Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

force IOS devices to use a specific vlan

  • 1.  force IOS devices to use a specific vlan

    Posted Jul 09, 2012 10:26 PM

    Hi,

    If multiple VLANs are associated with an SSID, is there a way to force all iOS devices that connect to that SSID to use the same VLAN (say only VLAN A)? We use ArubaOS 6.1.3.2.

    Thanks



  • 2.  RE: force IOS devices to use a specific vlan

    Posted Jul 09, 2012 11:16 PM

    If you are using only the Aruba base OS and the SSID is using 802.1X authentication, you can implement a user-defined rule and apply it to the AAA profile of the VAP. It can be done either by assigning a VLAN or by assigning a role that has a specific VLAN defined.

    The DHCP App Note covers this type of configuration: http://www.arubanetworks.com/pdf/technology/AOS-DHCP-FingerPrint-AppNote.pdf

    An example configuration would be something similar to this:

    aaa derivation-rules user iOS-Devices
       set role condition dhcp-option equals "370103060F77FC" set-value iOS
       (assumes a role named iOS with a VLAN assigned)

       OR

       set vlan condition dhcp-option equals "370103060F77FC" set-value XXX
       (XXX = VLAN number)

    aaa profile "existing-aaa-prof"
       user-derivation-rules iOS-Devices


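To make concrete what the `dhcp-option equals "370103060F77FC"` condition in the reply above actually compares, here is an added example (not code from the thread, and not Aruba's own implementation). It parses the options of a DHCP packet, builds the fingerprint string in the same shape as the posted value, decodes that value back into the option list an iOS client requests, and evaluates a small rule table the way the derivation rule would. The assumptions are: the fingerprint is the DHCP option code (0x37 = option 55, the parameter request list) followed by the option's raw value bytes with the length byte omitted, which is how the posted string decodes; first matching rule wins; VLAN 100 stands in for the thread's XXX; and the DHCPDISCOVER packets are constructed inline, not captured.

```python
"""Build and decode ArubaOS-style DHCP option fingerprints.

Added example, not code from the forum thread or from Aruba. Assumed
fingerprint format: option code byte + option value bytes, no length
byte (this is how the posted "370103060F77FC" decodes). The packets
built here are constructed sample data, not captures.
"""
from typing import Dict, List, Optional, Sequence, Tuple

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_REQUEST_LIST, OPT_END = 0, 12, 53, 55, 255

# Names for option codes commonly seen in parameter request lists (RFC 2132 and later).
OPTION_NAMES = {
    1: "subnet-mask", 3: "router", 6: "dns-server", 12: "hostname", 15: "domain-name",
    31: "router-discovery", 33: "static-route", 43: "vendor-specific", 44: "netbios-ns",
    46: "netbios-node-type", 47: "netbios-scope", 119: "domain-search",
    121: "classless-static-route", 249: "ms-classless-static-route", 252: "proxy-autoconfig",
}


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Parse the TLV options after the fixed 236-byte BOOTP header and magic cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: short or bad magic cookie")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value  # last occurrence wins; fine for a fingerprint lookup
        i += 2 + length
    return opts


def aruba_fingerprint(opts: Dict[int, bytes], option: int = OPT_PARAM_REQUEST_LIST) -> Optional[str]:
    """Option code + value bytes as upper-case hex, or None if the client did not send it."""
    value = opts.get(option)
    if value is None:
        return None
    return f"{option:02X}{value.hex().upper()}"


def decode_fingerprint(fingerprint: str) -> List[str]:
    """Turn a fingerprint string back into the option names the client asked for."""
    raw = bytes.fromhex(fingerprint)
    if not raw:
        raise ValueError("empty fingerprint")
    code, value = raw[0], raw[1:]
    if code != OPT_PARAM_REQUEST_LIST:
        return [f"option-{code}={value.hex().upper()}"]
    return [OPTION_NAMES.get(c, f"option-{c}") for c in value]


def derived_vlan(packet: bytes, rules: Sequence[Tuple[str, int]]) -> Optional[int]:
    """Apply (fingerprint, vlan) rules in order; first match wins (ordering is assumed)."""
    fp = aruba_fingerprint(parse_dhcp_options(packet))
    if fp is None:
        return None
    for rule_fp, vlan in rules:
        if rule_fp.upper() == fp:
            return vlan
    return None


def build_discover(param_request: bytes, hostname: bytes = b"iPhone") -> bytes:
    """Constructed DHCPDISCOVER carrying the given option-55 list (sample data, not a capture)."""
    header = (
        bytes([1, 1, 6, 0])                              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        + b"\x12\x34\x56\x78" + b"\x00\x00" + b"\x80\x00"  # xid, secs, flags (broadcast)
        + b"\x00" * 16                                   # ciaddr, yiaddr, siaddr, giaddr
        + bytes.fromhex("001122334455") + b"\x00" * 10   # chaddr, padded to 16 bytes
        + b"\x00" * 64 + b"\x00" * 128                   # sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, 1])                                           # DHCPDISCOVER
        + bytes([OPT_PARAM_REQUEST_LIST, len(param_request)]) + param_request
        + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
        + bytes([OPT_END])
    )
    return header + DHCP_MAGIC_COOKIE + options


# Rule table in the shape of the thread's example; VLAN 100 stands in for XXX (assumed).
RULES = [("370103060F77FC", 100)]

if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("0103060F77FC"))
    print(aruba_fingerprint(parse_dhcp_options(pkt)), decode_fingerprint("370103060F77FC"))
    print(derived_vlan(pkt, RULES))
```

Decoding the posted value shows it is simply the list an iOS client asks for: subnet mask, router, DNS, domain name, domain search and proxy auto-config. Since that list is chosen by the client, any station can send the same six bytes and land in the same VLAN, so a rule like this sorts devices by what they claim to be; it does not authenticate them, and the VLAN it selects should not carry privileges that depend on the device really being an iPhone.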

  • 3.  RE: force IOS devices to use a specific vlan

    Posted Jul 10, 2012 12:28 AM

    Thank you. Does this mean that if we use a VLAN pool, the matching devices will be assigned only to the VLAN mentioned in the rule, and all other devices will be assigned to the rest of the VLANs in the pool?



  • 4.  RE: force IOS devices to use a specific vlan

    Posted Jul 10, 2012 12:35 AM

    If you use VLAN pooling, and the VLAN you specify in this derivation rule is within the pool, THEN

    a) iOS devices will be in this VLAN (good...)

    b) other devices may also get put into this same VLAN (maybe/maybe not desirable depending on your stance on VLANs) depending on the MAC address hash algorithm that VLAN pooling uses.



  • 5.  RE: force IOS devices to use a specific vlan

    Posted Jul 10, 2012 01:46 AM

    Is there any condition you know of that can be set in NPS to match this option?



  • 6.  RE: force IOS devices to use a specific vlan

    Posted Jul 11, 2012 11:58 AM

    Hi,

    I tried this, but I am not getting an IP; it shows authenticated, no IP. If I disable the user-derived role, everything is OK.

    set vlan condition dhcp-option equals "370103060F77FC" set-value XXX (VLAN number)

    aaa profile "existing-aaa-prof"
       user-derivation-rules iOS-Devices

    Thanks



  • 7.  RE: force IOS devices to use a specific vlan

    Posted Jul 11, 2012 09:18 PM

    Can you copy the portions of your config for the following:

    your virtual AP
    your AAA profile
    your user-defined rule



  • 8.  RE: force IOS devices to use a specific vlan

    Posted Jul 12, 2012 03:27 PM


  • 9.  RE: force IOS devices to use a specific vlan

    Posted Jul 17, 2012 11:58 PM

    It seems DHCP fingerprinting will be fully functional only with the next Aruba code release.



  • 10.  RE: force IOS devices to use a specific vlan

    Posted Jul 18, 2012 12:01 AM

    Did you want to paste in your config snippets so we can assist you?

    I don't know of any caveats that tell me that fingerprinting does not work until the 'new release'. Where did you find that reference? Curious...



  • 11.  RE: force IOS devices to use a specific vlan

    Posted Jul 18, 2012 12:06 AM

    ARUBA TAC



  • 12.  RE: force IOS devices to use a specific vlan

    Posted Jul 18, 2012 12:09 AM

    I guess that's a no on your config, eh? ;)

    Send me a private message, if you would, with the ticket # from TAC and I'll follow up there.