Occasional Contributor II

Clarification on 802.1x and vlan enforcement

Hi,

 

I am struggling to make this work, and I am wondering if you can confirm what I have learned so far:

 

- I am on an HPE 5406 zl2 which has software lower than 16.02 (when all the cool stuff was introduced, including CoA etc.).

- I have ClearPass 6.7 running, configured to authenticate, and this part works.

- Now I want to assign VLANs to devices based on which group they are a member of in AD.

- I have configured an 802.1x service, and I can see the authentication going through correctly per group: the right enforcement policy is triggered and the right profile is applied based on membership, so that group A gets profile A and group B gets profile B. I can see this clearly in Access Tracker.

- The problem is that profile A should push VLAN 1 and profile B should push VLAN 2. Despite the fact that the right profile is shown in Access Tracker, no VLAN change is happening.

 

Now I think this is because (please confirm):

- I cannot use the Aruba-User-Vlan attribute in the profile because that won't work with the software I am running (below 16.02).

- If I use SNMP to force VLANs, the RADIUS service doesn't work; I cannot have a RADIUS service using SNMP policies.

- So the only way I can make this work is to use roles (and roles in the switch) instead of enforcements.

 

Is that correct?

 

Thanks

 

Guru Elite

Re: Clarification on 802.1x and vlan enforcement

Did you follow the ClearPass Solution Guide for Wired Policy Enforcement?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clarification on 802.1x and vlan enforcement

Yes. Thanks for your quick reply.

 

At the very beginning of the document there is a table which basically shows what you can do with 802.1x, and there is no mention of VLAN assignment; then there is SNMP-based enforcement, which says I can do VLAN assignment, but how do I authenticate users if I don't have an 802.1x service?

 

If I create (which I did) the enforcement policies that use SNMP to push VLAN assignment, then these policies do not show up in the enforcement tab, so I cannot choose them if I am in the RADIUS service.

 

So basically, if I use RADIUS, I cannot use SNMP VLAN assignment, and if I use SNMP to assign VLANs, I cannot authenticate with 802.1x.

 

Thanks

Guru Elite

Re: Clarification on 802.1x and vlan enforcement

You have to choose either RADIUS-based enforcement (recommended) or SNMP-based enforcement. VLAN can most definitely be assigned via RADIUS using a standard IETF VLAN enforcement or assigning it directly to the user role.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
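The "standard IETF VLAN enforcement" in the reply above is the RFC 3580 trio of RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>) carried in the RADIUS Access-Accept. The block below is an added example, not code from the thread or from ClearPass/HPE: it encodes those three attributes, signs the Access-Accept the way RFC 2865 requires, and then decodes the packet the way a switch does, assigning the VLAN only when all three attributes are present and consistent. The shared secret, request authenticator, packet identifier and VLAN IDs are constructed test values.

```python
"""
Added example (not from the thread): build, sign, verify and decode a RADIUS
Access-Accept carrying the RFC 3580 VLAN assignment attributes.
Secret, request authenticator, identifier and VLAN numbers are made-up test values.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
# RFC 2868 tunnel attribute types; RFC 3580 fixes the values used for VLANs
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN ID (or VLAN name) as a string


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan: int, tag: int = 0) -> bytes:
    """The three tagged attributes that together assign one VLAN (RFC 3580 §3.31)."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of range")
    # Integer tunnel attributes carry a 1-byte tag followed by a 3-byte value (RFC 2868 §3.1)
    t_type = bytes([tag]) + (13).to_bytes(3, "big")
    t_medium = bytes([tag]) + (6).to_bytes(3, "big")
    # String tunnel attribute: tag byte, then the group identifier
    t_group = bytes([tag]) + str(vlan).encode()
    return (_avp(TUNNEL_TYPE, t_type)
            + _avp(TUNNEL_MEDIUM_TYPE, t_medium)
            + _avp(TUNNEL_PRIVATE_GROUP_ID, t_group))


def access_accept(identifier: int, request_authenticator: bytes,
                  secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept with the RFC 2865 §3 Response Authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the NAS checks before trusting anything in the reply."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list; reject truncated or zero-length attributes."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def assigned_vlan(packet: bytes) -> Optional[int]:
    """RFC 3580 switch behaviour: VLAN only if Type=VLAN, Medium=IEEE-802 and a Group-ID agree."""
    found = {}
    for t, v in parse_attributes(packet):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            found[t] = int.from_bytes(v[1:], "big")        # skip the tag byte
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868: a leading byte <= 0x1F is a tag, anything larger is data
            found[t] = (v[1:] if v[0] <= 0x1F else v).decode(errors="replace")
    if found.get(TUNNEL_TYPE) != 13 or found.get(TUNNEL_MEDIUM_TYPE) != 6:
        return None   # a lone Tunnel-Private-Group-ID, or a vendor attribute, is ignored
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(gid) if gid.isdigit() else None   # VLAN names are legal too; numeric only here


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # assumption: test value only
    req_auth = os.urandom(16)               # in reality copied from the Access-Request
    pkt = access_accept(42, req_auth, secret, vlan_attributes(2))
    print("valid:", verify_access_accept(pkt, req_auth, secret), "vlan:", assigned_vlan(pkt))
```

Running the script shows a valid reply that assigns VLAN 2; feeding `assigned_vlan` a reply that carries only a Tunnel-Private-Group-ID, or a vendor-specific attribute the switch firmware does not understand, returns no VLAN at all. That is the practical check behind the thread: Access Tracker reports which enforcement profile ClearPass chose, not whether the switch acted on the attributes it received, so when the profile looks right and the port stays put, compare the attributes in the Access-Accept (Access Tracker's output tab, or a capture on UDP 1812) against what the switch's software release supports.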
Occasional Contributor II

Re: Clarification on 802.1x and vlan enforcement

Thanks heaps, using IETF on the switch worked.
