05-08-2013 03:59 PM
We are about to roll out Aruba switches to replace some old HP switches. I'm hoping we can allow people to plug in and attempt to use .1x authentication and, if that fails, use a captive portal to connect to the guest network. Is this possible with a ClearPass, controller and switch deployment?
05-08-2013 04:06 PM
The short answer is yes, it is. The way I would configure it is that the AAA Profile is configured with MAC-Auth and Dot1x and an initial role of denyall. The denyall user role will prevent the client from getting an IP address until it passes authentication, which is useful to ensure that even if you switch VLANs on the client based upon authentication, it doesn't have the IP from the initial role VLAN even after you changed VLANs. You would then write a rule on ClearPass that if the MAC is unknown, then send it to a user-role on the MAS that is configured with a Captive Portal.