ClearPass -> WING SSID assignment


Stefan_Jacoby
New Contributor
Hello,

I am working to authenticate the WiFi against ClearPass.
Currently I have an "Office" SSID and a "Special" SSID with restricted access. The restricted access is done via the WING IP Firewall (IPv4 ACL).
My plan with ClearPass is that all devices will use the "Office" SSID. The question is how to limit the devices which currently only have access to the "Special" SSID? It should be possible for them to reach the "Special" SSID via the "Office" SSID.
I am not sure if I have to work with Attribute Number. For instance the Attribute Number 2?

I am using WING 5.9.4.1 with AP7532.

Each hint is appreciated.

Regards,
Stefan
1 ACCEPTED SOLUTION

ckelly
Extreme Employee

Stefan, it sounds like maybe something that would work for you is role-based firewalling, using one of WiNG's VSAs (specifically, the WING-User-Group attribute).

With this WiNG VSA, you can add the attribute and desired values to ClearPass and assign to users, and the value is passed back to the WiNG controller or AP within the RADIUS access-accept message. WiNG will then look at the value and place the user into that WiNG user-group name. The user group defines all the ways that you want to treat/restrict users belonging to that group... including applying an IP ACL.

So on the WiNG side, you would need to create a Wireless Client Role, which contains the 'group' value that will be looked for in the access-accept message. The Client Role configuration also allows you to assign firewall rules that you want to apply to users that will fall into this role/group, based on the value contained in the access-accept attribute.

Role Based Firewall Guide
The guide for the Role Based Firewall setup is what you also need to help walk you through creating the user group. Since you already have an IP ACL created for the Special SSID, you should be able to simply indicate that this same ACL should be used for users that will belong to this user group. The guide does NOT, though, contain how to create and set up a VSA for ClearPass. It does contain an example for Windows Server. It does contain an example of how to set up things on the WiNG side for this user-group restriction method.

Below is what you need to define on ClearPass in case you already know how to set up a VSA.

[Image: ClearPass VSA definition]

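The mechanism described in the accepted answer, as an added example that is not part of the original thread or of any Extreme or Aruba code: it decodes a RADIUS Vendor-Specific attribute (type 26, RFC 2865) from the attribute bytes of an Access-Accept and looks up the ACL a matching role would apply, which is useful when checking in a capture that ClearPass really returns the expected group. The vendor ID (32473, the enterprise number reserved for documentation), the attribute number 1, the `ROLE_ACLS` table and the ACL name are placeholders; take the real values from the WiNG RADIUS dictionary and your own role policy.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries VSAs
# Placeholders (assumptions): the thread does not state the WiNG vendor ID or
# the attribute number of WING-User-Group; use the values from the WiNG dictionary.
VENDOR_ID = 32473      # enterprise number reserved for documentation (RFC 5612)
USER_GROUP_ATTR = 1
# Hypothetical mirror of the WiNG Wireless Client Roles: group value -> IP ACL name.
ROLE_ACLS = {"Special": "SPECIAL-ACL"}

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single string sub-attribute."""
    data = value.encode()
    sub = bytes([vendor_type, len(data) + 2]) + data
    body = struct.pack("!I", vendor_id) + sub
    if len(body) + 2 > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def find_vsa(attrs, vendor_id, vendor_type):
    """Walk the attribute bytes of an Access-Accept; return the VSA string or None."""
    i = 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("malformed attribute length")
        if a_type == VENDOR_SPECIFIC and a_len >= 6:
            (vid,) = struct.unpack("!I", attrs[i + 2:i + 6])
            j, end = i + 6, i + a_len
            while vid == vendor_id and j + 2 <= end:
                s_type, s_len = attrs[j], attrs[j + 1]
                if s_len < 2 or j + s_len > end:
                    raise ValueError("malformed sub-attribute length")
                if s_type == vendor_type:
                    return attrs[j + 2:j + s_len].decode()
                j += s_len
        i += a_len
    return None

def acl_for(attrs):
    """Return the ACL a matching role would apply, or None when no role matches."""
    group = find_vsa(attrs, VENDOR_ID, USER_GROUP_ATTR)
    return ROLE_ACLS.get(group)

# Constructed sample: a Reply-Message (type 18) followed by the group VSA.
SAMPLE = bytes([18, 4]) + b"ok" + encode_vsa(VENDOR_ID, USER_GROUP_ATTR, "Special")
```

A client whose Access-Accept carries no group VSA, or a group with no matching role, gets `None` here, so decide on the WiNG side what such clients should be allowed to reach on the "Office" SSID.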

7 REPLIES

Stefan_Jacoby
New Contributor

Hello Chris,

It is working. Thanks again for your hints.


Regards,

Stefan

Stefan_Jacoby
New Contributor

Hi Chris,

Thank you.

Looks promising. I think this was the hint which I've been looking for. Will test it within this week and let you know.

 

Regards,

Stefan

Stefan_Jacoby
New Contributor
Hello Chris,

Yes, you are right: restrict access for certain devices, not users.

Hello Robert,
thank you. I am aware of the provided documents.
I think I need help with which attribute I should use and whether what I would like to do is possible.

Regards,
Stefan