i am working to authenticate the WiFi against ClearPass.
Currently i have an "Office" SSID and a "Special" SSID with restricted access. The restricted access is done via the WING IP Firewall (IPv4 ACL).
My plan with ClearPass is that all devices will use the "Office" SSID. The question is how to limit the devices which currently have only access to the "Special" SSID? They should be possible to reach the "Special" SSID via the "Office" SSID.
I am not sure if i have to work with Attribute Number. For instance the Attribut Number 2 ?
I am using WING 18.104.22.168 with AP7532.
Each hint is appreciated.
Best answer by Chris Kelly
Stefan, it sounds like maybe something that would work for you is role-based firewalling, using one of WiNG's VSAs (specifically, the WING-User-Group attribute).
With this WiNG VSA, you can add the attribute and desired values to Clearpass and assign to users, and the value is passed back to the WiNG controller or AP within the RADIUS access-accept message. WiNG will then look at the value and place the user into that WiNG user-group name. The user group defines all the ways that you want to treat/restrict users belonging to that group.....including applying an IP ACL.
So on the WiNG side, you would need to create a Wireless Client Role, which contains the 'group' value that will be looked for in the access-accept message. The Client Role configuration also allows you to assign firewall rules that you want to apply to users that will fall into this role/group, based on the value contained in the access-accept attribute.
Role Based Firewall Guide
The guide for the Role Based Firewall setup is what also need to help walk you through creating the user group. Since you already have an IP ACL created for the Special SSID, you should be able to simply indicate that this same ACL should be used for users that will belong to this user group. The guide does NOT though contain how to create and setup a VSA for Clearpass. It does contain an example for Windows Server. It does contain an example of how to setup things on the WiNG side for this user-group restriction method.
Below is what you need to define on Clearpass in case you already know how to setup a VSA.