Students and 802.1X authentication

Wanted to run what the tech engineer told me this morning on this case to be sure it was correct because it seems like a very complicated way to do something simple:

 

  • Student authenticates to SSID using 802.1X
  • Redirected to ClearPass Captive Portal page where they log in again to register device.  MAC auto-prefills so they give device name and save.  They can also add non-802.1X devices while they are here.  We have created a BYOD SSID that allows internet access to these after they have been registered.
  • We need to add a hyperlink to the portal page to redirect them to log in again in order to gain internet access.

 

The reasoning behind this seems to be the ability for ClearPass to swap the user from a pre-authorized to a post-authorized status…? 

 

The ideal situation is student connects to SSID using 802.1X – redirects to portal.  Names device and saves and then is able to surf net.  One log in (SSID) maybe 2(portal)

 

Am I missing something?

Re: Students and 802.1X authentication

Besides registering the device via the captive portal page, do you have
another reason for presenting the page?
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Students and 802.1X authentication

Why are you redirecting them to a registration portal when you already have their user identity?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Students and 802.1X authentication

No. We limit students to 5 devices online right now. This portal allows them to register and manage devices.

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS

Re: Students and 802.1X authentication

We only allow students to have 5 devices online. The portal allows them to add and delete items as needed. With the issues, we are re-thinking the device limitation.

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS

Re: Students and 802.1X authentication

You can allow students to manage their headless devices (Chromecast, Roku, etc.) using the guest device repository and limit the registration in there.

For 802.1X capable devices, those will be automatically added to the endpoint DB, and if you want to get fancy you can add a custom attribute in the endpoint DB when a successful authentication happens.

It is doable to present the captive portal after a successful 802.1X Auth, but the user experience will be horrible (double Auth).
Pardon typos sent from Mobile
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Students and 802.1X authentication

Agree - the testing is a pain in the a$$.

So allow students to register as many 802.1X devices and no portal. If non-802 then they would go to guest portal, log in using credentials and add device via MAC. Then they would join that BYOD SSID and gain internet access?

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS

Re: Students and 802.1X authentication

The students with an 802.1X capable device should connect to the 802.1X SSID (eduroam or student SSID), and the registered headless devices can connect to an open SSID with MAC Auth enabled, using the Guest Device Repository as the Authentication/Authorization DB.

Are you working with an Aruba Partner to guide you with the design and implementation?


Pardon typos sent from Mobile
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Students and 802.1X authentication

Thanks! Same thing I was thinking. No working with Aruba Tech

David A. Mattox
System Administrator
Millsaps College
Direct 601.974.1149