Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

VLAN derivation on split tunnel RAP

  • 1.  VLAN derivation on split tunnel RAP

    Posted Apr 27, 2015 10:24 AM

    We're currently in the process of consolidating our SSIDs into one.  This has been achieved for the vast majority of locations where CAPs are employed in bridge mode, using ClearPass to return user role and VLAN attributes.

    However, the VLAN derivation via the VSA returned by ClearPass does not work where RAPs have been employed in split tunnel mode.  Although the user role is updated correctly, clients stay on the initial VLAN.  I've tried assigning the VLAN to the user role too, but the VLAN still doesn't change.

    I have read that split tunnel RAPs do not support VLAN derivation - can anyone confirm this?



  • 2.  RE: VLAN derivation on split tunnel RAP
    Best Answer

    EMPLOYEE
    Posted Apr 27, 2015 10:45 AM
    Correct. Split tunnel RAPs do not support VLAN derivation.


  • 3.  RE: VLAN derivation on split tunnel RAP

    Posted Apr 27, 2015 10:46 AM

    Thanks for the reply.

    Is there any other way to change the initial VLAN assignment in this example?



  • 4.  RE: VLAN derivation on split tunnel RAP

    EMPLOYEE
    Posted Apr 27, 2015 10:53 AM
    Unfortunately, there is not. Split tunnel only makes sense when the location does not have a dedicated WAN connection back to your location besides the IPsec tunnel. If it does have a connection, it is more efficient to use bridge mode. Of the locations where there is no other connection, it is assumed there is probably only one VLAN.

    What is your setup?


  • 5.  RE: VLAN derivation on split tunnel RAP

    Posted Apr 27, 2015 11:12 AM

    These are for locations where there is no dedicated link or VPN tunnel, i.e. home users. Two VLANs have been configured on the controller; one for corporate devices and one for BYOD devices.  The VLAN assigned is based on logic present in ClearPass.  The default initial VLAN assigned is the BYOD VLAN.  The problem is that we cannot assign the other VLAN if the client is detected to be a corporate device.



  • 6.  RE: VLAN derivation on split tunnel RAP

    EMPLOYEE
    Posted Apr 27, 2015 12:23 PM
    Got it. That is a very unique use case where a BYOD device is allowed remotely. Do the BYOD devices require any resources from the headend, or basically all internet?


  • 7.  RE: VLAN derivation on split tunnel RAP

    Posted Apr 27, 2015 12:33 PM

    Some internal resources, mainly http(s) based, but not entirely.