Returning multiple tagged VLANS and untagged VLAN from ClearPass on HPE Switches

MVP
MVP
Requirement:

If we have an Aruba IAP(Instant Access Point) or any device that can tag multiple VLAN traffic and you want to authenticate that device on the Switch port either using MAC-Auth or 802.1x  you can return all the tagged vlans and the untagged vlan from ClearPass.



Solution:

We make use of a combination of 2 Radius attributes for this to work. The HPE-Egress-VLAN-ID(64) and also the Tunnel-Private-Group ID which is typically used to return VLANs from the  Radius Server.

We have tested this with Clearpass version 6.6.9 and an Aruba-2930F running WC.16.04.0011 but this should also work with other firmware versions on the switch and CPPM as long as you are returning the attributes in the right format.



Configuration:

The Radius attributes we need to return for VLAN assignment are below

For tagged VLANs 

RADIUS Attribute Times Used Description Value String Value
Egress-VLANID 1-* Allow egress traffic for specified VID - <tagged/untagged(0x31 or 0x32)>000<VLAN_ID (as hex)>

 

For Untagged VLANs

RADIUS Attribute Times Used Description Value String Value
Tunnel-Type 1 Type of tunnel VLAN 13
Tunnel-Medium-Type 1 Tunnel transport medium IEEE-802 6
Tunnel-Private-Group-Id 1 Numeric ingress/egress VLAN ID to be assigned  

 

Here is an example of how we arrive at a Hex value for a tagged VLAN 30 we want to return to the Switch

0x31<000><VLAN-ID in Hex>  the value of 30 in Hex is 1E and we need to pad that value with another 0 making it 01E.

Finally the Hex value for a tagged VLAN 30 is  0x3100001E.

Now in ClearPass to return the HPE-Egress-VLANID attribute we need to convert the Hex value back to decimal

You can use any online tool to convert from Hex to Decimal like 

https://www.binaryhexconverter.com/hex-to-decimal-converter

and 0x3100001E converts to 822083614 in Decimal which is what we need to configure on the ClearPass.

The same attribute can be used to return multiple VLANs by sending it with appropriate values for the corresponding VLANs.

In our testing we also returned another tagged VLAN 150 which comes to

0x31<000><VLAN-ID in Hex>

Vlan 150 in Hex which is 96 padded with a leading zero 096 which comes to 0x31000096

Converting that value back to Integer gives 822083734.

In ClearPass we are configuring the HPE-Egress-VLAN-ID attribute with ID (64) in the Hewlett-Packard-Enterprise Radius Dictionary with a Vendor ID 11.

Along with tagged VLANs we are also returning the untagged VLAN of 20 using the Radius:IETF    Tunnel-Private-Group-Id attribute which needs some other attributes along with it as shown below

Radius:IETF    Tunnel-Type    =    VLAN (13)
Radius:IETF    Tunnel-Private-Group-Id    =   <VLAN-ID>
Radius:IETF    Tunnel-Medium-Type    =    IEEE-802 (6)

Please find the configuration snap-shot of the ClearPass enforcement below

Once this enforcement profile is configured it should return 30 and 150 as tagged VLANs and 20 as the untagged as explained above.

You can configure this is an enforcement profile for any port access authentication 802.1x or MAC-auth.

Also note that the same configuration can be replicated on other Radius servers to return tagged and untagged VLANs to the HPE switch as long as we are configuring the right attributes and values.

 

 

 

 

 



Verification

We can verify from the access tracker of CPPM that we are indeed returning the attributes by observing the Output tab of ClearPass as shown below

Once you return the attributes in the switch you should be able to see that the switch accepts it and assigns the appropriate VLANs by executing the command shown below

 

Aruba-2930F-24G-PoEP-4SFP# show port-access clients detailed

 Port Access Client Status Detail

  Client Base Details :
   Port            : 21                    Authentication Type : mac-based
   Client Status   : authenticated         Session Time        : 523 seconds
   Client Name     : f05c19ca3cf6          Session Timeout     : 0 seconds
   MAC Address     : f05c19-ca3cf6
   IP              : 10.1.20.5

  Access Policy Details :
   COS Map         : Not Defined           In Limit Kbps       : Not Set
   Untagged VLAN   : 20                    Out Limit Kbps      : Not Set
   Tagged VLANs    : 30, 150
   Port Mode       : 1000FDx
   RADIUS ACL List : No Radius ACL List


  Captive Portal Details :
   URL             :
 

Version history
Revision #:
1 of 1
Last update:
2 weeks ago
Updated by:
 
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: