Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Machine and User Auth VLAN Query

  • 1.  ClearPass Machine and User Auth VLAN Query

    Posted Jan 10, 2017 09:32 PM

    Hi there,

    I have a client who has a use case that I have never encountered before. They are authenticating both machines and users via certificates to ClearPass (EAP-TLS) and AD.

    When a machine boots up and connects to the SSID, it dynamically gets pushed a VLAN ID via the 'Aruba-User-Vlan' attribute in the ClearPass Enforcement Profile. The VLAN ID is determined by the AD computer group they are a member of. This works fine.

    When the user logs in to the machine (and connects to the same SSID), my client wants to keep the IP address that the machine received upon its initial boot, and not obtain a new IP address when the user logs in.

    I have removed the VLAN assignment from ClearPass for all users, but they still get put into the VLAN ID that the SSID on the Mobility Controller is assigned to.

    I can't see a way where this is possible. Any ideas?

    -Brett



  • 2.  RE: ClearPass Machine and User Auth VLAN Query

    EMPLOYEE
    Posted Jan 10, 2017 09:34 PM
    Return the same VLAN ID or name for both Machine Authentication and User Authentication.


  • 3.  RE: ClearPass Machine and User Auth VLAN Query

    Posted Jan 10, 2017 09:38 PM

    Hi Tim,

    Thanks for the response. However, there are two computer VLANs and many user VLANs.

    -Brett



  • 4.  RE: ClearPass Machine and User Auth VLAN Query

    EMPLOYEE
    Posted Jan 10, 2017 09:39 PM
    Use named VLANs on the controller and then return a name in the RADIUS response.


  • 5.  RE: ClearPass Machine and User Auth VLAN Query

    Posted Jan 10, 2017 09:47 PM

    I'm not sure we are on the same page; I apologise.

    The computer could be part of one of two VLANs. The users could be part of approx. 15 user groups. They want the user to stay in the original VLAN (either VLAN X or VLAN Y, for example) that the computer joined upon startup.

    If I understand it correctly, when the user logs on, it essentially reconnects to the SSID, forcing a completely new RADIUS request.

    -Brett



  • 6.  RE: ClearPass Machine and User Auth VLAN Query

    EMPLOYEE
    Posted Jan 10, 2017 09:51 PM
    If you want to use two different identity contexts, you'll have to put all your VLANs in one name/pool and return that name for both authentications.


  • 8.  RE: ClearPass Machine and User Auth VLAN Query

    Posted Jan 10, 2017 11:03 PM

    Thanks Tim,

    Correct me if I'm wrong, but this will round-robin the VLAN that the laptop is put into and has a 50% chance of being put in the same VLAN as the laptop.

    Consider these scenarios:

    Laptop A gets put into VLAN X before user logon --> User 'Bob' logs on and gets put into VLAN X

    Laptop B gets VLAN Y before user logon --> User 'Bob' logs on and gets put into VLAN Y.

    How do I make 'Bob' get put into the same VLAN as the laptop received when it booted up? So VLAN X when on laptop A, and VLAN Y when on laptop B.

    -Brett



  • 9.  RE: ClearPass Machine and User Auth VLAN Query

    EMPLOYEE
    Posted Jan 11, 2017 05:39 AM
    The question is, why are you returning a VLAN? Just return an accept, and both the user and computer will be in the VLAN under the Virtual AP profile. Returning a different VLAN for user and computer authentication will break connectivity and is not needed in the majority of situations. Wired computers do not put the computer and user in different vlans and they work just fine. You should follow that model.


  • 10.  RE: ClearPass Machine and User Auth VLAN Query

    Posted Jan 11, 2017 06:11 AM

    @cjoseph wrote:
    Wired computers do not put the computer and user in different vlans and they work just fine. You should follow that model.

    This was something I brought up, but they insisted on doing it anyway.

    TAC came up with a complete hack by writing a heap of 'post authentication' policies, which was very messy. My client has decided that it was too hard to maintain long term. It worked, but when running a continuous ping to the IP address as it changed from computer auth to user auth on the SSID, connectivity dropped for about 6 seconds every time, which negates their requirement.

    Thanks for the responses.



  • 11.  RE: ClearPass Machine and User Auth VLAN Query

    Posted Jan 11, 2017 06:21 AM

    @cjoseph wrote:
    The question is, why are you returning a VLAN? Just return an accept, and both the user and computer will be in the VLAN under the Virtual AP profile.

    I tried returning an 'accept' profile with no VLAN. But the VLAN set in the VAP profile had nothing to do with the dynamic VLAN that the computer had been put into.


