Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Use 1 SSID for different types of authentication

  • 1.  Use 1 SSID for different types of authentication

    Posted Oct 31, 2019 11:13 AM

    I was wondering if it is possible in ClearPass to work with 1 SSID for Wireless, and follow some steps in Authentication, like first check if 802.11X works, then check if MAC is authenticated and as last resort offer a guest portal for registration if it is an unknown device.

    Is this possible, or would you advise to work with 2 SSIDs? Thanks in advance!



  • 2.  RE: Use 1 SSID for different types of authentication

    Posted Oct 31, 2019 11:39 AM

    It's possible, but what is the need to do this?

    But MAC authentication would be done first and then 802.1X for the layer 2 aspect.

    And the captive portal would be the layer 3 aspect of the authentication.

    Again, this is not recommended.



  • 3.  RE: Use 1 SSID for different types of authentication

    Posted Oct 31, 2019 11:43 AM

    Thanks for your reply!

    We're testing the possibilities with ClearPass to eventually implement in an existing network, and thought that it would be useful to have 1 Wireless SSID instead of 3 now.

    Is there a specific reason why you wouldn't recommend this method?



  • 4.  RE: Use 1 SSID for different types of authentication

    Posted Oct 31, 2019 12:43 PM

    Let me explain,

    MAC Auth - Authenticates the device with its MAC

    802.1X - Authenticates the wireless client (a client who has not received an IP address yet)

    MAC auth and 802.1X are Layer 2 authentication methods.

    Captive portal - Authenticates the wireless user (a client who has received an IP address) - Layer 3 authentication

    A combination of Layer 3 and one Layer 2 method is ideal and secure. Having more than that is not needed, hence not recommended.

    It just increases the time for a client to get intended network access if the combination of all three is used.



  • 5.  RE: Use 1 SSID for different types of authentication

    EMPLOYEE
    Posted Oct 31, 2019 04:26 PM

    Just to make one thing clear: you can combine those authentication methods in one SSID, but the client needs to pass all of them. If, for example, the dot1x authentication fails, the user will not be able to get to the captive portal.



  • 6.  RE: Use 1 SSID for different types of authentication

    Posted Nov 01, 2019 04:43 AM

    I always advise to work with a 2 or 3 SSID network. Choose the SSIDs based on the authentication method, not based on the purpose of the SSID.

    So 1 for each:

    - 802.1X for employees

    - PSK in combination with MAC-auth for devices

    - Open SSID for guest (optional), or they can use the PSK network; the unknown devices will receive a captive portal to register/login, and the known devices are given a role on the network based on MAC-auth in ClearPass.



  • 7.  RE: Use 1 SSID for different types of authentication

    EMPLOYEE
    Posted Nov 01, 2019 10:35 AM

    @Fabian Klaring wrote:

    I always advise to work with a 2 or 3 SSID network. Choose the SSIDs based on the authentication method, not based on the purpose of the SSID.

    So 1 for each:

    - 802.1X for employees

    - PSK in combination with MAC-auth for devices

    - Open SSID for guest (optional), or they can use the PSK network; the unknown devices will receive a captive portal to register/login, and the known devices are given a role on the network based on MAC-auth in ClearPass.


    This is the recommendation and I always do it that way. Separate the SSIDs based on the authentication method and separate users by roles.