Wired Intelligent Edge

802.1x Switch Configuration

  • 1.  802.1x Switch Configuration

    Posted Oct 08, 2013 10:09 AM

    Hi All,

     

    I've configured 802.1x auth on some switch ports in my lab and I'm using Clearpass as the RADIUS server using AD as the source. I've got Clearpass configured to pass a role back to the switch if authentication is successful and that works great.

    Next step is to allow guests to plug in and for them to be assigned a different role, let's say the guest role.

    I don't want to do tunneled node as I don't want the potential extra overhead on my controller. I know in my lab this won't be an issue but for customers there's potential that it could be, depending on certain factors.

    Is this possible to do?

    At the moment, when my "guest laptop" plugs in it fails authentication, enforcement policies are ignored and it stays in the logon role on the switch.


    Cheers

    James



  • 2.  RE: 802.1x Switch Configuration

    EMPLOYEE
    Posted Oct 08, 2013 10:12 AM

    Do you want them to go through a registration process or just allow them on with a limited role?



  • 3.  RE: 802.1x Switch Configuration
    Best Answer

    EMPLOYEE
    Posted Oct 08, 2013 10:12 AM

    James,

    You'll want to create a MAC-Auth service that is configured to allow all MAC and in the enforcement policy, if it is an unknown MAC, pass back a role of Guest (or whatever name you chose). I'll post some screenshots of what I mean a little later today.

     

    Best regards,

     

    Madani



  • 4.  RE: 802.1x Switch Configuration

    Posted Oct 08, 2013 10:17 AM

    Hi,

     

    I don't want them to register, just be placed into a particular role.

     

    Screenshots would be perfect. :)



  • 5.  RE: 802.1x Switch Configuration

    EMPLOYEE
    Posted Oct 08, 2013 10:36 AM

    Just make the initial role "guest".  Upon a failed auth, they will be assigned guest.



  • 6.  RE: 802.1x Switch Configuration

    Posted Oct 08, 2013 10:55 AM

    @SethFiermonti wrote:

    Just make the initial role "guest".  Upon a failed auth, they will be assigned guest.


    Seth, great answer.

     

    I've gone for configuring an allow-all MAC authentication source and an enforcement policy which matches any MAC auth requests, then assigns a ClearPass downloadable role. It's in a lab after all...
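
    As an added example, not code from this thread or from HPE Aruba Networking or ClearPass, here is a small Python model of the exchange posts 3 and 6 describe: the switch sends a RADIUS Access-Request, a stand-in for the ClearPass enforcement policy answers with an Access-Accept carrying the role in the Aruba-User-Role vendor-specific attribute (vendor ID 14823, sub-type 1, which is the real encoding), and the switch checks the Response Authenticator against the shared secret before it applies the role. The "ClearPass" side looks users up in a constructed dictionary rather than AD and does not model the EAP exchange of a real 802.1X request; the shared secret, user names, MAC addresses and role names (`employee`, `printer`, `guest`) are constructed for the example. A real switch falls back from 802.1X to MAC auth according to its configured auth order; here the caller picks which request to send.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865, plus the Aruba VSA that
# carries a user role back to the switch (vendor 14823, sub-type 1).
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 1, 6, 26
SERVICE_TYPE_CALL_CHECK = 10   # what a switch sets on a MAC-auth request
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1

# Constructed stand-ins for the lookups ClearPass would do against AD and its
# endpoint database; the names, MACs and roles are assumptions for the example.
AD_USERS = {"jsmith": "employee"}
KNOWN_MACS = {"00-11-22-33-44-55": "printer"}
UNKNOWN_MAC_ROLE = "guest"

def attr(atype: int, value: bytes) -> bytes:
    """Encode one type-length-value RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def aruba_user_role(role: str) -> bytes:
    """Vendor-Specific attribute wrapping an Aruba-User-Role string."""
    sub = struct.pack("!BB", ARUBA_USER_ROLE, len(role) + 2) + role.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)

def parse_attrs(data: bytes) -> list:
    """Split an attribute blob into (type, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def extract_user_role(attrs: list):
    """Return the Aruba-User-Role string from parsed attributes, or None."""
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        for subtype, subvalue in parse_attrs(value[4:]):
            if subtype == ARUBA_USER_ROLE:
                return subvalue.decode()
    return None

def access_request(ident: int, username: str, mac_auth: bool) -> tuple:
    """Build the switch's Access-Request; returns (packet, request_authenticator).
    The EAP exchange of a real 802.1X request is not modelled."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode())
    if mac_auth:
        attrs += attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def enforce(request: bytes, secret: bytes) -> bytes:
    """Stand-in for the two ClearPass services the thread describes: the 802.1X
    service returns the AD-derived role; the MAC-auth service accepts every MAC
    and hands unknown ones the guest role."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    name = next(v.decode() for t, v in attrs if t == ATTR_USER_NAME)
    svc = next((struct.unpack("!I", v)[0] for t, v in attrs if t == ATTR_SERVICE_TYPE), None)
    if svc == SERVICE_TYPE_CALL_CHECK:
        role = KNOWN_MACS.get(name.lower(), UNKNOWN_MAC_ROLE)
    else:
        role = AD_USERS.get(name.lower())
    code = CODE_ACCESS_ACCEPT if role else CODE_ACCESS_REJECT
    resp_attrs = aruba_user_role(role) if role else b""
    header = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs

def switch_verify(response: bytes, req_auth: bytes, secret: bytes):
    """What the switch does before trusting a returned role: recompute the
    Response Authenticator with the shared secret and compare in constant time.
    Returns the role on a valid Access-Accept, None on a reject or on tampering."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    header, got_auth, attrs = response[:4], response[4:20], response[20:length]
    want = hashlib.md5(header + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(got_auth, want) or code != CODE_ACCESS_ACCEPT:
        return None
    return extract_user_role(parse_attrs(attrs))

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for user, mac_auth in [("jsmith", False), ("nobody", False),
                           ("00-aa-bb-cc-dd-ee", True)]:
        req, ra = access_request(1, user, mac_auth)
        print(user, "->", switch_verify(enforce(req, secret), ra, secret))
```

    The point of `switch_verify` is the one that is easy to forget when the role is doing all the access-control work: the Aruba-User-Role VSA is only as trustworthy as the RADIUS shared secret, so a weak or shared-everywhere secret lets anyone on the path between switch and ClearPass hand out roles. The reject case is also what post 1 observed: with no MAC-auth service, a failed 802.1X user gets no role back and stays in the switch's initial role.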



  • 7.  RE: 802.1x Switch Configuration

    EMPLOYEE
    Posted Oct 08, 2013 10:56 AM

    You'll have more flexibility in the future using ClearPass instead of the initial role.



  • 8.  RE: 802.1x Switch Configuration

    EMPLOYEE
    Posted Oct 08, 2013 11:11 AM
    Agreed. Didn't catch ClearPass was involved here


  • 9.  RE: 802.1x Switch Configuration

    Posted Oct 08, 2013 04:00 PM

    I know I like to keep my initial role as something that doesn't actually provide any IP connectivity at all, because some clients will not deal well with getting a DHCP lease and then getting shuttled to another role assigned by a Clearpass RADIUS VSA with a different VLAN associated.  If you keep clients in the same VLAN the whole time and just use your various user roles for ACL assignment, this wouldn't be a problem.

     

    I don't know if it's the best way to do it but my initial role has an "allow-all" ACL associated, but no VLAN, which means it should derive its VLAN from the switching profile in the interface or interface-group configuration.  If no switching profile is configured it would fall back to the default switching profile with VLAN 1, which in my case is not something that will provide any IP connectivity to clients.

     

    If the Aruba experts here think this isn't optimal please let me know.