New Contributor
Posts: 3
Registered: ‎10-14-2015

VLAN assignment based on AD

Hi,

Recently moved to Aruba (previously with Cisco/Meraki/Extreme)... anyway.

This is the goal i am trying to achieve:

- I am with my laptop and I see a Guest SSID

- I connect to the Guest SSID, which is open and redirects me to a captive portal

- The captive portal is configured to authenticate me against my AD, which acts as RADIUS (NPS)

- The captive portal authenticates me and I get assigned to another VLAN as configured, on another subnet

Now all this is OK. There is only one problem. Once I am on the guest SSID I get an IP that allows me to reach the captive portal, right? Then I authenticate and something on the network happens, to the point that my packets then get tagged. Obviously the new VLAN MUST BE on another subnet. I don't believe my laptop is aware of the change, as from its perspective it is still connected to the same Guest SSID, so IT IS NOT GOING TO request another address from the DHCP server. As a result, I authenticate and then I have no network connection. Obviously I cannot access my guests (there are plenty...) to refresh the IP...

Can you clarify?

thanks

localhost

Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: VLAN assignment based on AD

VLAN changes for an L3 authentication are not reliable.

Why not use 802.1X if you already have a RADIUS server configured?


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 3
Registered: ‎10-14-2015

Re: VLAN assignment based on AD

Thanks for the quick answer.

So basically you are saying that the SSID authentication will be based on 802.1X; this way I get access to the network and am placed in the right VLAN after authentication, which should fix the DHCP issue...

So:

- I have an SSID which has 802.1X-based authentication

- I bring my laptop and connect to the SSID, which immediately requests user/pass

- The user/pass sits in AD. Based on AD group membership, NPS gives an attribute to the requesting AP to place that particular endpoint in a particular VLAN.

- I gain access to that VLAN and acquire an IP via DHCP in that VLAN.

Would this work?

Is there a KB article you know of that explains the process? I think it is a fairly common request.

Thanks

Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: VLAN assignment based on AD

Yes, that's how most networks are designed. Search for NPS tutorial on here. 


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
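The process agreed on above (802.1X, NPS returns a VLAN attribute, the AP/controller puts the client in that VLAN) turns on three RADIUS attributes from RFC 2868 / RFC 3580: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN number as a string. The block below is an added illustration written for this thread, not code from the thread, Aruba or Microsoft. It builds an Access-Accept the way the RADIUS server would, then does what the NAS (controller/AP) has to do before honoring it: verify the Response Authenticator against the shared secret, and only accept a complete, consistent tunnel-attribute set with a VLAN ID in range. The shared secret, Request Authenticator, identifier and VLAN 30 are constructed sample values, not anything from the original posts.

```python
"""Decode the VLAN assignment carried in a RADIUS Access-Accept (RFC 2868/3580).

Added example for this thread, not Aruba or Microsoft code. Sample secret,
request authenticator, identifier and VLAN number below are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64               # RFC 2868
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868
TUNNEL_TYPE_VLAN = 13          # RFC 3580
TUNNEL_MEDIUM_IEEE802 = 6      # RFC 3580

# Assumed values for the worked example (constructed, not from the thread).
EXAMPLE_SECRET = b"s3cret-shared-with-nps"
EXAMPLE_REQUEST_AUTH = bytes(range(16))   # authenticator of the Access-Request
EXAMPLE_IDENTIFIER = 7


def tagged_int(tag, value):
    """Tunnel-Type / Tunnel-Medium-Type: 1 tag octet + 3 value octets."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_str(tag, text):
    """Tunnel-Private-Group-ID: 1 tag octet + string (NPS sends the VLAN number)."""
    return bytes([tag]) + text.encode("ascii")


def avp(code, value):
    """One RADIUS attribute: Type, Length (includes the 2 header octets), Value."""
    return bytes([code, len(value) + 2]) + value


def build_access_accept(identifier, request_auth, secret, attrs):
    """Build an Access-Accept as the RADIUS server does (RFC 2865 section 3)."""
    body = b"".join(avp(code, value) for code, value in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet, request_auth, secret):
    """NAS-side check: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(body):
    """Walk the TLV attribute list, refusing malformed lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        code, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((code, body[i + 2:i + length]))
        i += length
    return attrs


def split_tag(value):
    """RFC 2868 section 3: the first octet is a tag only when it is 0x00-0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(packet, request_auth, secret):
    """Return the VLAN ID the server assigned, or None if no valid set is present."""
    if not verify_response_authenticator(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    if packet[0] != ACCESS_ACCEPT:
        return None
    groups = {}                      # tag -> {attribute code: value}
    for code, value in parse_attributes(packet[20:]):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, val = split_tag(value)
            groups.setdefault(tag, {})[code] = val
    # First complete, consistent group wins. A full NAS would also honor
    # Tunnel-Preference (RFC 2868) when several groups are present.
    for tag in sorted(groups):
        g = groups[tag]
        ttype = int.from_bytes(g.get(TUNNEL_TYPE, b""), "big")
        medium = int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big")
        gid = g.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE802 and gid.isdigit():
            vlan = int(gid)
            if 1 <= vlan <= 4094:
                return vlan
    return None


def sample_accept(vlan="30", secret=EXAMPLE_SECRET, include_medium=True):
    """What NPS returns for an AD group mapped to a VLAN (constructed sample)."""
    attrs = [(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN)),
             (TUNNEL_PRIVATE_GROUP_ID, tagged_str(1, vlan))]
    if include_medium:
        attrs.insert(1, (TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE802)))
    return build_access_accept(EXAMPLE_IDENTIFIER, EXAMPLE_REQUEST_AUTH, secret, attrs)


if __name__ == "__main__":
    pkt = sample_accept()
    print("assigned VLAN:", vlan_from_accept(pkt, EXAMPLE_REQUEST_AUTH, EXAMPLE_SECRET))
```

Two things in the decoder matter in practice. The authenticator check is why a wrong or mismatched shared secret between NPS and the controller shows up as an auth failure rather than a wrong VLAN: the NAS must drop a reply it cannot verify, and the lookup raises instead of returning a VLAN in that case. The attribute check is why an NPS policy that sets Tunnel-Pvt-Group-ID but forgets Tunnel-Medium-Type lands the client in the SSID's default VLAN: the set is incomplete, `vlan_from_accept` returns `None`, and the NAS falls back to its configured default. Untagged attributes (no leading tag octet) decode the same way, because a first byte above 0x1F is treated as part of the value.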
New Contributor
Posts: 3
Registered: ‎10-14-2015

Re: VLAN assignment based on AD

Thanks heaps, I will give it a shot.
