Security

Hi all, I have a unique scenario that i need some assistance on.  A little background first.  We run Cisco switches throughout the environment and they are running NAC using Juniper as the NAC manager.  We also provide wired and wireless guest for devices that need it.  There is a separate Juniper firewall that handles those guest services and it is being phased out.  We have Aruba controllers for wireless and i just finished installing the clearpass servers and am now using clearpass for our wireless guest solution and it works great.  

My problem is with the wired guest piece.   Since clearpass is not doing the NAC on the switchports, it makes things a little more difficult.  On top of that the guest vlan users get placed into after failing nac and mab is multiple hops away from the controllers.  My thought was if a user gets placed in the guest vlan, the traffic is tunneled back to the Aruba controllers as a wired guest and is placed in an untrusted vlan and gets captive portaled by clearpass for guest registration.  I have the policies built and it works.   

The problem i have is some devices are purposely put on this guest vlan, like some devices in our mail room.  These devices can't get captive portaled though.  so i need to somehow automatically change the user role of these devices once the hit the controller.  This is where the problem lies, I have to do it based on IP address and not MAC address. Since the controllers are multiple hops awawy, the MAC address that shows up in user table on the aruba controllers is that of the Cisco switch it is attached too.  So i never see the real MAC of the client, but i do see the IP address.  When i look in access tracker, it shows up as the Framed-IP and i have the services built on that.  

So the question is, is there a way to have roles changed based on the IP.  I need the role essentially changed before captive portal'ing would happen.  Everything i've seen and read online says it needs the MAC address, but again i can't do that. 

Maybe there is a different better way than what i'm doing.   I'm currently doing a controller initiated. I dont have a ton of experience in clearpass.  But one thing i read was to maybe try it as server initiated and maybe bypass the aruba controllers and its just a switch to clearpass connection?  

Thanks for the direction.   I found this small guide online that i was following.

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Do-we-need-to-disconnect-Aruba-VPN-user-after-health-posture/ta-p/233635

When i connect my test laptop to the guest network i still get prompted for the captive portal.  Looking at the access tracker, i see the MAC of the cisco switch, not the framed ip.

Status MessageRadius Wired-Guest Approved Guest COA failed for client 0017df8f1800

RADIUS CoA AttributesFilter-Id = wired-guest-approved

My policy is as followed:

I changed it from the Connection:Client-IP-Address to Radius:IETF:Framed-IP-Address and still doesn't work.   The access tracker shows the mac still but added the framed ip.

When i go into access tracker and try and do a change status and redo the COA i get an insufficent parameters received.  

I verify on the aruba controller that the aaa profile has the clearpass servers added on thr rfc3576 tab, as well as in the via authentication default profile. not sure if that one matter or not.