Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

HP850 WLAN, use AP-group info?

  • 1.  HP850 WLAN, use AP-group info?

    MVP
    Posted Jul 12, 2016 07:02 AM

    So I'm setting up Clearpass for a company that just will be running their HP WLAN and Aruba WLAN side by side.
    Now I need to change the current user-only authentications into machine + user. So far no problem.

    But I also need to return different vlans depending on which AP-group the AP is in. For the Aruba WLAN I can just use the Aruba-AP-Group or even the Called-Station-Id.

    With the HP controller, I cannot seem to find anything that references this.
    So does anybody have any idea on how to differentiate from which ap-group the authentication originated? Or other ideas to get this resolved without having to manage a MAC list of all the APs?



  • 2.  RE: HP850 WLAN, use AP-group info?

    EMPLOYEE
    Posted Jul 12, 2016 11:40 AM
    Can you post a screen grab of the RADIUS request with all the VSAs?


  • 3.  RE: HP850 WLAN, use AP-group info?

    MVP
    Posted Jul 13, 2016 06:27 AM

    Managed to figure out a way to do it. Not the prettiest solution but at least it works.
    If I configure the service-template (~SSID profile) with a vlan:

    wlan ap-group algdi
     if-match ip 10.10.10.0 255.255.255.0
     ap ap-3.1
     ap ap-3.3
     ap ap-4.4
     dot11a service-template 1 vlan-id 123
     dot11a service-template 2 vlan-id 123
     dot11bg service-template 1 vlan-id 123
     dot11bg service-template 2 vlan-id 123
    then this vlan id is sent along with the RADIUS request as part of the NAS-Port-Id:
    Input RADIUS Attributes -
    Radius:IETF:Acct-Session-Id = 11607121154130ed09a5627f
    Radius:IETF:Called-Station-Id = 2C-41-38-DB-AA-8E:clearpasshp
    Radius:IETF:Calling-Station-Id = 28-B2-BD-42-D8-1C
    Radius:IETF:Chargeable-User-Identity = 
    Radius:IETF:Framed-MTU = 768
    Radius:IETF:Framed-Protocol = 1
    Radius:IETF:NAS-Identifier = AC1
    Radius:IETF:NAS-IP-Address = 10.10.10.34
    Radius:IETF:NAS-Port = 16811984
    Radius:IETF:NAS-Port-Id = slot=1;subslot=0;port=8;vlanid=123
    Radius:IETF:NAS-Port-Type = 19
    Radius:IETF:Service-Type = 2
    Radius:IETF:User-Name = DOMAIN\\user

    That is the only way I found to get dynamic vlans that take the ap-group into account.
    And for your reference Capali, these are all the RADIUS VSAs that I receive in the request.
    EDIT: If you solve it like this, be sure to add ALL the vlans you may be pushing to users from this ap-group. The HP WLAN controller seems to send the previously pushed vlan when a user switches networks instead of the default vlan.
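The workaround above amounts to a policy rule of the form "parse the vlanid out of NAS-Port-Id, map it back to an AP-group, then return the VLAN for that group and role". The following is an added example of that logic in Python; it is not code from the thread or from ClearPass, and the AP-group/VLAN table, the roles and the `POLICY` mapping are assumptions constructed for illustration. It also encodes the caveat from the EDIT: each AP-group lists every VLAN it may push, and the VLAN sets are checked to be disjoint across groups, because a vlanid that appears under two groups can no longer identify where a re-authentication came from.

```python
"""Added example (not from the thread): derive the AP-group from the vlanid
carried in NAS-Port-Id and choose the VLAN to return.

Assumptions: attribute names follow the "Radius:IETF:<Name> = <value>" layout
shown in the post; AP-group names, VLAN numbers and roles are made up."""
from typing import Dict, Optional, Set, Tuple

# Constructed sample request in the same layout the post shows (not a capture).
SAMPLE_REQUEST = """\
Radius:IETF:Called-Station-Id = 2C-41-38-DB-AA-8E:clearpasshp
Radius:IETF:NAS-IP-Address = 10.10.10.34
Radius:IETF:NAS-Port-Id = slot=1;subslot=0;port=8;vlanid=123
Radius:IETF:NAS-Port-Type = 19
"""

# Assumed table. Per the EDIT in the thread, every VLAN that may be pushed to a
# client from an AP-group must be listed under that group, because on a
# re-auth the controller reports the previously assigned VLAN, not the default.
AP_GROUP_VLANS: Dict[str, Set[int]] = {
    "algdi": {123, 223, 323},   # group default 123 plus the VLANs it may push
    "office": {140, 240, 340},
}

# Assumed enforcement: VLAN to return per (ap-group, authenticated role).
POLICY: Dict[Tuple[str, str], int] = {
    ("algdi", "machine"): 223,
    ("algdi", "user"): 323,
    ("office", "machine"): 240,
    ("office", "user"): 340,
}


def check_disjoint(table: Dict[str, Set[int]]) -> bool:
    """True if no VLAN appears under two AP-groups; otherwise the vlanid
    cannot identify the group on a re-auth and the mapping is unsafe."""
    seen: Set[int] = set()
    for vlans in table.values():
        if seen & vlans:
            return False
        seen |= vlans
    return True


def parse_request(text: str) -> Dict[str, str]:
    """Split "key = value" lines into a dict; lines without ' = ' are skipped."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def parse_nas_port_id(value: str) -> Dict[str, str]:
    """Parse 'slot=1;subslot=0;port=8;vlanid=123' into its fields."""
    fields: Dict[str, str] = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def vlan_from_request(attrs: Dict[str, str]) -> Optional[int]:
    """Return the vlanid from NAS-Port-Id, or None if absent or malformed."""
    nas_port_id = attrs.get("Radius:IETF:NAS-Port-Id")
    if not nas_port_id:
        return None
    vid = parse_nas_port_id(nas_port_id).get("vlanid", "")
    return int(vid) if vid.isdigit() else None


def ap_group_for_vlan(vlan: int) -> Optional[str]:
    """Map a reported VLAN back to the single AP-group that may have set it."""
    matches = [g for g, vlans in AP_GROUP_VLANS.items() if vlan in vlans]
    return matches[0] if len(matches) == 1 else None  # unknown/ambiguous: no guess


def choose_vlan(request_text: str, role: str) -> Optional[int]:
    """Full decision: request text + role -> VLAN to return, or None to fall
    back to the service's default handling (e.g. deny or a quarantine VLAN)."""
    if not check_disjoint(AP_GROUP_VLANS):
        return None
    vlan = vlan_from_request(parse_request(request_text))
    if vlan is None:
        return None
    group = ap_group_for_vlan(vlan)
    if group is None:
        return None
    return POLICY.get((group, role))


if __name__ == "__main__":
    print(choose_vlan(SAMPLE_REQUEST, "user"))
    # Re-auth after VLAN 323 was pushed still resolves to the same group:
    print(choose_vlan(SAMPLE_REQUEST.replace("vlanid=123", "vlanid=323"), "user"))
```

The `check_disjoint` guard is the part worth keeping even if the rest is replaced by native ClearPass conditions: the moment the same VLAN is pushable from two AP-groups, the vlanid in NAS-Port-Id stops being a reliable stand-in for the AP-group on a re-authentication.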