Occasional Contributor II

Wired Guest Access

Hello everyone!

A customer wants users to do 802.1X authentication on wired access with ClearPass.

If the 802.1X authentication doesn't work (for a guest user, for example), then the user is redirected to the ClearPass captive portal.

Can someone please explain to me how I can do that?

Thanks all for your help!





Guru Elite

Re: Wired Guest Access

Did you look at the ClearPass Solution Guide for Wired Policy Enforcement?

Tim Cappalli | Aruba Security
@timcappalli | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Wired Guest Access

Hello!

Thank you very much for your reply.

I read some parts of it. I found how to do 802.1X with wired access. I found how to do captive portal with wired access.

But I don't know how the fallback mechanism works: if 802.1X doesn't succeed, we perform web auth...

Guru Elite

Re: Wired Guest Access

It’s all on the switch side.

Tim Cappalli | Aruba Security
@timcappalli | ACMX #367 / ACCX #480

Re: Wired Guest Access

What kind of switches do you use?


For Cisco you can do something like this:

interface GigabitEthernet1/0/35
 switchport access vlan 100
 switchport mode access
 authentication host-mode multi-domain
 ! try 802.1X first, then fall back to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 ! enable MAB on the port; the mab method in the order above needs it
 mab
 dot1x pae authenticator
 ! short 802.1X timers so clients without a supplicant reach MAB quickly
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 15
 dot1x max-reauth-req 1
 spanning-tree portfast

MAB is the key there, as it's MAC address bypass, which in essence is MAC auth. So on failed dot1x it will do MAB, and here you will return the attributes from ClearPass which trigger the redirect ACL. Once redirected and authenticated, you use RADIUS CoA to change the ACL for the client.

John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
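
Added example (not part of the original post and not vendor tooling): a small Python check that a port stanza has what the 802.1X-to-MAB fallback described above needs, and how long a client that never answers 802.1X waits before MAB starts. The sample stanza is constructed, the IOS timer defaults (30 s tx-period, 2 retries) are assumptions, and the helper names are hypothetical.

```python
# Added example: audit a Cisco IOS access-port stanza for 802.1X -> MAB fallback.
# CONSTRUCTED sample modelled on the thread's stanza; the interface-level `mab`
# line is included because IOS needs it before the mab method can run.
SAMPLE = """\
interface GigabitEthernet1/0/35
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
"""

# Assumed IOS defaults, used when the timers are not configured explicitly.
DEFAULT_TX_PERIOD = 30
DEFAULT_MAX_REAUTH_REQ = 2

REQUIRED = {
    "authentication port-control auto": "port is not under authentication control",
    "dot1x pae authenticator": "802.1X authenticator role is not enabled",
    "mab": "MAB is not enabled, so a failed 802.1X has no fallback method",
}

def subcommands(stanza):
    """Interface sub-commands with whitespace normalised; '!' comments skipped."""
    lines = (" ".join(l.split()) for l in stanza.splitlines() if l[:1].isspace())
    return [l for l in lines if l and not l.startswith("!")]

def last_int(cmds, prefix, default):
    """Trailing integer of the last command starting with prefix, else default."""
    values = [int(c.split()[-1]) for c in cmds if c.startswith(prefix + " ")]
    return values[-1] if values else default

def audit(stanza):
    """Return (findings, seconds a silent client waits before MAB starts)."""
    cmds = subcommands(stanza)
    findings = [msg for cmd, msg in REQUIRED.items() if cmd not in cmds]
    order = [c.split()[2:] for c in cmds if c.startswith("authentication order ")]
    if not order or order[-1][:2] != ["dot1x", "mab"]:
        findings.append("authentication order does not start with 'dot1x mab'")
    tx = last_int(cmds, "dot1x timeout tx-period", DEFAULT_TX_PERIOD)
    retries = last_int(cmds, "dot1x max-reauth-req", DEFAULT_MAX_REAUTH_REQ)
    # The EAP identity request is sent (retries + 1) times, tx seconds apart.
    return findings, tx * (retries + 1)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

With the timers from the thread (tx-period 10, max-reauth-req 1) a guest without a supplicant waits about 20 seconds before MAB, and therefore the redirect, kicks in.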
Contributor I

Re: Wired Guest Access

If you use Aruba switches you can send an enforcement profile on authentication failure with the captive portal URL (based on HPE VSAs):


HPE-Captive-Portal-URL (24)


Be sure to enable captive portal in the switch.


Also a couple of downloadable ACLs are required to block all traffic except DNS, DHCP and 80/443 to ClearPass.

Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE
Occasional Contributor II

Re: Wired Guest Access

Thank you all for your answers!

The customer has Extreme switches. I looked for documentation but I didn't find anything yet.

Guru Elite

Re: Wired Guest Access

If only there was a doc that covered this step by step ;)

Tim Cappalli | Aruba Security
@timcappalli | ACMX #367 / ACCX #480