Wireless Access

Wanted to run what the tech engineer told me this morning on this case to be sure it was correct because it seems like a very complicated way to do something simple:

 

• Student authenticates to SSID using 802.1X
• Redirected to ClearPass Captive Portal page where they log in again to register device.  MAC auto-prefills so they give device name and save.  They can also add non-802.1X devices while they are here.  We have created a BYOD SSID that allows internet access to these after they have been registered.
• We need to add a hyperlink to the portal page to redirect them to log in again in order to gain internet access.

 

The reasoning behind this seems to be the ability for ClearPass to swap the user from a pre-authorized to a post-authorized status…? 

 

The ideal situation is student connects to SSID using 802.1X – redirects to portal.  Names device and saves and then is able to surf net.  One log in (SSID) maybe 2(portal)

 

Am I missing something?

beside the registering the device via the captive portal page , do you have
another reason for presenting the page ?

Why are you redirecting them to a registration portal when you already have their user identity?

We only allow students to have 5 devices online. The portal allows them to add and delete items as needed. With the issues we are re-thinking the device limitation

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS

You can allow students to manage their headless devices ( chromecast, roku, etc..) using the guest device repository and limit the registration in there.

For 802.1X capable devices those will be automatically added to the endpoint DB and if you want to get fancy you can add a custom attribute in the endpoint DB when a successful authentication happens.

It is doable to present the captive portal after a successful 802.1X Auth but the user experience will be horrible (double Auth )
Pardon typos sent from Mobile

Agree - the testing is a pain in the a$$.

So allow students to register as many 802.1X devices and no portal. If non-802 then they would go to guest portal, login using credentials and add device via MAC. The they would join that BYOD SSID and gain internet access?

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS

The students with an 802.1X capable device should connect to the 802.1X SSID (eduroam Or student SSID ) and the registered headless devices can connect to an open SSID with Mac Auth enable using the Guest Device Repository as the Authentication/Authorization DB


Are you working with an Aruba Partner to guide you with the design and implementation ?


Pardon typos sent from Mobile

Thanks! Same thing I was thinking. No working with Aruba Tech

David A. Mattox
System Administrator
Millsaps College
Direct 601.974.1149

No. We limit students to 5 devices online right now. This portal allows them to register and manager devices.

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS