
ClearPass -> WING SSID assignment


Stefan_Jacoby
New Contributor
Hello,

I am working to authenticate the WiFi against ClearPass.
Currently I have an "Office" SSID and a "Special" SSID with restricted access. The restricted access is done via the WING IP Firewall (IPv4 ACL).
My plan with ClearPass is that all devices will use the "Office" SSID. The question is how to limit the devices which currently have only access to the "Special" SSID? They should be possible to reach the "Special" SSID via the "Office" SSID.
I am not sure if I have to work with Attribute Number. For instance the Attribute Number 2?

I am using WING 5.9.4.1 with AP7532.

Each hint is appreciated.

Regards,
Stefan
1 ACCEPTED SOLUTION

ckelly
Extreme Employee

Stefan, it sounds like maybe something that would work for you is role-based firewalling, using one of WiNG's VSAs (specifically, the WING-User-Group attribute).

With this WiNG VSA, you can add the attribute and desired values to ClearPass and assign to users, and the value is passed back to the WiNG controller or AP within the RADIUS access-accept message. WiNG will then look at the value and place the user into that WiNG user-group name. The user group defines all the ways that you want to treat/restrict users belonging to that group, including applying an IP ACL.

So on the WiNG side, you would need to create a Wireless Client Role, which contains the 'group' value that will be looked for in the access-accept message. The Client Role configuration also allows you to assign firewall rules that you want to apply to users that will fall into this role/group, based on the value contained in the access-accept attribute.

Role Based Firewall Guide
The guide for the Role Based Firewall setup is what you also need to help walk you through creating the user group. Since you already have an IP ACL created for the Special SSID, you should be able to simply indicate that this same ACL should be used for users that will belong to this user group. The guide does NOT, though, contain how to create and set up a VSA for ClearPass. It does contain an example for Windows Server. It does contain an example of how to set up things on the WiNG side for this user-group restriction method.

Below is what you need to define on ClearPass in case you already know how to set up a VSA.

[Image]

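How the group value travels in the Access-Accept and ends up selecting an ACL, as an added example that is not part of the original post and is not WiNG or ClearPass code: it parses the Vendor-Specific attribute (RFC 2865) out of a constructed packet and maps the group to an ACL. The vendor ID 388, sub-attribute number 12, the ACL names and the default-ACL fallback are assumptions not given in the thread.

```python
import struct

# Assumed numbers, not given in the thread; confirm against the WiNG dictionary.
WING_VENDOR_ID, WING_USER_GROUP = 388, 12
VENDOR_SPECIFIC, ACCESS_ACCEPT = 26, 2      # RFC 2865 attribute type / packet code
# Hypothetical role table: user-group value -> IP ACL applied by the client role.
ROLE_ACL = {"Special": "special-acl"}
DEFAULT_ACL = "office-acl"                  # hypothetical ACL when no role matches

def vsa(vendor_id, vtype, value):
    """Encode one Vendor-Specific attribute (RFC 2865, section 5.26)."""
    body = struct.pack("!I", vendor_id) + bytes([vtype, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def accept(attrs):
    """Constructed Access-Accept; authenticator is zeroed, so parse-only."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

def user_groups(packet):
    """Return every user-group string carried in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    groups, pos = [], 20                    # attributes follow the 20-byte header
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        alen = packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        data = packet[pos + 2:pos + alen]
        if packet[pos] == VENDOR_SPECIFIC and len(data) >= 6:
            vendor, sub = struct.unpack("!I", data[:4])[0], data[4:]
            while vendor == WING_VENDOR_ID and len(sub) >= 2:
                vlen = sub[1]
                if vlen < 2 or vlen > len(sub):
                    raise ValueError("bad sub-attribute length")
                if sub[0] == WING_USER_GROUP:
                    groups.append(sub[2:vlen].decode("utf-8"))
                sub = sub[vlen:]
        pos += alen
    return groups

def acl_for(packet):
    """First group with a matching role decides the ACL; otherwise the default."""
    return next((ROLE_ACL[g] for g in user_groups(packet) if g in ROLE_ACL), DEFAULT_ACL)
```

A client whose Access-Accept carries no group, or a group with no matching role, lands on the default ACL here, so the restricted devices depend on ClearPass returning the attribute for them.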

7 REPLIES

RobertZ
Extreme Employee
I believe that Stefan is referring to RADIUS server (which is the authentication server/ClearPass Policy Manager server).

ClearPass is an Aruba network naming convention for RADIUS Server.

ckelly
Extreme Employee
Stefan, I think I understand your question up until you say,
"They should be possible to reach the "Special" SSID via the "Office" SSID."

To be clear, it sounds like what you are wanting to accomplish is to get rid of the Special SSID and have everyone use just the single Office SSID - but then you need a way to continue to restrict access to the network in some way for certain users that previously used the Special SSID. Is this correct?