Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Do Named VLAN VSAs Work?

  • 1.  Do Named VLAN VSAs Work?

    Posted Jun 05, 2013 03:36 PM

    I am trying to confirm whether it is possible to use ClearPass to respond to an authentication with a named VLAN assignment?

    In my Enforcement Policy/Profile I am returning the Aruba-Named-Vlan (9) attribute. On the controller side, I have configured the server rule to look for Aruba-User-Named-Vlan and to set a value-of for VLAN assignment. When looking at the logs, I see the proper policy/profile application and ClearPass sending the attribute, but the controller reports:

     

    Derived VLAN -1 from server rules: server-group=clearpass.radius.group 
    Assigned VLAN -1 is not configured, using default VLAN XXXX

     

    1. First, are the Aruba-User-Named-Vlan and Aruba-Named-Vlan the same; both say they are attribute #9; so I assume yes.
    2. Second, should this VSA response work for named VLANs?


  • 2.  RE: Do Named VLAN VSAs Work?

    Posted Jun 05, 2013 03:47 PM

    Not sure if you were able to create the vlan-name under the master controller:

     

    (master-controller) (config) #vlan-name  ?
    <name> Vlan name <1..32>

    (master-controller) (config) #vlan-name test

     

    And once you define the VLAN number under the local controller:

     

    (local-controller) (config) #vlan test ?
    <vlan-ids> List of VLAN IDs(0-removes all vlans)

     

    We were able to set up something similar using ClearPass.

     

    Hope this helps.

     



  • 3.  RE: Do Named VLAN VSAs Work?

    EMPLOYEE
    Posted Jun 05, 2013 04:07 PM

    @clembo wrote:

    I am trying to confirm whether it is possible to use ClearPass to respond to an authentication with a named VLAN assignment?

    In my Enforcement Policy/Profile I am returning the Aruba-Named-Vlan (9) attribute. On the controller side, I have configured the server rule to look for Aruba-User-Named-Vlan and to set a value-of for VLAN assignment. When looking at the logs, I see the proper policy/profile application and ClearPass sending the attribute, but the controller reports:

     

    Derived VLAN -1 from server rules: server-group=clearpass.radius.group 
    Assigned VLAN -1 is not configured, using default VLAN XXXX

     

    1. First, are the Aruba-User-Named-Vlan and Aruba-Named-Vlan the same; both say they are attribute #9; so I assume yes.
    2. Second, should this VSA response work for named VLANs?

    Clembo,

     

    VLAN names in Auth, meaning being able to send back a VLAN name or pool as a VSA, should be supported in 6.3.x. Please watch this space...

     

     



  • 4.  RE: Do Named VLAN VSAs Work?

    Posted Jun 05, 2013 04:12 PM

    Cjoseph 

    we currently have it working on 6.2.0.3

     

    What will be supported in 6.3 is VLAN name pools.

     

     



  • 5.  RE: Do Named VLAN VSAs Work?

    EMPLOYEE
    Posted Jun 05, 2013 04:16 PM

    Well Vfabian,

     

    If you have it working, I would instruct Clembo on how to fix his issue, then.

     



  • 6.  RE: Do Named VLAN VSAs Work?

    Posted Jun 05, 2013 04:27 PM

     

    We wanted to have users that are part of a certain AD group using smartphones to be placed on a particular user-role and named VLAN.

     

    We tied this enforcement rule to the 802.1x service 

    [Screenshot: ClearPass Policy Manager enforcement policy, captured 2013-06-05]

     

    We created the named VLAN CISCO-JABBER-VLAN-B on the master (not as a pool) and also created the actual user-role SECURE-VOICE-ROLE-B

     

    You don't need to create a server rule under the controller to assign that named VLAN

     

    And it's been working with no issues.
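To make the controller-side behaviour discussed in replies 2 and 6 concrete, here is an added Python example (not code from this thread, from ClearPass or from ArubaOS). It encodes the Aruba named-VLAN VSA as an RFC 2865 Vendor-Specific attribute, decodes it back, and models the lookup the controller performs against its vlan-name table, so that a name that was never created on the master with vlan-name (or never mapped to VLAN IDs on the local, the step reply 2 points at) produces the "Derived VLAN -1 ... using default VLAN" lines the original poster saw. The Aruba vendor ID 14823 is the public Aruba RADIUS dictionary value and is not stated in the thread; the controller name table and sample VLAN names are constructed.

```python
"""Added example: encode/decode the Aruba named-VLAN RADIUS VSA (RFC 2865
Vendor-Specific attribute) and model the controller-side name lookup that
produces the "Derived VLAN -1" log lines quoted in the thread."""
import struct
from typing import Dict, List, Optional, Tuple

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823     # Aruba Networks IANA enterprise number (assumed; not stated in the thread)
ARUBA_NAMED_USER_VLAN = 9   # sub-attribute 9, the named-VLAN VSA the thread refers to
MAX_VLAN_NAME_LEN = 32      # matches the controller prompt "<name> Vlan name <1..32>"


def encode_named_vlan_vsa(vlan_name: str) -> bytes:
    """Build the on-the-wire VSA: type, length, vendor-id, vendor-type, vendor-length, value."""
    value = vlan_name.encode("ascii")
    if not 1 <= len(value) <= MAX_VLAN_NAME_LEN:
        raise ValueError("VLAN name must be 1..32 ASCII characters")
    vendor_data = struct.pack("!BB", ARUBA_NAMED_USER_VLAN, 2 + len(value)) + value
    header = struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vendor_data), ARUBA_VENDOR_ID)
    return header + vendor_data


def decode_named_vlan_vsa(attr: bytes) -> Optional[str]:
    """Return the VLAN name carried in an Aruba named-VLAN VSA, or None for anything else."""
    if len(attr) < 8:
        return None
    attr_type, attr_len, vendor_id = struct.unpack("!BBI", attr[:6])
    if attr_type != ATTR_VENDOR_SPECIFIC or attr_len != len(attr) or vendor_id != ARUBA_VENDOR_ID:
        return None
    vendor_type, vendor_len = struct.unpack("!BB", attr[6:8])
    if vendor_type != ARUBA_NAMED_USER_VLAN or vendor_len != len(attr) - 6:
        return None
    return attr[8:].decode("ascii")


def derive_vlan(vlan_name: str, vlan_names: Dict[str, List[int]], default_vlan: int) -> Tuple[int, List[str]]:
    """Model the controller step: a name created on the master (vlan-name) and mapped to IDs on the
    local (vlan <name> <ids>) resolves; anything else derives -1 and falls back to the default VLAN.
    A multi-ID entry stands in for a pool; this model simply takes the first ID.
    Returns (assigned VLAN id, log lines in the format quoted in the thread)."""
    ids = vlan_names.get(vlan_name, [])
    if ids:
        return ids[0], [f"Derived VLAN {ids[0]} from server rules: server-group=clearpass.radius.group"]
    return default_vlan, [
        "Derived VLAN -1 from server rules: server-group=clearpass.radius.group",
        f"Assigned VLAN -1 is not configured, using default VLAN {default_vlan}",
    ]


def check_vsa_against_controller(attr: bytes, vlan_names: Dict[str, List[int]], default_vlan: int) -> Tuple[int, List[str]]:
    """End to end: decode what ClearPass returned, then resolve it the way the controller would."""
    name = decode_named_vlan_vsa(attr)
    if name is None:
        return default_vlan, [f"No Aruba named-VLAN VSA in Access-Accept, using default VLAN {default_vlan}"]
    return derive_vlan(name, vlan_names, default_vlan)


if __name__ == "__main__":
    # Constructed sample controller config: names created on the master, IDs mapped on the local.
    controller = {"test": [100], "CISCO-JABBER-VLAN-B": [210, 211]}
    for name in ("test", "CISCO-JABBER-VLAN-B", "VOICE-POOL-NOT-CREATED"):
        vlan, log = check_vsa_against_controller(encode_named_vlan_vsa(name), controller, 1)
        print(f"{name}: assigned VLAN {vlan}")
        for line in log:
            print("  " + line)
```

The useful check for a practitioner is the third sample name: ClearPass sends a perfectly well-formed VSA, yet the controller lands on the default VLAN, which is exactly the symptom in the first post. Comparing the decoded name against the controller's vlan-name table (and its local VLAN ID mapping) is the first thing to verify before suspecting the enforcement profile.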

     

     



  • 7.  RE: Do Named VLAN VSAs Work?

    Posted Jun 05, 2013 11:13 PM

    Thanks for the comments guys. The named VLANs themselves have been working for a while now, being assigned by the VAP. The setup you show Victor is similar to what we are attempting, but the named VLAN is a pool of 32 subnets. Colin, to clarify, it is your understanding that this setup with named VLANs set up as a pool should also work in the upcoming 6.3?

     

    On a separate but related note, will there be support for assigning named vlans to user roles?  We could get around this if we could assign the named VLAN pool to the role.

     

     



  • 8.  RE: Do Named VLAN VSAs Work?
    Best Answer

    EMPLOYEE
    Posted Jun 06, 2013 07:18 AM

    Yes to all.



  • 9.  RE: Do Named VLAN VSAs Work?

    Posted Jun 13, 2013 01:04 PM