Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass and Wired Ports on AP

  • 1.  Clearpass and Wired Ports on AP

    Posted Apr 28, 2017 04:49 PM

    Hi Everyone

    We are currently working on deploying our ClearPass solution, and we had an idea, but we're not sure if it's doable or not.

    Essentially, every endpoint in our database gets assigned a role, and from that role, a VLAN is assigned. (For example, IT admin gets VLAN 150, student gets VLAN 30.)

    What we would like to do is, while an AP wired port is configured for bridge mode, have a user with a role get the same VLAN they would get when plugging right into the switch.

    To make this a little clearer: my laptop has a role of IT admin. When I plug right into the switch, I get the right VLAN. However, if I plug into the 205H's wired port (which is configured for bridge), I get the same VLAN the AP is configured for. Is it possible to make it map to my role? We would prefer not to tunnel all wired traffic back to the controller.

    Any help is appreciated. Thanks


    Chris W



  • 2.  RE: Clearpass and Wired Ports on AP
    Best Answer

    EMPLOYEE
    Posted Apr 28, 2017 08:41 PM

    In bridge mode, you need to return the Aruba-User-Vlan attribute to the controller so that the client is placed into the correct VLAN.  In forwarding mode bridge, the VLAN is not obtained by the role.


    Further, you lose quite a bit of visibility and troubleshooting capability when you use bridge mode, as the traffic does not go through the controller.  Lastly, it is easier to trunk a single VLAN to the controller and have the wired traffic go to the controller vs. putting it out the AP and having to configure every AP port for each possible trunk you would like to deploy.  Bridge is an option for people who need it, but it is the exception rather than the rule.  Aruba Instant is made for people who want bridged SSIDs of any scale.
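    To make the first point concrete, here is an added example (not code from the thread, from ClearPass or from Aruba) that builds a RADIUS Access-Accept carrying the Aruba-User-Vlan vendor-specific attribute and then decodes it back, so you can see on the wire what the controller must receive to place a bridged wired client into a role's VLAN. It uses the RFC 2865 Vendor-Specific attribute (type 26), Aruba's IANA enterprise number 14823, and Aruba's sub-attribute numbering (Aruba-User-Role = 1, Aruba-User-Vlan = 2). The role names, the role-to-VLAN table (IT admin -> 150, student -> 30, the values quoted in the question), the shared secret and the request authenticator are constructed for the demo.

```python
"""
Constructed example: encode and decode a RADIUS Access-Accept that returns
Aruba-User-Vlan (and Aruba-User-Role) to an Aruba controller. Not taken from
ClearPass or Aruba code; role names, VLAN table, secret and authenticator are
assumptions for the demo.
"""
import hashlib
import struct

ARUBA_VENDOR_ID = 14823        # IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1            # Aruba-User-Role  (string)
ARUBA_USER_VLAN = 2            # Aruba-User-Vlan  (integer)
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute
CODE_ACCESS_ACCEPT = 2

# Role-to-VLAN policy table as described in the question (assumed names).
ROLE_VLANS = {"it-admin": 150, "student": 30}


def vsa(vendor_type: int, value: bytes) -> bytes:
    """One Vendor-Specific attribute (type 26) in the sub-attribute format:
    Type | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | Value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def aruba_user_vlan(vlan: int) -> bytes:
    """Aruba-User-Vlan is a 4-byte big-endian integer; reject invalid IDs."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of range: %r" % vlan)
    return vsa(ARUBA_USER_VLAN, struct.pack("!I", vlan))


def aruba_user_role(role: str) -> bytes:
    return vsa(ARUBA_USER_ROLE, role.encode())


def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Assemble Code | Identifier | Length | Response Authenticator | Attributes.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(request_auth) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator as the NAS would before trusting the VLAN."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return expected == resp_auth


def decode_vsas(packet: bytes) -> dict:
    """Walk the attribute list and extract Aruba sub-attributes by name."""
    out = {}
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        data = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", data[:4])[0] == ARUBA_VENDOR_ID:
            sub = data[4:]
            while sub:
                stype, slen = sub[0], sub[1]
                if slen < 2:
                    raise ValueError("malformed vendor sub-attribute")
                sval = sub[2:slen]
                if stype == ARUBA_USER_VLAN:
                    out["Aruba-User-Vlan"] = struct.unpack("!I", sval)[0]
                elif stype == ARUBA_USER_ROLE:
                    out["Aruba-User-Role"] = sval.decode()
                sub = sub[slen:]
        pos += alen
    return out


def accept_for_role(role: str, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """What the RADIUS server must return for a role so the controller sets the VLAN."""
    attrs = aruba_user_role(role) + aruba_user_vlan(ROLE_VLANS[role])
    return access_accept(ident, request_auth, secret, attrs)


if __name__ == "__main__":
    req_auth = bytes(range(16))          # constructed request authenticator
    pkt = accept_for_role("it-admin", 7, req_auth, b"demo-shared-secret")
    print(pkt.hex())
    print(decode_vsas(pkt), verify_response(pkt, req_auth, b"demo-shared-secret"))
```

    The practical check this gives you: capture the Access-Accept between ClearPass and the controller and confirm that a Vendor-Specific attribute with vendor ID 14823 and sub-type 2 is present with the expected VLAN. If the packet only carries Aruba-User-Role, a bridged port has nothing to act on and the client stays in the port's configured VLAN, which is the behaviour described in the question.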



  • 3.  RE: Clearpass and Wired Ports on AP

    Posted Apr 29, 2017 08:19 AM

    Hi Colin,

    The SSID traffic we are still tunneling back to the controller. It is the wired ports we want to bridge, the ones under the Wired AP profile. Would we still need to trunk all VLANs in that situation as well?

    We are a college environment and have 205Hs in our dormitories, and we would like to give students an option to still plug in their wired devices. Is it still the best option to tunnel this traffic back?

    Thanks for the help

    Chris



  • 4.  RE: Clearpass and Wired Ports on AP

    EMPLOYEE
    Posted Apr 29, 2017 11:41 AM

    The user traffic must enter your network somewhere.  If that somewhere is at the controller, you would be tunneling it back.  If that somewhere is at the access point, you must trunk every VLAN that you think a user would be on to the access point.