Redirect to Guest SSID upon Auth failure

Hi All


Was wondering if it will be possible to redirect a client to a different SSID on a normal Aruba Controller setup without using ClearPass?

I want to look at achieving something similar to when a controller blacklists a client upon Auth failure, but instead of blacklisting them, I want them redirected to my Guest SSID.

Is this possible without ClearPass or a similar UAC?


Re: Redirect to Guest SSID upon Auth failure

No, you can't trigger their devices to connect to a different SSID (even if you did have ClearPass) in this scenario. A reject from the RADIUS here will prevent the device from associating with the .1x SSID, so you can't place it in a captive portal role either.


That said - it is possible that the device itself might choose to connect to another SSID if it fails to connect to the preferred one. That in turn requires that the device has already been connected to the SSID before and wants to do it again "when all else fails"... Not something I would do though - as a common routine for your users seems to be a better solution.


John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway

Re: Redirect to Guest SSID upon Auth failure

Hmm - ok - So no SSID redirect..


Would it then be feasible or possible to drop a user who failed Authentication into a different VLAN on the same SSID? But then the association reject from RADIUS will still be an issue then I guess.


So in short - if Auth Fails you can't move the client to a different role, VLAN or anything of the likes?

Re: Redirect to Guest SSID upon Auth failure

Unfortunately you can't fail open with 802.1X. If authentication fails, that's the end of the road.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480