Frequent Contributor II
Posts: 167
Registered: ‎04-17-2013

ClearPass for Wired user(dot1x) over MPLS network

Hi,

I am using an Aruba 7200 controller & CPPM for my wireless network. There are 14 branches connected over the MPLS network.

The Aruba controller, CPPM & DHCP are located in the data center. Every branch has a different IP address range. We have dot1x switches.

Now we want to achieve the following requirements for the wired network.

1) If the user & device are part of the domain then they should get the respective VLAN IP address.

    (How will CPPM identify which branch the requestor comes from & assign the IP address?)

2) How will DHCP provide an IP address to the user?

Kindly suggest how I can achieve this requirement.

Thanks in advance,

Nikhil.

MVP
Posts: 4,272
Registered: ‎07-20-2011

Re: ClearPass for Wired user(dot1x) over MPLS network

You could do this by using the NAS IP of the switch (incoming RADIUS request).

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,467
Registered: ‎09-08-2010

Re: ClearPass for Wired user(dot1x) over MPLS network

For the domain machines, you can use the built-in [Machine Authenticated] role to assign a role. This role will automatically be assigned when a computer successfully machine authenticates to AD.

You can either assign the VLAN directly by returning it from ClearPass or tie a VLAN to a user role. Then the client will get an address in that subnet.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 167
Registered: ‎04-17-2013

Re: ClearPass for Wired user(dot1x) over MPLS network

Thanks for the quick reply.

Can you please provide me some doc/PDF regarding the configuration?

Shall I create an IP pool on the DHCP server?

Frequent Contributor II
Posts: 167
Registered: ‎04-17-2013

Re: ClearPass for Wired user(dot1x) over MPLS network

I will not create a user group on CPPM, because if a user goes to another branch location then he should get that respective branch's VLAN IP address.

How can I achieve this?

Guru Elite
Posts: 8,467
Registered: ‎09-08-2010

Re: ClearPass for Wired user(dot1x) over MPLS network

I assume you have a different AP group in each location? You can use the AP
group to return specific information for only clients joined to an AP in
that group.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 8,467
Registered: ‎09-08-2010

Re: ClearPass for Wired user(dot1x) over MPLS network

branchoffice-1.PNG

branch-enforce.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 8,467
Registered: ‎09-08-2010

Re: ClearPass for Wired user(dot1x) over MPLS network

Sorry, forgot you were using switches. Use similar logic but instead of Aruba location-ID, use the NAD IP address of each switch.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
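
The NAD-IP logic suggested in the replies above, sketched as an added example (this is not ClearPass configuration and not code from any poster). It maps the switch's NAS-IP-Address to a branch VLAN and returns the standard RFC 3580 VLAN attributes; the subnets, VLAN IDs and the reject-by-default behaviour are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: switch management subnets per branch -> access VLAN.
BRANCH_VLANS = {
    "10.10.0.0/16": 100,   # hypothetical regional block
    "10.10.14.0/24": 114,  # hypothetical branch inside that block
    "10.20.1.0/24": 201,   # hypothetical second branch
}
REQUIRED_ROLE = "[Machine Authenticated]"  # role name mentioned in the thread


def vlan_for_nad(nas_ip, table=BRANCH_VLANS):
    """Longest-prefix match of the NAS-IP-Address; None if no branch matches."""
    try:
        addr = ipaddress.ip_address(nas_ip)
    except ValueError:
        return None
    best = None
    for cidr, vlan in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, vlan)
    return best[1] if best else None


def enforce(request):
    """Decide the RADIUS reply for one request (dict of attributes and roles)."""
    # Assumption: anything that did not machine-authenticate is rejected.
    if REQUIRED_ROLE not in request.get("roles", []):
        return {"result": "Access-Reject", "reason": "not machine authenticated"}
    vlan = vlan_for_nad(request.get("NAS-IP-Address", ""))
    if vlan is None:
        # Fail closed: a request from a switch we do not know gets no VLAN.
        return {"result": "Access-Reject", "reason": "unknown NAD"}
    return {
        "result": "Access-Accept",
        "attributes": {
            "Tunnel-Type": 13,                 # VLAN (RFC 3580)
            "Tunnel-Medium-Type": 6,           # IEEE-802
            "Tunnel-Private-Group-Id": str(vlan),
        },
    }
```
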
Frequent Contributor II
Posts: 167
Registered: ‎04-17-2013

Re: ClearPass for Wired user(dot1x) over MPLS network

Okay... I got the CPPM rule configuration part. But what about VLAN assignment? Shall I create a VLAN rule for each respective branch?

Frequent Contributor II
Posts: 167
Registered: ‎04-17-2013

Re: ClearPass for Wired user(dot1x) over MPLS network

Hi,

I have configured a service for wired 802.1X with a NAD IP rule. I have got the domain user request in "Access Tracker". In the request details, the service, role & enforcement are coming up correctly.

On my HP switch the RADIUS authentication status is accept. I have configured ip-helper on the router for the DHCP server and CPPM. The IP pool is configured on the DHCP server.

But the domain user is still not getting an IP address.

Kindly suggest the solution.

Thank you.
