fm
Contributor II
Posts: 35
Registered: ‎07-10-2014

CPPM Change Guest Vlan after authentication

Hi guys,

I'm new to CPPM so there are some things that I'm still learning.

I would like to change a specific user from the initial vlan.

Workflow:

User associates to the open Guest SSID, gets an IP and authenticates. After that, based on that user's role I would like to change his VLAN.

At this moment I only have 1 service for Guest Authentication. I believe that to achieve this I'll have to create a mac auth service.

Can someone help me to achieve this?

Thanks

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: CPPM Change Guest Vlan after authentication

You can create the mac caching using the CPPM Guest Mac Auth Template.

2014-11-25 11_24_31-ClearPass Policy Manager - Aruba Networks.png

Once you do that, on the Guest Mac auth enforcement policy you can create a rule that if the device has a particular mac address you can send another VLAN.

2014-11-25 11_29_44-ClearPass Policy Manager - Aruba Networks.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 20,966
Registered: ‎03-29-2007

Re: CPPM Change Guest Vlan after authentication

There is a fundamental issue with changing a user's vlan on a captive portal.  The number one reason is that the client normally does not re-ip unless it is forcefully disconnected.  This creates client-side confusion when the user's wifi drops.  Is there a reason why a guest's vlan cannot stay on the same VLAN that we have to work around?

 



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: CPPM Change Guest Vlan after authentication

cjoseph is right about that...
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
fm
Contributor II
Posts: 35
Registered: ‎07-10-2014

Re: CPPM Change Guest Vlan after authentication

Well, this is a requirement of a customer.

I do agree with you that it may be unnecessary.

It is not clear to me though how I can force a guest with role XYZ to be assigned to a specific vlan after the authentication.

I wouldn't like to do that based on the MAC address but on the user role.

Thank you guys!
Contributor II
Posts: 38
Registered: ‎11-24-2014

Re: CPPM Change Guest Vlan after authentication

Send a COA.

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: CPPM Change Guest Vlan after authentication

You should inform the customer that there will be inconsistent client behavior.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
fm
Contributor II
Posts: 35
Registered: ‎07-10-2014

Re: CPPM Change Guest Vlan after authentication

I understand that.

I would like to test it anyway... just for learning purposes...

Can anyone point me to some example for this?

Thanks a lot for your time and patience

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: CPPM Change Guest Vlan after authentication

Try the following:

1- Using the ClearPass templates, create a Guest Mac Auth

2- Then create an enforcement profile and use the Aruba attribute Aruba-user-VLAN, then add the VLAN you want that user to get

3- Create another enforcement profile and use the Aruba attribute Aruba-user-role, then add the Role you have created on the controller that points the user to the guest captive portal registration page

Then do the following:

2014-11-25 20_54_22-ClearPass Policy Manager - Aruba Networks.png

2014-11-25 20_54_11-ClearPass Policy Manager - Aruba Networks.png

2014-11-25 20_53_48-ClearPass Policy Manager - Aruba Networks.png

Using this logic the device doesn't have to change VLANs; instead it stays using the same VLAN at the Captive Portal Stage and after it completes registration.

Note: I haven't tested this out so this may or may not work.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
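
Added example, not part of the post above and not Aruba code: a Python sketch of what the two enforcement profiles put on the wire, so the Access-Accept can be checked in a RADIUS capture. It goes beyond the post by showing the Vendor-Specific encoding (Aruba vendor ID 14823, Aruba-User-Role = 1, Aruba-User-Vlan = 2). The rule in `mac_auth_accept`, VLAN 20 and the role name `guest-logon` are assumptions made for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type, RFC 2865 section 5.26
ARUBA_VENDOR_ID = 14823   # Aruba enterprise number carried in the VSA header
ARUBA_USER_ROLE = 1       # string sub-attribute
ARUBA_USER_VLAN = 2       # 32-bit integer sub-attribute

def encode_vsa(vendor_type, value):
    """Wrap one Aruba sub-attribute in a Vendor-Specific attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    if len(data) > 255 - 8:  # attr header (2) + vendor id (4) + sub header (2)
        raise ValueError("value too long for one RADIUS attribute")
    sub = bytes([vendor_type, 2 + len(data)]) + data
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

def decode_aruba_vsas(attrs):
    """Return the Aruba role and VLAN found in a raw RADIUS attribute list."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[i + 2:i + a_len]
        if a_type == VENDOR_SPECIFIC and body[:4] == struct.pack("!I", ARUBA_VENDOR_ID):
            j = 4
            while j + 2 <= len(body):
                v_type, v_len = body[j], body[j + 1]
                if v_len < 2 or j + v_len > len(body):
                    raise ValueError("malformed vendor sub-attribute")
                data = body[j + 2:j + v_len]
                if v_type == ARUBA_USER_ROLE:
                    found["role"] = data.decode()
                elif v_type == ARUBA_USER_VLAN and len(data) == 4:
                    found["vlan"] = struct.unpack("!I", data)[0]
                j += v_len
        i += a_len
    return found

def mac_auth_accept(registered, vlan_id, portal_role):
    """Assumed rule: every device gets the VLAN; unregistered ones also get the portal role."""
    attrs = encode_vsa(ARUBA_USER_VLAN, vlan_id)
    if not registered:
        attrs += encode_vsa(ARUBA_USER_ROLE, portal_role)
    return attrs

if __name__ == "__main__":
    # Constructed sample values: VLAN 20, role "guest-logon"
    print(decode_aruba_vsas(mac_auth_accept(False, 20, "guest-logon")))
```

Because the VLAN attribute is the same before and after registration in this sketch, the client keeps its IP address, which is the behaviour the post aims for.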
fm
Contributor II
Posts: 35
Registered: ‎07-10-2014

Re: CPPM Change Guest Vlan after authentication

Thank you for your guidance.

 

Solved! :)
