Occasional Contributor II

Wired enforcement for Access point (tagged and untagged vlan)

Hi all,

 

I would like to enforce, on my AOS 2930 switch, the specific port config that will be used when I plug in Aruba APs:

Untagged VLAN: VLAN for Access Points

Tagged VLANs: all my user VLANs (Corporate, Guest, etc.)

User traffic won't be tunneled to the wireless controller.

 

How can I do that?

Shall I configure an Aruba user role? In that case, I don't see how I would configure several tagged VLANs in a specific role...

OR

Shall I use classic VLAN enforcement in that scenario?

 

I guess it's the second method, but I'd like to be sure of that.

 

Thanks for your help

Fred

 

Guru Elite

Re: Wired enforcement for Access point (tagged and untagged vlan)

Aruba campus APs should simply sit in a user subnet, just like any other client device. There is no need to tag any VLANs.

Take a look at the ClearPass Solution Guide for Wired Policy Enforcement for configuration examples.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Wired enforcement for Access point (tagged and untagged vlan)

Hi Tim,

 

Your solution doesn't work for us.

 

What we want to do:

When an AP is plugged into our AOS 2930F switches, CPPM must enforce:

- VLAN AP untagged

- VLAN Corporate tagged

- VLAN Guest tagged

- VLAN Printer tagged

- VLAN blabla tagged

 

Even if you place your AP in another VLAN, I don't see how to enforce a tagged VLAN via CPPM (and moreover, how to enforce several tagged VLANs).

 

I read the wired guide and didn't find a solution either.

 

Thanks for your help

Kind regards,

Fred

 

Guru Elite

Re: Wired enforcement for Access point (tagged and untagged vlan)

You said the APs are tunneling to a controller. There should be no tagged VLANs on a campus AP.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Wired enforcement for Access point (tagged and untagged vlan)

No,

I said: User traffic won't be tunneled to the wireless controller.

It'll be locally switched. That's why I need tagging.

 

Fred

Guru Elite

Re: Wired enforcement for Access point (tagged and untagged vlan)

OK, sorry, I misread. You cannot use RADIUS-assigned user roles then. You'd have to use device profiles with LLDP to map the user role.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Wired enforcement for Access point (tagged and untagged vlan)

OK,

Do you have any doc or example of how to do this?

 

That'll be great.

Fred

 

Guru Elite

Re: Wired enforcement for Access point (tagged and untagged vlan)

I don't, sorry. Probably a better question for the switching group.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Wired enforcement for Access point (tagged and untagged vlan)

I used this guide:
https://community.arubanetworks.com/t5/Wired-Networks/Returning-multiple-tagged-VLANS-and-untagged-VLAN-from-ClearPass/ta-p/413955

Tested with CPPM 6.7.2 and 2930M on 16.05 and 2920 on 16.05.

I used MAC auth with profiling. The AP profile gets all the additional tagged VLANs.
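Added example, not code from this thread or from the guide linked above: the standard way for a RADIUS server to hand a switch one untagged VLAN plus several tagged VLANs in a single Access-Accept is RFC 4675's Egress-VLANID (or Egress-VLAN-Name) attribute, sent once per VLAN, with the leading byte or character stating whether that VLAN is tagged ('1') or untagged ('2'). The Python below builds those values for the poster's scenario, decodes them the way a receiving switch would, and rejects what RFC 4675 marks as invalid (an unknown tag byte, non-zero pad bits, an out-of-range VLAN ID) plus the one thing a port physically cannot do (more than one untagged VLAN). The VLAN numbers 10/20/30/40 are constructed for illustration, and the exact attribute names to use in a ClearPass enforcement profile, as well as which AOS-Switch firmware honors them, are not taken from the thread.

```python
"""Encode and decode RFC 4675 Egress-VLANID / Egress-VLAN-Name values.

Added example, not from the thread or the linked guide. One attribute is
returned per VLAN; the switch assembles them into the port's tagged and
untagged memberships. VLAN numbers and names here are constructed.
"""
from __future__ import annotations

# RFC 4675 tag indication byte: ASCII '1' = tagged, ASCII '2' = untagged
TAG_TAGGED = 0x31
TAG_UNTAGGED = 0x32


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """32-bit Egress-VLANID: 8-bit tag indication, 12 zero pad bits, 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    tag = TAG_TAGGED if tagged else TAG_UNTAGGED
    return (tag << 24) | vlan_id


def decode_egress_vlanid(value: int) -> tuple[int, bool]:
    """Parse an Egress-VLANID value into (vlan_id, tagged).

    Rejects what RFC 4675 marks as invalid: an unknown tag byte, non-zero
    pad bits, or a VLAN ID outside 1..4094.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Egress-VLANID must be a 32-bit integer")
    tag = value >> 24
    pad = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if tag not in (TAG_TAGGED, TAG_UNTAGGED):
        raise ValueError(f"bad tag indication 0x{tag:02x}")
    if pad != 0:
        raise ValueError("pad bits must be zero")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return vlan_id, tag == TAG_TAGGED


def encode_egress_vlan_name(name: str, tagged: bool) -> str:
    """Egress-VLAN-Name: one tag character ('1' tagged, '2' untagged)
    followed by the VLAN's name as configured on the switch."""
    if not name:
        raise ValueError("VLAN name must not be empty")
    return ("1" if tagged else "2") + name


def decode_egress_vlan_name(value: str) -> tuple[str, bool]:
    """Inverse of encode_egress_vlan_name; rejects a missing or unknown tag char."""
    if len(value) < 2 or value[0] not in "12":
        raise ValueError(f"malformed Egress-VLAN-Name: {value!r}")
    return value[1:], value[0] == "1"


def ap_port_attributes(untagged_vlan: int, tagged_vlans: list[int]) -> list[tuple[str, int]]:
    """Attribute list for the AP port in the thread: one untagged AP VLAN
    and every user VLAN tagged, one Egress-VLANID per VLAN."""
    attrs = [("Egress-VLANID", encode_egress_vlanid(untagged_vlan, False))]
    attrs += [("Egress-VLANID", encode_egress_vlanid(v, True)) for v in tagged_vlans]
    return attrs


def switch_port_view(attrs: list[tuple[str, int]]) -> dict:
    """Interpret the returned attributes as a switch would: collect the
    tagged set and insist on exactly one untagged VLAN, since a port can
    hold only one untagged membership and the AP needs it for its own traffic."""
    untagged: list[int] = []
    tagged: list[int] = []
    for name, value in attrs:
        if name != "Egress-VLANID":
            continue  # other attributes in the Access-Accept are not our concern here
        vlan_id, is_tagged = decode_egress_vlanid(value)
        (tagged if is_tagged else untagged).append(vlan_id)
    if len(untagged) != 1:
        raise ValueError(f"expected exactly one untagged VLAN, got {untagged}")
    if untagged[0] in tagged:
        raise ValueError("a VLAN cannot be both tagged and untagged on one port")
    return {"untagged": untagged[0], "tagged": sorted(set(tagged))}


if __name__ == "__main__":
    # Constructed VLAN numbers: 10 = AP, 20 = Corporate, 30 = Guest, 40 = Printer
    attrs = ap_port_attributes(10, [20, 30, 40])
    for name, value in attrs:
        print(f"{name} = 0x{value:08x} ({value})")
    print(switch_port_view(attrs))
```

The decimal form of each value is what you would type into a RADIUS attribute whose dictionary type is integer; the hex form makes the tag byte visible when reading a packet capture. A server that returns two untagged Egress-VLANIDs, or an untagged VLAN that also appears tagged, has produced a contradictory port configuration, which is why `switch_port_view` refuses both.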

Frequent Contributor II

Re: Wired enforcement for Access point (tagged and untagged vlan)

Have you checked device profile?

Please check below if it helps:

http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/RA/16-01/webhelp/content/ch10.html

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | JNCIS | JNCIA