Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User authorization in different SSID

  • 1.  User authorization in different SSID

    Posted Jul 08, 2013 09:30 AM

    Hi all. Is it possible to let a user authenticate in one SSID and deny him authorization in another SSID?

    I have Aruba ClearPass with 2 login portals for different SSIDs. So, if I create a guest user in the ClearPass database, he can authorize in both SSIDs. How can I separate users by SSID in ClearPass?



  • 2.  RE: User authorization in different SSID

    Posted Jul 08, 2013 02:22 PM

    Absolutely,

    Use the Aruba VSA (Vendor Specific Attribute) Aruba-ESSID-Name in your ClearPass Service Definition to uniquely qualify the inbound RADIUS request to a service.

    In the example below we match that the ESSID must match "CSC-Clearpass", but you can also use the CONTAINS or BEGINS_WITH operators if you have a naming construct that makes it easy to match (or use REGEX).

    [attached screenshot: 07-08-2013-14-20-40-000.jpg]



  • 3.  RE: User authorization in different SSID

    Posted Jul 08, 2013 02:24 PM

    Additionally, realize that in 6.x ClearPass the user is in the Guest Repository. You can use the Guest Repository for one service (under the Authentication Sources for that service) and other Authentication Sources for other services (like A/D via LDAP for your corporate/non-guest network).



  • 4.  RE: User authorization in different SSID

    Posted Jul 09, 2013 06:56 AM

    Thanks, but it's not working. The attribute Aruba-essid-name should be attached to the user (not to the service). When somebody connects to the network, the Aruba controller sends an attribute to the RADIUS server with the SSID name the user connected to. I mean if user1 connects to the network SSID1, the controller will send Aruba-essid-name=SSID1; if the same user connects to SSID2, the controller will send Aruba-essid-name=SSID2. But user1 will authorize in both networks because ClearPass has a shared user database.

    Is it possible to separate guest users by SSID attribute in this database? I.e. if guest user USER1 has attribute SSID1, he will authorize in SSID1 only and not in SSID2. Or can I create different databases in ClearPass for user authentication and authorization?



  • 5.  RE: User authorization in different SSID

    Posted Jul 09, 2013 07:32 AM

    You can probably create two services, each matching SSID1 and SSID2, and, let's say you want to use the Endpoint Repository database, you could state that if the device is KNOWN then deny access for the particular SSID that you don't want the user to use.

    This is one of the ways you could accomplish that.

    [attached screenshot: ClearPass Policy Manager - Aruba Networks_2013-07-09_07-29-02.png]



  • 6.  RE: User authorization in different SSID

    Posted Jul 10, 2013 09:19 AM

    Add an additional object in the Guest Operator page.

    Username: F1user1

    Visitor Password: ************

    Session Limit: 60

    Floor: F1

    Drop-down box, e.g. Floor: F1 / F2 / F3

    When you create a user account, choose the respective floor to be assigned.

    In the CPPM you will create a Wireless Service and add Service Type: "Radius:IETF of AP GROUP : 1" (pertaining to APs located at Floor 1).

    In the Role:

    GuestUser [Role ID] EQUALS 1

    and GuestUser Location EQUALS F1    ->    GUEST ACCESS

    Enforcement:

    Tips:Role EQUALS GUEST ACCESS    ->    Allow Access

    This is what we did in the lab and it is working. I can't picture the exact configuration, but this is what we did.

    Regards,

    Me



  • 7.  RE: User authorization in different SSID

    Posted Jul 10, 2013 10:38 AM

    You can also use the service type based on SSID posted by billcarjr and use the role and enforcement policy I posted. My solution is based on the same SSID but the AP is in a different location.



  • 8.  RE: User authorization in different SSID

    Posted Aug 09, 2013 11:30 AM

    You could also use roles in the Local User or Guest Repository to assign internal CPPM roles such as Guest-SSID1, Guest-SSID2 and/or Guest-BothSSIDs.

    Then in the enforcement profile allow access for the Tips:Role=(some role) that matches the ESSID(s) and deny access for the others...
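The thread as a whole describes one decision flow: the controller sends Aruba-ESSID-Name in every RADIUS request (post 4), a service definition classifies the request on that VSA with EQUALS / CONTAINS / BEGINS_WITH / REGEX (post 2), and a per-user role stored in the Guest Repository (Guest-SSID1, Guest-SSID2, Guest-BothSSIDs, post 8) is what the enforcement policy allows or denies. The following is an added Python model of that flow, not ClearPass code or any Aruba API; the guest accounts, passwords, SSID names and service names are constructed for illustration, and the dict-based request stands in for the RADIUS packet.

```python
import hmac
import re

# Constructed Guest Repository: each guest account carries one internal
# CPPM-style role, as post 8 proposes (assumed names, not real accounts).
GUEST_REPOSITORY = {
    "user1": {"password": "pw-user1", "role": "Guest-SSID1"},
    "user2": {"password": "pw-user2", "role": "Guest-SSID2"},
    "user3": {"password": "pw-user3", "role": "Guest-BothSSIDs"},
}

# Service definitions, evaluated in order; the first rule that matches the
# inbound request wins (post 2). Each service lists the Tips:Role values its
# enforcement policy allows; every other role is denied (post 8).
SERVICES = [
    {"name": "Guest SSID1 Service", "attr": "Aruba-ESSID-Name",
     "op": "EQUALS", "value": "SSID1",
     "allowed_roles": {"Guest-SSID1", "Guest-BothSSIDs"}},
    {"name": "Guest SSID2 Service", "attr": "Aruba-ESSID-Name",
     "op": "EQUALS", "value": "SSID2",
     "allowed_roles": {"Guest-SSID2", "Guest-BothSSIDs"}},
]

# The four operators named in post 2, modelled as plain predicates.
OPERATORS = {
    "EQUALS": lambda actual, expected: actual == expected,
    "CONTAINS": lambda actual, expected: expected in actual,
    "BEGINS_WITH": lambda actual, expected: actual.startswith(expected),
    "REGEX": lambda actual, expected: re.search(expected, actual) is not None,
}


def classify_service(request):
    """Pick the service whose rule matches the request's VSA, or None."""
    for svc in SERVICES:
        actual = request.get(svc["attr"])
        if actual is not None and OPERATORS[svc["op"]](actual, svc["value"]):
            return svc
    return None


def authorize(request):
    """Return (decision, reason) for a RADIUS-style request dict.

    The request is expected to carry User-Name, User-Password and the
    Aruba-ESSID-Name VSA that the controller adds (post 4).
    """
    svc = classify_service(request)
    if svc is None:
        return ("REJECT", "no service matched the request")

    user = GUEST_REPOSITORY.get(request.get("User-Name", ""))
    supplied = request.get("User-Password", "")
    # Constant-time comparison so the password check does not leak timing.
    if user is None or not hmac.compare_digest(user["password"], supplied):
        return ("REJECT", f"{svc['name']}: authentication failed")

    # Authentication succeeded on the shared database; authorization is what
    # separates the SSIDs, exactly the gap post 4 describes.
    role = user["role"]
    if role in svc["allowed_roles"]:
        return ("ACCEPT", f"{svc['name']}: Tips:Role={role} allowed")
    return ("REJECT", f"{svc['name']}: Tips:Role={role} denied")


def demo():
    """Run the constructed cases from the thread and return the decisions."""
    cases = {
        "user1 on SSID1": {"User-Name": "user1", "User-Password": "pw-user1",
                           "Aruba-ESSID-Name": "SSID1"},
        "user1 on SSID2": {"User-Name": "user1", "User-Password": "pw-user1",
                           "Aruba-ESSID-Name": "SSID2"},
        "user3 on SSID2": {"User-Name": "user3", "User-Password": "pw-user3",
                           "Aruba-ESSID-Name": "SSID2"},
        "user2 wrong pw": {"User-Name": "user2", "User-Password": "nope",
                           "Aruba-ESSID-Name": "SSID2"},
        "unknown ESSID": {"User-Name": "user1", "User-Password": "pw-user1",
                          "Aruba-ESSID-Name": "Corp"},
    }
    return {label: authorize(req)[0] for label, req in cases.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:16s} -> {decision}")
```

The point the model makes explicit is the one post 4 stumbled on: with a single Guest Repository, authentication succeeds on both SSIDs no matter what, so the split has to happen in the service-to-role-to-enforcement chain, not in the credential check. Swapping the EQUALS operator for BEGINS_WITH or REGEX on a service lets one rule cover a family of ESSIDs, as post 2 notes.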