MVP

ClearPass Guest not map to correct Vlan

My configurations:

  1. Guest logs on to an open network in a temporary VLAN and is redirected to the ClearPass Guest captive portal.
  2. A ClearPass Guest account is created and assigned one of three roles: [Employee], [Guest], and [Contractor].
  3. In the controller, three roles were created (Employee, Guest, and Contractor), designed to map to the role in the ClearPass Guest account.
  4. In the controller, three VLANs were also created to map each guest role to its VLAN.

Everything is working correctly as designed: the guest is authenticated and mapped to the correct role in the controller. However, the guest VLAN is not mapped; the guest stays in the same VLAN he was first connected to.

My settings at the controller:

  • Server group includes Role/VLAN derivation rules for the attributes “Aruba-User-Vlan” and “Aruba-User-Role”
  • An RFC 3576 server was configured and included in the AAA profile

My settings at CPPM:

  • Two services:
  1. Application service for the captive portal guest, which checks the guest user against ClearPass Guest
  2. RADIUS service to map the guest to an enforcement profile
  • Enforcement profile for each role includes two attributes to send back to the controller: “Aruba-User-Vlan” and “Aruba-User-Role”. The Aruba-User-Role is OK, but Aruba-User-Vlan is not.
  • RADIUS CoA was enabled.

Am I missing anything?

Thanks,


~Trinh Nguyen~
Boys Town
Guru Elite

Re: ClearPass Guest not map to correct Vlan

Are you using Captive Portal for authentication?




Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite

Re: ClearPass Guest not map to correct Vlan

Some clients will not re-DHCP when the VLAN is changed out from under them.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: ClearPass Guest not map to correct Vlan

Colin,

Yes, I use the ClearPass Guest Captive Portal for authentication.

Thanks for the quick response.

~Trinh Nguyen~
Boys Town
Guru Elite

Re: ClearPass Guest not map to correct Vlan

Well, the only way that a guest will change VLANs is if the Wi-Fi link goes down and up, or their DHCP lease expires and they renew with a different address.


Colin Joseph
Aruba Customer Engineering


Aruba Employee

Re: ClearPass Guest not map to correct Vlan

Just going to throw my experience in the ring. Most importantly, your mileage may vary.

A partner and I labbed this up and tested it, and it worked with Windows, OS X, Android, and iOS. Below I have modified the instructions for the 6.5 MAC Caching Service. Please re-create your guest services from scratch in 6.5 using the Start Here option and selecting Guest Authentication with MAC Caching. Then make the following modifications:

  1. The result of ALL Successful logins on the RADIUS service is Aruba-Terminate-Session, instead of a RADIUS Accept or an Aruba-User-Role. Leave all other enforcement profiles, as we will need the Endpoint:MAC-Auth Expiry in order for MAC Caching to work.
  2. Aruba-User-Role is passed back as part of the MAC Caching service. Make sure the Aruba-User-Role that is being passed back matches exactly the User Roles on your Aruba Controller, and you have configured the appropriate VLAN on the controller for that role. You will need to modify the enforcement in order to pass back the Aruba-User-Role instead of the Allow Access Profile and break out different Aruba-User-Role enforcement profiles for each guest type.

There may be some operating systems that get stuck on their IP address and won't re-DHCP; I know Windows 7 wired VLAN changes don't work without a port bounce. Give this a try and let us know your results. Most users will disable and re-enable their wireless if they cannot get to the internet, at which point they will be on the correct VLAN if the Aruba-Terminate-Session didn't get their device to release its DHCP address.

Thanks,

Zach Jennings
Guru Elite

Re: ClearPass Guest not map to correct Vlan

Another thing that has worked in the past is to give the initial guest VLAN's DHCP server very short leases, like 30 seconds or less. According to the standard, if the DHCP lease is 30 seconds, the client will try to re-DHCP on the initial VLAN every 15 seconds, so when you switch the VLAN, the client will pick it up when it re-DHCPs.



Colin Joseph
Aruba Customer Engineering


MVP

Re: ClearPass Guest not map to correct Vlan

Zach,

Thanks for the detailed and interesting explanation. I excerpt #2 from your suggestion: it looks like in your design the service does not need to pass back “Aruba-User-Vlan” to the controller. Somehow you can match a role to a VLAN at the controller.

  • Aruba-User-Role is passed back as part of the MAC Caching service.
  • Make sure the Aruba-User-Role that is being passed back matches exactly the User Roles on your Aruba Controller. (Yes, this part is working.)
  • You have configured the appropriate VLAN on the controller for that role. (Yes, I have three VLANs for the three roles Employee, Guest, and Contractor. How can I connect them?)
  • You will need to modify the enforcement in order to pass back the Aruba-User-Role instead of the Allow Access Profile. (Yes, the Aruba-User-Role from CPPM passes back to the controller and the user gets that role.)
  • Break out different Aruba-User-Role enforcement profiles for each guest type. (Yes, done.)

~Trinh Nguyen~
Boys Town
MVP

Re: ClearPass Guest not map to correct Vlan

“According to the standard, if the DHCP lease is 30 seconds, the client will try to re-dhcp on the initial VLAN every 15 seconds, so when you switch the VLAN, the client will pick it up when IT re-dhcps”

Colin,

I tried setting the DHCP lease to 1 minute, the shortest time that Windows Server DHCP can do. The lease expiration changes, but the client gets the same IP address every minute. The client has not jumped to the designated VLAN.

~Trinh Nguyen~
Boys Town
Guru Elite

Re: ClearPass Guest not map to correct Vlan

The controller internal database can do seconds, FYI.


When you type "show user-table verbose", can you see that the user has switched VLANs? The current VLAN is in parentheses. If not, you have to check to make sure that the Aruba-User-Vlan attribute is being sent back correctly.



Colin Joseph
Aruba Customer Engineering

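One way to verify the last point, as an added example that is not part of this thread: decode the attribute list of the RADIUS reply the controller received (for instance from a packet capture or ClearPass Access Tracker) and confirm that both Aruba VSAs are present with the values the enforcement profile should send. The vendor ID 14823 and sub-attribute numbers 1 (Aruba-User-Role, string) and 2 (Aruba-User-Vlan, integer) are taken from the Aruba RADIUS dictionary; the role name "Contractor" and VLAN 30 are constructed sample values.

```python
import struct

ARUBA_VENDOR_ID = 14823  # Aruba enterprise number (Aruba RADIUS dictionary)
ARUBA_USER_ROLE = 1      # Aruba-User-Role, string
ARUBA_USER_VLAN = 2      # Aruba-User-Vlan, integer
VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type

def aruba_vsa(vendor_type, value):
    """Encode one Aruba VSA as an RFC 2865 Vendor-Specific attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", ARUBA_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def parse_attributes(raw):
    """Walk a RADIUS attribute list; return Aruba VSAs keyed by vendor type."""
    found, pos = {}, 0
    while pos + 2 <= len(raw):
        attr_type, attr_len = raw[pos], raw[pos + 1]
        if attr_len < 2 or pos + attr_len > len(raw):
            raise ValueError("malformed attribute at offset %d" % pos)
        payload = raw[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != VENDOR_SPECIFIC or len(payload) < 6:
            continue  # not a VSA, or too short for vendor id + sub-attribute header
        if struct.unpack("!I", payload[:4])[0] != ARUBA_VENDOR_ID:
            continue  # some other vendor's VSA
        sub = payload[4:]
        while len(sub) >= 2:  # one VSA may carry several vendor sub-attributes
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed Aruba sub-attribute")
            vdata, sub = sub[2:vlen], sub[vlen:]
            if vtype == ARUBA_USER_VLAN and len(vdata) == 4:
                found[vtype] = struct.unpack("!I", vdata)[0]
            else:
                found[vtype] = vdata.decode(errors="replace")
    return found

def check_enforcement(raw, expected_role, expected_vlan):
    """Return a list of problems; empty means both attributes came back as expected."""
    vsas, problems = parse_attributes(raw), []
    if vsas.get(ARUBA_USER_ROLE) != expected_role:
        problems.append("Aruba-User-Role missing or wrong: %r" % vsas.get(ARUBA_USER_ROLE))
    if vsas.get(ARUBA_USER_VLAN) != expected_vlan:
        problems.append("Aruba-User-Vlan missing or wrong: %r" % vsas.get(ARUBA_USER_VLAN))
    return problems

# Constructed samples: a reply carrying both VSAs, and one where only the role came back.
GOOD = aruba_vsa(ARUBA_USER_ROLE, "Contractor") + aruba_vsa(ARUBA_USER_VLAN, 30)
ROLE_ONLY = aruba_vsa(ARUBA_USER_ROLE, "Contractor")
```

If `check_enforcement` reports the VLAN missing while the role is present, the enforcement profile on CPPM is the place to look; if both are present but the controller still shows the old VLAN, the client-side re-DHCP behaviour discussed above is the more likely cause.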
