Wired Intelligent Edge

We are about to roll out Aruba switches to replace some old HP switches.  I'm hoping we can allow people to plug it and attempt to use .1x authentication and if that fails use a captive portal to connect to the guest network.  Is this possible with ClearPass, controller and switch deployment?

 

Thanks!

Hi Jaker,

The short answer is yes it is. The way I would configure it is that the AAA Profile is configured with MAC-Auth and Dot1x and an initial role of denyall. The denyall user role will prevent the client from getting an IP address until it passes authentication which is useful to ensure that even if you switch VLANs on the client based upon authentication, it doesn't have the IP from the initial role VLAN even after you changed VLANs. You would then write a rule on ClearPass that if the MAC is unknown then send it to a user-role on the MAS that is configured with a Captive Portal.

 

Best regards,

 

Madani

As it is stated in the previous comment it is possible. I just want to note that you can also do this without using clearpass.

Good point zshusveti! We added native captive portal support to the MAS in AOS 7.2.

Thanks for the direction on how to work on this.  I'm new to ClearPass and the switches so I'm going to work on it over the new few weeks.   I might be back if I run into issues.