Thank you Nafith, it is really helpfull I have a question please : i wan't basiczally the same thing but i don't have onboard licence, is there any way to do something like that ? So to give you the context : I want use same SSID captive portal for employee and byod(or guest), but i dont want give full access to the guest or the byod is there any way to do it ? let's say just give them an intetnet access and that's it. for exemple i dont want them to have access to the employee machine (ping for exemple) is this doable by role or policy or something else ? I tried to create in advance an account for every employee with employee role, and they will connect with it and for the byod they will use request from captive portal to their host by sending a request and the sponsor they will accept and they have guest role. but i think they ahve the same access . i wanna just make sure to give guest or byod just internet access and not full or not like employee access thank you

@nafithsalama

Ай бұрын

Hi First of all many thanks for sharing your thoughts. for the BYOD to be implemented yes you need a license for that. you can try evaluation license if want to. For the different levels of Access you can have say employee one role and create your policies (FW) for the employee and guest usually get guest role which only allows them to access the internet (This might apply to the contractor as well in your case since you don't have proper OnBoard license). if you are going to use gateway to tunnel it might also be a good idea to terminate the guest tunnel on a separate gateway this gives you a more control over guest traffic If you need further clarification please let me know All the best

@amnayamnay6821

Ай бұрын

@@nafithsalama Hi Nafith, thank you very much for you reply, i really appreciate that; For the licence, i can't have one unfortunatelly, so for this reason, i was looking for a solution to do that. So you saying that the roles (employee and guest) are already different by default ? I mean if a guest get an access by guest role and an employee by employee role, they don't have already the same access ? is that correct ? if yes, what's the difference for exemple ? which kind of things the guest has a deny y default ? It's really a good idea for the tunnel and gateway, since im really new one to the clearpass, how i can technically do that ? how to terminate the guest tunnel on a separate gateway in real exemple? Thank you very much

@nafithsalama

Ай бұрын

@@amnayamnay6821 In nutshell ClearPass job (after authentication) is to assign the roles. the roles have policy(s) and each policy has rules (think of them as ACLs but they are session based in most cases) the details of the role is done on the device(s) such as APs. GWs.

@amnayamnay6821

Ай бұрын

@@nafithsalama sorry for thoses questions but i dont understand verry well. My config is like that : Aruba ap 515 (5 or 6), acting like on virtual controller and i have Clearpass Are you tryong to say that the roles needs to be set on the virtual controller and ont in the Clearpass ? If yes could you please give an exemple ?

@nafithsalama

Ай бұрын

Yes that is all done with your Access policy (FW)