been enrolled, they won't be allowed to connect?

If the above is true, can we return them a web page to tell them to connect to the corporate SSID?

Guru Elite

Re: Self-service guest question

Yes, but instead of a deny, create an enforcement profile that returns a
captive portal role to the controller.



Contributor I

Re: Self-service guest question

So by returning that role, would the new page automatically appear on the user's device?

Guru Elite

Re: Self-service guest question

The enforcement policy would trigger a change of authorization that would
boot the and bring them into the new role. When the user tries to access a
website, they would be redirected to a captive portal.

We do this with students who violate DMCA or AUP.
