Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Changing VLANs with different profiles

Hi:

I'm trying to set up a shared wireless computer that can be used on different VLANs.

Machine auth works properly, and the machine is pingable on vlan 1 with nobody logged in. This is a good thing, since vlan 1 allows it to reach domain controllers and such.

User A (with a profile that says to use vlan 1) logs in, and all is well.

User A logs out, and the machine is still pingable on vlan 1.

User B (with a profile that says to use vlan 2) logs in and the machine is on vlan 2.

Now, when user B logs out, I see the machine auth show up in CPPM as successful, but from what I can tell, the machine does not return to vlan 1.

It's only when user A logs in again that machine returns to vlan 1. As before, when user A logs out, the machine stays on vlan 1.

Is there any way for the machine auth to force the machine back to vlan 1, after user B logs out?

Thanks,

Tony

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Changing VLANs with different profiles

Under the advanced options of the client's 802.1X configuration there is an option called "This network uses different VLAN for authentication with machine and user credentials".

Check that either locally or configure the 802.1X settings through group policy.


From Microsoft:

"Specifies that wireless computers are placed on one virtual local area network (VLAN) at startup, and then - based on user permissions - transitions to a different VLAN network after the user logs on to the computer.
This setting is used in scenarios where it is desirable to separate traffic by using VLANs. For example, one VLAN, "VLAN-a," allows access only to authenticated computers, typically with a restricted set of assets. A second VLAN, "VLAN-b," provides authenticated and authorized users with access to a broader set of assets, such as e-mail, build servers, or the intranet.
Default = Not enabled"

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
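The setting Tim refers to lives in the OneX (802.1X) block of the exported Windows WLAN profile XML. As an added example (not code from this thread, Aruba or Microsoft), the Python below reads such a profile and reports whether the three pieces needed for machine-then-user VLAN switching are present: an authMode of machineOrUser, a singleSignOn block, and the userBasedVirtualLan flag. The schema namespaces and element names are taken from the public OneX/WLAN profile schema documentation and should be checked against a real export (netsh wlan export profile); the sample profile is constructed here for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces of the Windows WLAN profile and OneX schemas (assumed from the
# public schema documentation; confirm against a profile exported with
# "netsh wlan export profile").
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}


def onex_vlan_settings(profile_xml: str) -> dict:
    """Extract the OneX settings that decide whether the supplicant
    re-authenticates with user credentials (and so may move VLAN) at logon."""
    root = ET.fromstring(profile_xml)
    onex = root.find(".//onex:OneX", NS)
    if onex is None:
        return {"onex_present": False}

    def text(path: str):
        node = onex.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    return {
        "onex_present": True,
        "authMode": text("onex:authMode"),
        "ssoType": text("onex:singleSignOn/onex:type"),
        # Maps to "This network uses different VLAN for authentication with
        # machine and user credentials" in the advanced 802.1X dialog.
        "userBasedVirtualLan": text("onex:singleSignOn/onex:userBasedVirtualLan") == "true",
    }


def missing_for_vlan_switch(settings: dict) -> list:
    """Return a list of human-readable problems; empty means the profile
    is configured for machine-then-user VLAN switching."""
    if not settings.get("onex_present"):
        return ["no OneX (802.1X) block in profile"]
    problems = []
    if settings["authMode"] != "machineOrUser":
        problems.append(f"authMode is {settings['authMode']!r}, expected 'machineOrUser'")
    if settings["ssoType"] is None:
        problems.append("singleSignOn not configured")
    if not settings["userBasedVirtualLan"]:
        problems.append("userBasedVirtualLan is not true")
    return problems


def sample_profile(user_based_vlan: bool) -> str:
    """Constructed sample profile (not a real export) for an SSID 'CORP'."""
    vlan_flag = "<userBasedVirtualLan>true</userBasedVirtualLan>" if user_based_vlan else ""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS['wlan']}">
  <name>CORP</name>
  <SSIDConfig><SSID><name>CORP</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="{NS['onex']}">
      <authMode>machineOrUser</authMode>
      <singleSignOn>
        <type>preLogon</type>
        <maxDelay>10</maxDelay>
        <allowAdditionalDialogs>false</allowAdditionalDialogs>
        {vlan_flag}
      </singleSignOn>
    </OneX>
  </security></MSM>
</WLANProfile>"""


if __name__ == "__main__":
    for flag in (False, True):
        settings = onex_vlan_settings(sample_profile(flag))
        print(f"userBasedVirtualLan={flag}:", missing_for_vlan_switch(settings) or "ok")
```

Run it against a profile exported from the affected machine (or the XML pushed by the wireless Group Policy) to confirm the flag actually reached the client before chasing the controller side.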
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Changing VLANs with different profiles

Thanks for this info. I will give it a try.

Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Changing VLANs with different profiles

I tried this, but it didn't seem to work.

The computer didn't return to the initial VLAN after user logout.

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Changing VLANs with different profiles

Are you returning an Aruba VLAN VSA from ClearPass when the device authenticates as a machine? If not, and the machine's role does not have a VLAN hardcoded, it will not change VLANs but maintain the one it has. When the user who is forced into VLAN 1 logs out, the VLAN is not changed.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Changing VLANs with different profiles

Hi Colin:

Thanks for the reply.

Yes, ClearPass is assigning a VLAN for the machine auth role. I see the machine auth show up successfully, and it says it has assigned the new VLAN, but the machine doesn't appear on that VLAN.

Thanks,

Tony

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Changing VLANs with different profiles

If you type "show user-table verbose" on the controller, it will tell you in parentheses what VLAN the computer is on.


Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Changing VLANs with different profiles

Also, please turn up user debugging so we can see the process.

logging level debug user-debug

show log user-debug all | include

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480