Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Change Guest Vlan after authentication

  • 1.  CPPM Change Guest Vlan after authentication

    Posted Nov 25, 2014 11:17 AM

    Hi guys,

     

    I'm new to CPPM so there are some things that I'm still learning.

     

    I would like to change a specific user from the initial vlan.

     

    Workflow:

     

    User associates to the open Guest SSID, gets an IP and authenticates. After that, based on that user role I would like to change his VLAN.

     

    At this moment I only have 1 service for Guest Authentication. I believe that to achieve this I'll have to create a MAC auth service.

     

    Can someone help me to achieve this?

     

    Thanks



  • 2.  RE: CPPM Change Guest Vlan after authentication

    Posted Nov 25, 2014 11:30 AM

    You can create the mac caching using the CPPM Guest Mac Auth Template

    2014-11-25 11_24_31-ClearPass Policy Manager - Aruba Networks.png

     

    Once you do that on the Guest Mac auth enforcement policy you can create a rule that if the device has a particular mac address you can send another VLAN

     

    2014-11-25 11_29_44-ClearPass Policy Manager - Aruba Networks.png

     

     

     

     



  • 3.  RE: CPPM Change Guest Vlan after authentication

    EMPLOYEE
    Posted Nov 25, 2014 11:32 AM

    There is a fundamental issue with changing a user's vlan on a captive portal.  The number one reason is that the client normally does not re-ip unless it is forcefully disconnected.  This creates client-side confusion when the user's wifi drops.  Is there a reason why a guest's vlan cannot stay on the same VLAN that we have to work around?

     



  • 4.  RE: CPPM Change Guest Vlan after authentication

    Posted Nov 25, 2014 01:04 PM
    cjoseph is right about that...


  • 5.  RE: CPPM Change Guest Vlan after authentication

    Posted Nov 25, 2014 05:23 PM
    Well, this is a requirement of a customer.

    I do agree with you that it may be unnecessary.

    It is not clear to me, though, how I can force a guest with role XYZ to be assigned to a specific VLAN after the authentication.

    I wouldn't like to do that based on the MAC address but on the user role.

    Thank you guys!


  • 6.  RE: CPPM Change Guest Vlan after authentication

    Posted Nov 25, 2014 06:46 PM

    Send a CoA.



  • 7.  RE: CPPM Change Guest Vlan after authentication

    EMPLOYEE
    Posted Nov 25, 2014 06:51 PM
    You should inform the customer that there will be inconsistent client behavior.


  • 8.  RE: CPPM Change Guest Vlan after authentication

    Posted Nov 25, 2014 07:34 PM

    I understand that. 

     

    I would like to test it anyway... just for learning purposes...

     

    Can anyone point me to an example of this?

     

    Thanks a lot for your time and patience

     



  • 9.  RE: CPPM Change Guest Vlan after authentication
    Best Answer

    Posted Nov 25, 2014 08:57 PM

    Try the following :

     

    1- Using the ClearPass templates create a Guest Mac Auth 

    2- Then create an enforcement profile and use the Aruba attribute Aruba-user-VLAN then add the VLAN you want that user to get 

    3- Create another enforcement profile and use the Aruba attribute Aruba-user-role then add the Role you have created on the controller that points the user to the guest captive portal registration page

     

    Then do the following:

    2014-11-25 20_54_22-ClearPass Policy Manager - Aruba Networks.png

    2014-11-25 20_54_11-ClearPass Policy Manager - Aruba Networks.png

    2014-11-25 20_53_48-ClearPass Policy Manager - Aruba Networks.png

     

    Using this logic the device doesn't have to change VLANs; instead it stays on the same VLAN at the Captive Portal stage and after it completes registration.

     

    Note: I haven't tested this out so this may or may not work.
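
Added illustration (not part of the original posts, and not ClearPass or Aruba code): the two enforcement profiles described in post 9 reach the controller as RADIUS Vendor-Specific attributes, and this Python example encodes and decodes them so the returned role and VLAN can be checked in a packet capture. Vendor ID 14823 and sub-attribute numbers 1 and 2 are taken from the Aruba RADIUS dictionary; the role name and VLAN ID are constructed placeholders.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for VSAs (RFC 2865, section 5.26)
ARUBA_VENDOR_ID = 14823   # Aruba's enterprise number in the RADIUS dictionary
ARUBA_USER_ROLE = 1       # Aruba-User-Role, string
ARUBA_USER_VLAN = 2       # Aruba-User-Vlan, 32-bit integer

def encode_vsa(vendor_type, value):
    """Return one Vendor-Specific attribute carrying a single Aruba sub-attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a single RADIUS AVP")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_aruba_vsas(attrs):
    """Walk the attribute bytes of a RADIUS packet and return Aruba role/VLAN values."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue  # not a VSA (e.g. User-Name), skip it
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue  # VSA from another vendor
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed Aruba sub-attribute")
            vdata = value[j + 2:j + vlen]
            j += vlen
            if vtype == ARUBA_USER_ROLE:
                found["Aruba-User-Role"] = vdata.decode("utf-8")
            elif vtype == ARUBA_USER_VLAN and len(vdata) == 4:
                found["Aruba-User-Vlan"] = struct.unpack("!I", vdata)[0]
    return found

# Constructed sample values: the role name and VLAN ID are placeholders.
PORTAL_PROFILE = encode_vsa(ARUBA_USER_ROLE, "guest-portal")
VLAN_PROFILE = encode_vsa(ARUBA_USER_VLAN, 120)
```

Feeding `decode_aruba_vsas` the attribute bytes of a captured Access-Accept (everything after the 20-byte RADIUS header) shows which of the two profiles was applied to the session.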



  • 10.  RE: CPPM Change Guest Vlan after authentication

    Posted Nov 26, 2014 01:56 PM

    Thank you for your guidance.

     

    Solved! :)