Solution depends a bit on personal preference, current workflows and the switch equipment used. You probably should find out what state the computer ends up in (MAC authentication with profiling role, if you followed the guide, as the computer probably won't do 802.1X yet at that point); and in that role you could allow just enough access to AD/imaging/supporting servers to build/boot/initialize the PC and join it to the domain. There is also on AOS-CX an option to configure a 'failed auth' role, which can be either the same profiling role with strictly controlled access to AD or a role with access to that staging VLAN.
The computer does not trigger a service, the switch will. With both 802.1X and MAC Auth configured, connecting the computer can trigger both, or one of them, but the key is to design your policies and switch config such that your clients can be joined by the IT Staff. If joining is done in a specific staging room, you could consider configuring a few ports statically to the staging VLAN specifically for that room/purpose.
Like always with ClearPass, there are many ways to do things. It may be good to discuss with your Aruba Partner, local Aruba SE or Aruba Support what the options are with your setup/equipment, and what the pros and cons of each option are, to get to the best in your situation.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
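As an added illustration of the two options described above (a restricted staging role assigned on failed authentication, and a few statically assigned staging ports), here is an AOS-CX port-access fragment. This is not configuration from the reply or from Aruba; the VLAN ID, role name, port numbers and the exact `auth-role reject-role` keyword are assumptions written from memory of the AOS-CX 10.x CLI and should be checked against the switch's own documentation before use.

```text
! --- Assumed staging role: only the isolated staging VLAN (VLAN 200 is a placeholder) ---
! The access restriction toward AD/imaging servers would be enforced by ClearPass
! or by a policy attached to this role; it is left out here.
port-access role STAGING
    vlan access 200

! --- Normal user port: 802.1X first, MAC auth as fallback ---
interface 1/1/10
    no routing
    aaa authentication port-access auth-precedence dot1x mac-auth
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
    ! Client that fails both methods lands in the staging role
    ! (the 'failed auth' role mentioned above; keyword assumed)
    aaa authentication port-access auth-role reject-role STAGING

! --- Staging-room port: no authentication, fixed to the staging VLAN ---
interface 1/1/20
    no routing
    vlan access 200
```

With the first port, a domain-joined machine still authenticates normally; only a machine that fails both 802.1X and MAC auth is confined to the staging VLAN, so it is worth logging those rejects in ClearPass to see which devices are landing there.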
Original Message:
Sent: Jul 15, 2022 04:33 PM
From: Turki Alibrahim
Subject: Ser
Hi,
We are testing CPPM to be used in our wired network. I've been through the videos "Aruba ClearPass Workshop (2021)" by Herman Robers, where I learned how to create a service to authenticate wired computers that are joined to our domain, and allow them access if they are user or computer authenticated.
Now for new computers that need to be configured by our IT support staff, the computer will not be joined to the domain. How do I give them access to a specific (isolated) VLAN that has access to our AD (to join)? How do I create a proper service for this?
Also, if a computer's access is rejected by a service, will the computer try to access via a later service? Or will the first reject stop the processing of other services?
I've tried going through the CPPM docs, but the docs show how to configure different parts, like how to create an Enforcement Policy, but do not explain each part, what it does exactly and how to configure it for different situations. Please point me to any documentation that explains CPPM in this sense.
Please excuse my primitive questions.
Thanks.