Contributor I

Dynamic VLAN assignment based on custom LDAP group

Hello community,


I'm setting up an SSID which will authorize users (assign VLAN) based on their custom LDAP groups. The problem arises when I try changing their groups dynamically so that they can receive a new VLAN. It doesn't work because the CPPM has cached user groups locally after the previous query to LDAP, so users still receive the old groups and old VLAN after reauthentication. Due to specific requirements, the action of changing users' LDAP groups (which will translate to a new VLAN and new policy) will happen quite often (at least several times during the working day).


Do we have any way to accomplish this? I don't want to disable the cache option since it may cause performance issues with CPPM.


Thank you very much,
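To make the failure mode in this post concrete, here is a small simulation (an added example, not code from the original thread and not ClearPass code) of an authorization cache sitting in front of an LDAP directory. The group names, VLAN IDs, user name and TTL are constructed, and the `invalidate()` method illustrates a generic per-user cache flush; the example does not claim that CPPM exposes such a control. It shows why a reauthentication served from the cache still yields the old VLAN after the directory group has changed, and how a shorter TTL or an explicit invalidation changes the outcome, while counting how many directory queries each approach costs.

```python
"""Constructed simulation of a group->VLAN lookup behind a TTL cache.

Not ClearPass code: the Directory and CachedAuthorizer classes are stand-ins
for an LDAP server and a NAC policy engine, used to show stale-group behaviour.
"""
import time

# Constructed policy: group -> VLAN. Order matters: first matching group wins.
GROUP_TO_VLAN = {
    "isp-a-testers": 110,   # hypothetical group for ISP A test traffic
    "isp-b-testers": 120,   # hypothetical group for ISP B test traffic
}
DEFAULT_VLAN = 999          # constructed quarantine VLAN when no group matches


class Directory:
    """Stand-in for the LDAP server: holds each user's current group list."""

    def __init__(self):
        self._groups = {}

    def set_groups(self, user, groups):
        self._groups[user] = list(groups)

    def lookup(self, user):
        return list(self._groups.get(user, []))


class CachedAuthorizer:
    """Caches directory group lookups per user for ttl_seconds.

    The clock is injectable so the behaviour can be reproduced deterministically.
    """

    def __init__(self, directory, ttl_seconds, clock=time.monotonic):
        self.directory = directory
        self.ttl = ttl_seconds
        self.clock = clock
        self.cache = {}              # user -> (expires_at, groups)
        self.directory_queries = 0   # how many times LDAP was actually asked

    def groups_for(self, user):
        now = self.clock()
        entry = self.cache.get(user)
        if entry is not None and entry[0] > now:
            return entry[1]          # served from cache: may be stale
        groups = self.directory.lookup(user)
        self.directory_queries += 1
        self.cache[user] = (now + self.ttl, groups)
        return groups

    def invalidate(self, user):
        """Hypothetical per-user flush: forces the next lookup to hit LDAP."""
        self.cache.pop(user, None)

    def vlan_for(self, user):
        groups = self.groups_for(user)
        for group, vlan in GROUP_TO_VLAN.items():
            if group in groups:
                return vlan
        return DEFAULT_VLAN


class FakeClock:
    """Manually advanced clock so TTL expiry can be demonstrated without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo(ttl_seconds=3600):
    """Walk through: authenticate, move user between groups, reauthenticate."""
    clock = FakeClock()
    ldap = Directory()
    auth = CachedAuthorizer(ldap, ttl_seconds, clock=clock)

    ldap.set_groups("alice", ["isp-a-testers"])       # constructed user
    first = auth.vlan_for("alice")                    # LDAP queried: VLAN 110

    ldap.set_groups("alice", ["isp-b-testers"])       # admin moves alice to ISP B
    stale = auth.vlan_for("alice")                    # cache hit: still VLAN 110

    clock.advance(ttl_seconds + 1)                    # wait out the TTL
    after_ttl = auth.vlan_for("alice")                # LDAP queried: VLAN 120

    ldap.set_groups("alice", ["isp-a-testers"])       # moved back to ISP A
    auth.invalidate("alice")                          # explicit flush before reauth
    after_invalidate = auth.vlan_for("alice")         # LDAP queried: VLAN 110

    return {
        "first": first,
        "stale": stale,
        "after_ttl": after_ttl,
        "after_invalidate": after_invalidate,
        "directory_queries": auth.directory_queries,
    }


if __name__ == "__main__":
    print(demo())
```

The `stale` value is the symptom described in the post: the reauthentication never reaches the directory, so the old group and old VLAN are returned. The query counter shows the trade-off the thread is about: only lookups that miss the cache cost a directory round trip, so a short TTL or a targeted flush on group change keeps most of the caching benefit while the "disable the cache" option would pay one query per authentication.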

Guru Elite

Re: Dynamic VLAN assignment based on custom LDAP group

The only option would be to disable the cache.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Dynamic VLAN assignment based on custom LDAP group

Hi Tim,


I have approximately 5000 devices authenticating through CPPM. Will it cause a huge performance issue if I disable the cache? And what should I do to limit the impact?


Thank you,

Guru Elite

Re: Dynamic VLAN assignment based on custom LDAP group

It varies based on the environment. You'll have to try it. I'm very curious why users are being added and removed from groups on a regular basis.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Dynamic VLAN assignment based on custom LDAP group

Hi,


Let me clarify the requirements. Our users want to test their products through different ISPs, so we came up with an idea to associate their accounts with different LDAP groups and, based on those settings, source-route their traffic through the ISP they want to test. Since their work is just doing tests like this, it will happen on a regular basis (change group -> change VLAN -> change ISP).


Normally the cache is very useful, but not in this case. I wonder if we can have any other solution for dynamic VLAN changing except using LDAP groups?


Thank you,

Contributor I

Re: Dynamic VLAN assignment based on custom LDAP group

I have thought about using the group (role) locally on CPPM, but it looks like there's no way to map the username on LDAP to a local group on CPPM.


Any ideas are very welcome.
