MVP
Posts: 1,422
Registered: 10-25-2011

Can we return user role to perform full tunnel for a particular user?

Scenario: (controller based)

User associated to WLAN, gets a pre-auth role, passes external captive portal (not ClearPass), we push down a new role to allow internet access, etc. (called split_user).

VAP is configured as split_tunnel.


Can we, from our NAC solution, push down a role based on the MAC address we see, i.e. push a user role that will make this user full tunnel? Can this be done by ACLs?
Do I need ClearPass for this?

I guess the same would apply for IAPs... if possible.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
MVP
Posts: 145
Registered: 07-12-2012

Re: Can we return user role to perform full tunnel for a particular user?

aaa derivation-rules user <name of device>
set role condition macaddr equals "<mac address>" set-value <role you want to enforce> description "<name of device>"
!

Is this what you are looking for?

If you found my post helpful, please give kudos!
Guru Elite
Posts: 8,460
Registered: 09-08-2010

Re: Can we return user role to perform full tunnel for a particular user?

Does the NAC solution support RADIUS CoA? You can push a user role in a RADIUS CoA message.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 1,422
Registered: 10-25-2011

Re: Can we return user role to perform full tunnel for a particular user?

For controllers, we are using the XML-API of the controller.
For IAPs, the CoA portion didn't work when having multiple IAPs in a cluster, and a workaround had to be done.

So no, we are not using CoA for this. The XML-API allows us to push down an "ack" and a particular role if needed.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Frequent Contributor II
Posts: 114
Registered: 12-02-2011

Re: Can we return user role to perform full tunnel for a particular user?

The CoA should work on both the controller and the IAP cluster. Can you provide more details about this? On IAP you need to configure at least the VC address and RADIUS proxy (along with CoA enabled in the RADIUS server configuration) for CoA to work.
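The RADIUS CoA path mentioned in Tim's reply and in the answer above, modelled as an added example (not code from this thread, from Aruba, or from the poster's NAC): the NAC side builds a CoA-Request that names the client by Calling-Station-Id and carries the role in the Aruba-User-Role vendor attribute; the NAS side parses it, checks the RFC 5176 Request Authenticator and the Message-Authenticator against the shared secret before acting on it, and answers with a CoA-ACK whose Response Authenticator the NAC checks in turn. The vendor id 14823 and Aruba-User-Role sub-type 1 are the standard Aruba RADIUS dictionary values; the shared secret, MAC address and role name are constructed sample values; the ordering of the two authenticators (Message-Authenticator computed over a zeroed authenticator field, then the Request Authenticator over the finished attributes) follows the FreeRADIUS convention and is an assumption of this example.

```python
"""RADIUS Change-of-Authorization (RFC 5176) round trip for a user-role push.

Added example: NAC builds a CoA-Request with Calling-Station-Id and the
Aruba-User-Role VSA; NAS verifies it and answers CoA-ACK.  Secret, MAC and
role below are constructed sample values.
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80
ARUBA_VENDOR_ID = 14823   # IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1       # Aruba VSA sub-type: Aruba-User-Role (string)


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def aruba_vsa(subtype: int, value: bytes) -> bytes:
    """Encode an Aruba vendor-specific attribute inside attribute 26."""
    inner = struct.pack("!BB", subtype, len(value) + 2) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)


def parse_attrs(data: bytes):
    """Yield (type, value, offset_of_value); raise ValueError on malformed lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length], pos + 2
        pos += length


def build_coa_request(secret: bytes, identifier: int, mac: str, role: str) -> bytes:
    """NAC side: CoA-Request asking the NAS to move the client `mac` into `role`."""
    attrs = avp(ATTR_CALLING_STATION_ID, mac.encode()) + aruba_vsa(ARUBA_USER_ROLE, role.encode())
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # placeholder, filled in below
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # Message-Authenticator: HMAC-MD5 over the packet with the authenticator field
    # and its own value zeroed (assumed ordering, as FreeRADIUS does for CoA).
    msg_auth = hmac.new(secret, header + b"\x00" * 16 + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + msg_auth
    # Request Authenticator (RFC 5176 s2.3): MD5(header + 16 zero octets + attrs + secret).
    req_auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + req_auth + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """NAS side: accept only a well-formed request whose authenticators match the secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    try:
        parsed = list(parse_attrs(attrs))
    except ValueError:
        return False
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    if not hmac.compare_digest(expected, req_auth):
        return False
    for attr_type, value, off in parsed:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = attrs[:off] + b"\x00" * 16 + attrs[off + 16:]
            msg_auth = hmac.new(secret, header + b"\x00" * 16 + zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(msg_auth, value):
                return False
    return True


def requested_role(packet: bytes):
    """Return (mac, role) from a CoA-Request, or None if either attribute is missing."""
    mac = role = None
    for attr_type, value, _ in parse_attrs(packet[20:]):
        if attr_type == ATTR_CALLING_STATION_ID:
            mac = value.decode()
        elif attr_type == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID:
            subtype, sublen = value[4], value[5]
            if subtype == ARUBA_USER_ROLE:
                role = value[6:4 + sublen].decode()
    return (mac, role) if mac and role else None


def build_coa_response(request: bytes, secret: bytes, ack: bool = True) -> bytes:
    """NAS side: CoA-ACK/NAK; Response Authenticator covers the request's authenticator."""
    header = struct.pack("!BBH", COA_ACK if ack else COA_NAK, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_coa_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAC side: check that the ACK/NAK really answers our request under the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_coa_request(secret, 7, "00-11-22-33-44-55", "full_tunnel_role")
    print(verify_coa_request(req, secret), requested_role(req))
```

The point for a defender is visible in `verify_coa_request`: nothing in the packet ties the role to an authenticated user beyond the MAC in Calling-Station-Id, so the NAS acts entirely on the NAC's decision and the shared secret (plus restricting which hosts may send CoA at all) is the only thing authenticating a role change. A request with a wrong secret, a flipped byte in the MAC, or a malformed attribute length is rejected before any role is applied.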
