Contributor I
Posts: 29
Registered: ‎01-26-2012

Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

Hi, I'm trying to set up a function that redirects BYODs to a different VLAN than PCs logging into the same SSID. I have set up a user rule for BYODs and that is working quite right. The BYODs get the correct user rule and the PCs the rule that they should have. The problem starts when I set the BYOD rule to use another VLAN than the authenticated VLAN rule. Then the BYODs fail to log in to the SSID. I have tried to set it the other way around so the PCs are sent to another VLAN than the authenticated VLAN rule, and then the PC gets the correct IP address, but it is unable to get any resources on the network. It's logged in, but does not work. The authentication type is 802.1X. Does anyone have a clue what I have done wrong?

Guru Elite
Posts: 20,568
Registered: ‎03-29-2007

Re: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.



For now, this only works with an "open" SSID with no encryption. It is an open issue and will certainly take some time to fix, in my estimation.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 29
Registered: ‎01-26-2012

Re: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.


Thank you, then I understand why I can't make it work.

 

Tom C.

 

Guru Elite
Posts: 20,568
Registered: ‎03-29-2007

Re: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

Sorry that is the case.  Have you tried to use "enforce machine authentication" to accomplish the same thing?



Colin Joseph
Aruba Customer Engineering


Moderator
Posts: 150
Registered: ‎11-14-2011

Re: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

Could you potentially leverage RADIUS VSAs returned from your 802.1X terminating RADIUS server? For example, if your PCs pass machine authentication (assuming they are domain computers), allow them to connect to the standard authenticated VLAN. If the device fails machine authentication and hence is a BYOD, then return the Aruba-User-VLAN attribute with the desired VLAN ID.

 

Hope this helps


Cam.
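
Added example, not part of the thread and not Aruba's or any RADIUS server's own code: the decision Cam describes, plus the wire encoding of the Aruba-User-VLAN VSA it returns. Assumptions: computer accounts authenticate with a User-Name starting `host/`, the policy hook and its in-memory cache are hypothetical, VLAN 200 is a constructed value, and vendor ID 14823 / attribute 2 are taken from the Aruba RADIUS dictionary.

```python
import struct

ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number
ARUBA_USER_VLAN = 2       # Aruba-User-VLAN, integer, in the Aruba RADIUS dictionary
BYOD_VLAN = 200           # constructed VLAN id, for illustration only


def encode_aruba_user_vlan(vlan_id):
    """Encode Aruba-User-VLAN as a Vendor-Specific attribute (type 26, RFC 2865)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1-4094")
    # Sub-attribute: vendor type, vendor length (2 + 4), 32-bit value.
    sub = struct.pack("!BBI", ARUBA_USER_VLAN, 6, vlan_id)
    # Outer attribute: type 26, total length, 32-bit vendor id, then the sub-attribute.
    return struct.pack("!BBI", 26, 6 + len(sub), ARUBA_VENDOR_ID) + sub


def normalize_mac(calling_station_id):
    """Reduce Calling-Station-Id to 12 lowercase hex digits, whatever the separator."""
    mac = "".join(c for c in calling_station_id.lower() if c in "0123456789abcdef")
    if len(mac) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return mac


class VlanPolicy:
    """Hypothetical post-authentication hook; call it only for requests that succeeded."""

    def __init__(self):
        self.machine_authed = set()  # MACs seen passing machine authentication

    def reply_attributes(self, user_name, calling_station_id):
        mac = normalize_mac(calling_station_id)
        if user_name.lower().startswith("host/"):   # assumed computer-account form
            self.machine_authed.add(mac)
            return b""                              # stays in the default VLAN
        if mac in self.machine_authed:
            return b""                              # user on a domain PC
        return encode_aruba_user_vlan(BYOD_VLAN)    # no machine auth seen: BYOD
```

Calling-Station-Id is supplied by the client side, so the cache is only as trustworthy as the MAC address, and a production cache would expire entries after a set lifetime.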

 

Frequent Contributor I
Posts: 75
Registered: ‎08-12-2011

Re: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

Does it work with a PSK environment?

I have a similar problem. Devices connect with PSK to the wireless LAN, but the user rule stays at "logon" (the initial role).

Is it correct to configure "User Derivation Rule" in the AAA Profile for the specific ssid?

What does "Mac Authentication" in this case mean?

 

 

Guru Elite
Posts: 20,568
Registered: ‎03-29-2007

Re: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.




FlorianKueck,

 

You cannot change a VLAN using a DHCP fingerprinting user derivation rule for now.  A bug is currently open for this.

 

You can use MAC authentication to change the VLAN of a device, but that would involve you entering all MAC addresses manually, so this is not practical.

 

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 75
Registered: ‎08-12-2011

Re: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

OK, thank you. So I will have to wait.

 

Guru Elite
Posts: 20,568
Registered: ‎03-29-2007

Re: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

We will update the thread if something changes.

 



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 29
Registered: ‎01-26-2012

Re: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

Thank you. I'll look forward to an update.
