Hello,
I have a two-SSID setup: GUEST and SECURE.
We allow our AD users to authenticate on our SECURE 802.1X network with their own personal devices using AD credentials; however, we place those devices into a separate VLAN as per ClearPass. We have all our corporate-owned items using the SECURE SSID, but they get placed into a separate internal VLAN per ClearPass.
I would like to deny inter-user traffic for those users who are on the SECURE network, but not for corporate devices. I know ClearPass can assign roles back to the controller, so I'm assuming that I need to create a BYOD role and apply it, but I'm struggling with how to create the firewall policies.
I'd like DNS traffic to our two DNS servers to be allowed, and web traffic out, but to deny all other traffic to our internal networks.
I wish it was as easy as "deny inter-user traffic", but that seems to be a VAP setting and I can't do that because some of the users on our SECURE SSID are corporate users.
Thanks!