Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Using ClearPass Guest for multiple authentication methods and policies on a single SSID

  • 1.  Using ClearPass Guest for multiple authentication methods and policies on a single SSID

    Posted Mar 11, 2015 05:49 PM

    Hi All,

    I'm new to AirHeads, but have had extensive experience implementing Aruba about a decade ago. :) I'm about to advise on an implementation where we have three different use cases using ClearPass for guest access, and I'd like to do it on a single SSID. Let's just say the SSID is "Guest" and I want to be able to authenticate contractors who need access to the corporate Internet connection with no bandwidth restrictions and no timeout on their credentials and session (i.e. don't need to reauthenticate every day through a captive portal). The second use case is employees using personal devices that we want to push to a cheap and cheerful best effort broadband connection. We would want to apply policy to restrict bandwidth for the employees with personal devices. Both of these use cases could use PEAP to authenticate against AD credentials. The last use case is true guests/visitors that we would use a captive portal to authenticate using phone number with SMS/text for password or social login. This group would have 12 hours of access before they have to reauthenticate, would have pretty strict bandwidth throttling, and would use the best effort broadband connection.


    I assume this is do-able with ClearPass, but we would have done it with different SSIDs in the old days. I have the ClearPass User Manual, but I'm not super eager to sift through all 587 pages to find what I'm looking for. Any advice or a nudge in the right direction would be greatly appreciated.


    Thanks,

    Mark



  • 2.  RE: Using ClearPass Guest for multiple authentication methods and policies on a single SSID

    Posted Mar 11, 2015 06:26 PM

    You could do this with a single SSID.

    One quick question: are you providing contractors an account ahead of time, either a Guest Account (Contractor TIPS Role) or using AD?


    In the same Captive portal you could do the following:

    - Guest Registration 

    - A link to allow Employees to authenticate using AD credentials and based on that you can send a user-role/VLAN to the controller

    - Use the same link for Employees to authenticate Contractors against AD or local database and then send a user-role/VLAN to the controller


    You can use the Guest MAC Auth service template to create this.




  • 3.  RE: Using ClearPass Guest for multiple authentication methods and policies on a single SSID

    Posted Mar 11, 2015 06:40 PM

    Thanks, Victor! Awesome answer - kind of what I expected, but didn't know what the implementation looked like. We would give long-term contractors an AD account, so they could use that. We could dump them into a role, assign them to a VLAN, and apply PEF rules to restrict to, say, ports 80 and 443 restricted to the IP of the firewall to keep them off the internal LAN, right?


    Thanks again,

    Mark



  • 4.  RE: Using ClearPass Guest for multiple authentication methods and policies on a single SSID

    Posted Mar 11, 2015 06:46 PM

    Correct.

    Keep in mind that if you use just one SSID, all your traffic will be unencrypted (Employees, Contractors) except for HTTPS traffic.
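    For the contractor case agreed on above (AD-authenticated users dropped into a role whose PEF rules only allow ports 80 and 443 to the firewall), the ArubaOS session ACL and user-role would look roughly like the following. This is an added example, not config from the thread or from Aruba; the role and ACL names are assumptions, 192.0.2.1 stands in for the firewall's address, and the DHCP and DNS lines are assumed because clients cannot reach the firewall without them.

    ```text
    ! Added example (not from the thread): ArubaOS session ACL and role
    ! for long-term contractors. 192.0.2.1 is a placeholder for the firewall.
    ip access-list session contractor-internet
      ! Clients still need an address and name resolution.
      user any svc-dhcp permit
      user host 192.0.2.1 svc-dns permit
      ! Only web traffic, and only towards the firewall.
      user host 192.0.2.1 svc-http permit
      user host 192.0.2.1 svc-https permit
      ! Everything else, including the internal LAN, is dropped.
      user any any deny
    !
    user-role contractor
      access-list session contractor-internet
    ```

    ClearPass returns the role name (here "contractor") to the controller in its enforcement profile, so the same AD credentials used on the captive portal link end up bound to this ACL rather than the guest one.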




  • 5.  RE: Using ClearPass Guest for multiple authentication methods and policies on a single SSID

    Posted Mar 11, 2015 07:02 PM

    Okay, I should have asked about that. So if I wanted to use PEAP for the contractors and employee personal devices, I can't do that on the same SSID as the true guest/captive portal SSID. Sorry to keep bugging you, Victor, and thanks again for the quick replies, but if I put the contractors and employees on a separate SSID that uses PEAP, I probably don't really need CPPM to drop them into roles and apply policies, do I? We would still use it for guests, but since we can do PEAP for those users because they have AD credentials, we might be able to save some money on CP licenses.


    Thanks,

    Mark



  • 6.  RE: Using ClearPass Guest for multiple authentication methods and policies on a single SSID

    Posted Mar 11, 2015 07:26 PM
    In that case you need a separate SSID. In terms of using or not using ClearPass, I think it depends on how granular you want to get with the type of access you want to provide.

    With ClearPass you make decisions based on different types of context; there's more flexibility with the type of access you can assign.


  • 7.  RE: Using ClearPass Guest for multiple authentication methods and policies on a single SSID

    EMPLOYEE
    Posted Mar 12, 2015 09:21 AM

    You could also use EAP-PEAP-Public on your guest network which would be similar to a PSK but allows for dynamic, per-client encryption keys.


    You could then use guest with sponsored registration for the contractors so you don't have to worry about creating AD accounts for them.



  • 8.  RE: Using ClearPass Guest for multiple authentication methods and policies on a single SSID

    Posted Mar 11, 2015 11:13 PM
    We're testing mobile PoS with ClearPass, using OnBoard & EAP-TLS for iPods & local user/pass on CP for wireless receipt printers on the same SSID on IAP. The printer role is severely restricted by PEF, so weaker auth is okay for us.