Wired Intelligent Edge (Campus Switching and Routing)

Frequent Contributor I

Wired Authentication

We are about to roll out Aruba switches to replace some old HP switches.  I'm hoping we can allow people to plug it and attempt to use .1x authentication and if that fails use a captive portal to connect to the guest network.  Is this possible with ClearPass, controller and switch deployment?




Re: Wired Authentication

Hi Jaker,

The short answer is yes it is. The way I would configure it is that the AAA Profile is configured with MAC-Auth and Dot1x and an initial role of denyall. The denyall user role will prevent the client from getting an IP address until it passes authentication which is useful to ensure that even if you switch VLANs on the client based upon authentication, it doesn't have the IP from the initial role VLAN even after you changed VLANs. You would then write a rule on ClearPass that if the MAC is unknown then send it to a user-role on the MAS that is configured with a Captive Portal.


Best regards,



Frequent Contributor II

Re: Wired Authentication

As it is stated in the previous comment it is possible. I just want to note that you can also do this without using clearpass.

Re: Wired Authentication

Good point zshusveti! We added native captive portal support to the MAS in AOS 7.2.

Frequent Contributor I

Re: Wired Authentication

Thanks for the direction on how to work on this.  I'm new to ClearPass and the switches so I'm going to work on it over the new few weeks.   I might be back if I run into issues. 



Search Airheads
Showing results for 
Search instead for 
Did you mean: