Occasional Contributor I

User authorization in different SSID

Hi all. Is it possible to make user can authenticate in one SSID and deny to authorize him in other SSID?


I have aruba clearpass with 2 login portals for different SSIDs. So, if I create guest user in clearpass database - he can authorize in both SSIDs. How can I separate users by SSID in clearpass?

Contributor II

Re: User authorization in different SSID



Use the Aruba VSA (Vendor Specific Attribute) Aruba-ESSID-Name in your ClearPass Service Definition to uniquely qualify the inbound RADIUS request to a service.   


In the example below we match that the ESSID must match "CSC-Clearpass", but you can also use the CONTAINS or BEGINS_WITH operators if you have a naming construct that makes it easy to match (or use REGEX).



Contributor II

Re: User authorization in different SSID

Additionally realize that in 6.x Clearpass, the user is in the Guest Repository,    You can use the Guest Repository for one service (under the Authentication Sources for that service) and other Authentication sources for other Services (like A/D via LDAP for your corporate/non-guest network).


Occasional Contributor I

Re: User authorization in different SSID

Thanks, but it's not working. Attribute Aruba-essid-name should be attached to the user (not to the service). When somebody connect to the network aruba controller send attribute to the radius server with ssid name which user connected. I mean if user1 connect to the network SSID1 - controller will send Aruba-essid-name=SSID1, if the same user will connect to the SSID2 - controller will send Aruba-essid-name=SSID2. But user1 will authorize in both networks cause ClearPass have shared user database.


Is it possibe to separate guest users by SSID attribute in this database? I.e. if guest user USER1 have attribute SSID1 - he will authorize in SSID1 only and not in SSID2. Or can I create different databases in ClearPass for user authentication and authorization?

Re: User authorization in different SSID


You can probably create two services each matching SSID1 and SSID2 and let's say you want to use Endpoint repository database you could state that if the device is KNOWN then to deny access for the particular SSID that you don't want the user to use.


This one of the ways to could accomplish that


ClearPass Policy Manager - Aruba Networks_2013-07-09_07-29-02.png

Thank you

Victor Fabian
Lead Mobility Architect @WEI
Contributor I

Re: User authorization in different SSID

Add additional object in the Guest Operator Page.

Username: F1user1

Visitor Password: ************

Session Limit: 60

Floor: F1


Drop down box ex. Like Floor :  F1




When you create a User account. choose the respective floors to be assign

In the CPPM you will create a Wirelss Service  and add Service Type:  "Radius:IETF  of AP GROUP : 1 "( pertaining to ap located at Floor 1)


in the ROLE


GuestUser [Role ID] EQUALS 1

and GuesUser Location EQUALS F1                                  GUEST ACCESS



Tips Role Equals GUEST ACCESS       Allow Access



This is what we did on the lab and working. i cant picture out the exac configuration but this is what we did.







Contributor I

Re: User authorization in different SSID

 you can also used service type base on SSID posted by billcarjr and used the role and enforcement policy i posted. My solution is base on same SSID but AP is in different location.

Contributor II

Re: User authorization in different SSID

You could also use roles in the Local User or Guest Repository to assign internal CPPM roles such as Guest-SSID1, Guest-SSID2 and/or Guest-BothSSIDs.


Then in the enforcement profile allow access for the Tips:Role=(some role) that matches the ESSID(s) and deny access for the others...

Search Airheads
Showing results for 
Search instead for 
Did you mean: