Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Changing VLANs with different profiles

  • 1.  Changing VLANs with different profiles

    Posted Jul 09, 2014 09:15 AM

    Hi:

    I'm trying to setup a shared wireless computer that can be used on different VLANs.

    Machine auth works properly, and the machine is pingable on vlan 1 with nobody logged in. This is a good thing, since vlan 1 allows it to reach domain controllers and such.


    User A (with a profile that says to use vlan 1) logs in, and all is well.

    User A logs out, and the machine is still pingable on vlan 1.

    User B (with a profile that says to use vlan 2) logs in and the machine is on vlan 2.


    Now, when user B logs out, I see the machine auth show up in CPPM as successful, but from what I can tell, the machine does not return to vlan 1.

    It's only when user A logs in again that machine returns to vlan 1. As before, when user A logs out, the machine stays on vlan 1.


    Is there any way for the machine auth to force the machine back to vlan 1, after user B logs out?


    Thanks,

    Tony

  • 2.  RE: Changing VLANs with different profiles

    EMPLOYEE
    Posted Jul 09, 2014 09:18 AM
    Under the advanced options of the client's 802.1X configuration there is an option called "This network uses different VLAN for authentication with machine and user credentials".

    Check that either locally or configure the 802.1X settings through group policy.


    From Microsoft:

    "Specifies that wireless computers are placed on one virtual local area network (VLAN) at startup, and then - based on user permissions - transitions to a different VLAN network after the user logs on to the computer.
    This setting is used in scenarios where it is desirable to separate traffic by using VLANs. For example, one VLAN, "VLAN-a," allows access only to authenticated computers, typically with a restricted set of assets. A second VLAN, "VLAN-b," provides authenticated and authorized users with access to a broader set of assets, such as e-mail, build servers, or the intranet.
    Default = Not enabled"
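    The checkbox quoted above maps to the singleSignOn/userBasedVirtualLan element of a Windows wireless profile, which is how it is pushed out when the 802.1X settings are deployed rather than ticked by hand. The profile below is an added illustration, not something from this thread; it assumes the OneX v1 profile schema, and the SSID name and the EAPConfig body are placeholders to be replaced with the deployment's own values.

```xml
<!-- Constructed example: Windows WLAN profile with user-based VLAN switching enabled.
     SSID "CORP-WLAN" and the EAPConfig body are placeholders, not values from the thread. -->
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-WLAN</name>
  <SSIDConfig>
    <SSID><name>CORP-WLAN</name></SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <!-- Authenticate as the machine before logon and as the user after logon. -->
        <authMode>machineOrUser</authMode>
        <singleSignOn>
          <type>preLogon</type>
          <maxDelay>10</maxDelay>
          <allowAdditionalDialogs>false</allowAdditionalDialogs>
          <!-- "This network uses different VLAN for authentication with machine
               and user credentials" -->
          <userBasedVirtualLan>true</userBasedVirtualLan>
        </singleSignOn>
        <EAPConfig>
          <!-- PLACEHOLDER: the EAP method configuration (for example PEAP-MSCHAPv2
               with the RADIUS server certificate validation settings) goes here. -->
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
```

The profile can be imported with "netsh wlan add profile filename=<file> user=all" and then inspected with "netsh wlan show profile name=CORP-WLAN" to confirm the single sign-on settings took effect.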


  • 3.  RE: Changing VLANs with different profiles

    Posted Jul 09, 2014 12:37 PM

    Thanks for this info. I will give it a try.



  • 4.  RE: Changing VLANs with different profiles

    Posted Jul 10, 2014 05:01 PM

    I tried this, but it didn't seem to work.

    The computer didn't return to the initial VLAN after user logout.

  • 5.  RE: Changing VLANs with different profiles

    EMPLOYEE
    Posted Jul 10, 2014 06:08 PM

    Are you returning an Aruba VLAN VSA from ClearPass when the device authenticates as a machine? If not, and the machine's role does not have a VLAN hardcoded, it will not change VLANs, but maintain the one it has. When the user who is forced into VLAN 1 logs out, the VLAN is not changed.



  • 6.  RE: Changing VLANs with different profiles

    Posted Jul 10, 2014 06:35 PM

    Hi Colin:

    Thanks for the reply.

    Yes, ClearPass is assigning a VLAN for the machine auth role. I see the machine auth show up successfully, and it says it has assigned the new vlan, but the machine doesn't appear on that vlan.

    Thanks,

    Tony

  • 7.  RE: Changing VLANs with different profiles

    EMPLOYEE
    Posted Jul 10, 2014 06:41 PM

    If you type "show user-table verbose" on the controller, it will tell you in parentheses what VLAN the computer is on.


  • 8.  RE: Changing VLANs with different profiles

    EMPLOYEE
    Posted Jul 10, 2014 06:44 PM
    Also, please turn up user debugging so we can see the process.

    logging level debug user-debug

    show log user-debug all | include