MVP
Posts: 710
Registered: ‎03-25-2009

HP850 WLAN, use AP-group info?

So I'm setting up ClearPass for a company that will just be running their HP WLAN and Aruba WLAN side by side.

Now I need to change the current user-only authentications into machine + user. So far no problem.

But I also need to return different vlans depending on which AP-group the AP is in. For the Aruba WLAN I can just use the Aruba-AP-Group or even the Called-Station-Id.

With the HP controller, I cannot seem to find anything that references this.

So, does anybody have any idea how to differentiate which AP group the authentication originated from? Or other ideas to get this resolved without having to manage a MAC list of all the APs?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: HP850 WLAN, use AP-group info?

Can you post a screen grab of the RADIUS request with all the VSAs?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 710
Registered: ‎03-25-2009

Re: HP850 WLAN, use AP-group info?

Managed to figure out a way to do it. Not the prettiest solution but at least it works.

 

If I configure the service-template (~SSID profile) with a vlan:

wlan ap-group algdi
 if-match ip 10.10.10.0 255.255.255.0
 ap ap-3.1
 ap ap-3.3
 ap ap-4.4
 dot11a service-template 1 vlan-id 123
 dot11a service-template 2 vlan-id 123
 dot11bg service-template 1 vlan-id 123
 dot11bg service-template 2 vlan-id 123

then this VLAN ID is sent along with the RADIUS request as part of the NAS-Port-Id:

 

Input RADIUS Attributes -
Radius:IETF:Acct-Session-Id = 11607121154130ed09a5627f
Radius:IETF:Called-Station-Id = 2C-41-38-DB-AA-8E:clearpasshp
Radius:IETF:Calling-Station-Id = 28-B2-BD-42-D8-1C
Radius:IETF:Chargeable-User-Identity = 
Radius:IETF:Framed-MTU = 768
Radius:IETF:Framed-Protocol = 1
Radius:IETF:NAS-Identifier = AC1
Radius:IETF:NAS-IP-Address = 10.10.10.34
Radius:IETF:NAS-Port = 16811984
Radius:IETF:NAS-Port-Id = slot=1;subslot=0;port=8;vlanid=123
Radius:IETF:NAS-Port-Type = 19
Radius:IETF:Service-Type = 2
Radius:IETF:User-Name = DOMAIN\\user

That is the only way I found to get dynamic VLANs that take the AP group into account.

And for your reference, Cappalli, these are all the RADIUS VSAs that I receive in the request.

EDIT: If you solve it like this, be sure to add ALL the VLANs you may be pushing to users from this AP group. The HP WLAN controller seems to send the previously pushed VLAN when a user switches networks instead of the default VLAN.

Koen (ACMX #351 | ACDX #547 | ACCP)

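The lookup described in the post above, as an added worked example that is not from the original thread and not ClearPass code: it models in Python what the enforcement policy has to do, namely parse `vlanid=` out of NAS-Port-Id for the HP controller (or read Aruba-AP-Group for the Aruba controller), map it back to an AP group, and then pick the VLAN to return. The AP-group name `hq`, all VLAN numbers other than 123, the access-tier labels, and the sample requests are constructed for illustration; the attribute key names follow the ClearPass display format shown in the post, and `Radius:Aruba:Aruba-AP-Group` is assumed to be the dictionary name of the Aruba VSA. Per the EDIT in the post, every VLAN an AP group can ever carry (the service-template default plus every VLAN pushed to clients) is mapped back to that group, and an unrecognised or missing VLAN fails closed instead of guessing.

```python
"""Pick a VLAN from a RADIUS request by recovering the originating AP group.

Added example for this thread, not ClearPass code and not from the original
posts: it models in Python what the enforcement policy has to do.
"""
from typing import Dict, Optional

# Constructed policy data. The AP-group name "hq", the VLAN numbers other than
# 123 and the access-tier labels are hypothetical.
#
# The HP controller only reveals the VLAN configured on the service-template
# (NAS-Port-Id "...;vlanid=N"), and after a client has been moved it may report
# the VLAN previously pushed by ClearPass instead of the default. So every VLAN
# an AP group can ever carry must map back to that group.
HP_VLAN_TO_AP_GROUP: Dict[int, str] = {
    123: "algdi",  # default vlan-id on ap-group algdi's service-templates
    124: "algdi",  # VLAN ClearPass returns for machine+user clients in algdi
    125: "algdi",  # VLAN ClearPass returns for user-only clients in algdi
    223: "hq",
    224: "hq",
    225: "hq",
}

# Per AP group, the VLAN to return for each access tier.
VLAN_POLICY: Dict[str, Dict[str, int]] = {
    "algdi": {"machine+user": 124, "user-only": 125},
    "hq": {"machine+user": 224, "user-only": 225},
}

# Assumed ClearPass dictionary name for the Aruba VSA; NAS-Port-Id as on the page.
ARUBA_AP_GROUP_ATTR = "Radius:Aruba:Aruba-AP-Group"
NAS_PORT_ID_ATTR = "Radius:IETF:NAS-Port-Id"


def parse_nas_port_id(nas_port_id: str) -> Dict[str, str]:
    """Split 'slot=1;subslot=0;port=8;vlanid=123' into its key=value fields."""
    fields: Dict[str, str] = {}
    for part in nas_port_id.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def ap_group_from_request(attrs: Dict[str, str]) -> Optional[str]:
    """Return the AP group the request came from, or None if it cannot be told."""
    # Aruba controllers send the AP group directly as a VSA.
    if ARUBA_AP_GROUP_ATTR in attrs:
        return attrs[ARUBA_AP_GROUP_ATTR]
    # HP controller: infer it from the service-template VLAN in NAS-Port-Id.
    vlan = parse_nas_port_id(attrs.get(NAS_PORT_ID_ATTR, "")).get("vlanid", "")
    if not vlan.isdigit():
        return None
    return HP_VLAN_TO_AP_GROUP.get(int(vlan))


def vlan_to_return(attrs: Dict[str, str], tier: str) -> Optional[int]:
    """VLAN to push for this request, or None (no override; caller can reject)."""
    group = ap_group_from_request(attrs)
    if group is None:
        return None  # fail closed rather than guessing a VLAN
    return VLAN_POLICY.get(group, {}).get(tier)


# Constructed sample requests (attribute subsets in ClearPass' display format).
HP_REQUEST = {
    "Radius:IETF:NAS-Identifier": "AC1",
    "Radius:IETF:Called-Station-Id": "2C-41-38-DB-AA-8E:clearpasshp",
    NAS_PORT_ID_ATTR: "slot=1;subslot=0;port=8;vlanid=123",
    "Radius:IETF:User-Name": "DOMAIN\\user",
}
# Same client after it was already moved to VLAN 125: the controller reports
# the pushed VLAN, not the default 123, which the map above still resolves.
HP_REQUEST_AFTER_MOVE = dict(HP_REQUEST, **{NAS_PORT_ID_ATTR: "slot=1;subslot=0;port=8;vlanid=125"})
ARUBA_REQUEST = {ARUBA_AP_GROUP_ATTR: "hq", "Radius:IETF:User-Name": "DOMAIN\\user"}

if __name__ == "__main__":
    for name, req in [("hp", HP_REQUEST), ("hp-moved", HP_REQUEST_AFTER_MOVE), ("aruba", ARUBA_REQUEST)]:
        print(name, ap_group_from_request(req), vlan_to_return(req, "machine+user"))
```

The reverse map is the part that silently breaks if it is incomplete: a request carrying a VLAN that is missing from `HP_VLAN_TO_AP_GROUP` resolves to no AP group, so the policy should treat that as a deny or a default-VLAN result it can see in the logs, not as a match on some other group.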