Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Dynamic VLAN assignment and 802.1X auth with MAC auth fallback

  • 1.  Dynamic VLAN assignment and 802.1X auth with MAC auth fallback

    Posted Jul 03, 2013 10:49 AM

    I'm trying to figure out how to dynamically assign a VLAN to a user connecting via an Ethernet port on an AP-93H (controller managed), and I'm struggling a bit.

    I'm trying to mimic what happens on our switch ports, that is: a user plugs in, and if their device doesn't try and authenticate using 802.1X it falls back to transparent MAC auth and drops them onto a VLAN that contains a captive portal that presents setup instructions for configuring 802.1X - if it does 802.1X authenticate successfully, then the RADIUS server returns a VLAN depending on where the connection has originated.

    In the wired-ap profile it seems I have to select either an access or trunk VLAN - I can't leave it blank and let RADIUS assign it. Is there an option somewhere that enables this? Is there any documentation that relates to what I'm trying to do that someone could point me at?

    Lastly, if there's someone who has already done this, would you mind sharing the relevant bits of your config with me?

    Thanks!

  • 2.  RE: Dynamic VLAN assignment and 802.1X auth with MAC auth fallback

    Posted Jul 03, 2013 08:04 PM

    You'd need the port set as Trunk with any potential VLANs for the clients allowed on the trunk. Then, through the AAA profile assigned to the port, you'll assign MAC Server Group and Default MAC Authentication Role (and a VLAN and Captive Portal profile assigned to the role) as well as an 802.1X Server Group and Default 802.1X Authenticated role, which RADIUS can assign a VLAN to.
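
The check below is an added example, not part of the thread and not Aruba or ClearPass code: it resolves the VLAN a wired session would land on under the design described in the reply above and reports whether the trunk's allowed list would carry it. It assumes the RADIUS server returns the VLAN in the RFC 3580 tunnel attributes and that MAC-auth sessions take the VLAN of their default role; the function names and VLAN numbers are constructed for illustration.

```python
# Added example: all VLAN numbers and attribute values here are constructed.
TUNNEL_TYPE_VLAN = "13"   # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = "6"   # RFC 3580: Tunnel-Medium-Type = IEEE-802

def parse_allowed(spec):
    """Expand a trunk allowed-VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def radius_vlan(attrs):
    """Return the numeric VLAN ID in an Access-Accept, or None if absent or not numeric."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    vid = attrs.get("Tunnel-Private-Group-ID", "")
    return int(vid) if vid.isdecimal() else None

def effective_vlan(method, attrs, role_vlans, allowed):
    """Return (vlan, source, carried_on_trunk) for one session.

    method is 'dot1x' or 'mac'; role_vlans maps each method's default role to its VLAN.
    """
    vlan = radius_vlan(attrs) if method == "dot1x" else None
    source = "radius" if vlan is not None else "role"
    if vlan is None:
        vlan = role_vlans[method]   # fall back to the default role's VLAN
    return vlan, source, vlan in allowed

if __name__ == "__main__":
    allowed = parse_allowed("10,20-22,900")          # constructed trunk list
    roles = {"mac": 900, "dot1x": 10}                # constructed role VLANs
    accept = {"Tunnel-Type": "13", "Tunnel-Medium-Type": "6",
              "Tunnel-Private-Group-ID": "30"}       # constructed Access-Accept
    for method, attrs in (("mac", {}), ("dot1x", {}), ("dot1x", accept)):
        print(method, effective_vlan(method, attrs, roles, allowed))
```

A result whose last field is False marks a VLAN that RADIUS or a role can hand out but that is missing from the trunk's allowed list.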

  • 3.  RE: Dynamic VLAN assignment and 802.1X auth with MAC auth fallback

    Posted Aug 06, 2014 10:02 AM

    I am not able to get the switch ports to talk to the ClearPass server when I plug in a port. I can see the failures in ClearPass if I do an auth test from the diag tab. Any way you could send me a "cookbook" of what I need to configure on the switch to allow port authentication to ClearPass to work? Let me know.



  • 4.  RE: Dynamic VLAN assignment and 802.1X auth with MAC auth fallback

    EMPLOYEE
    Posted Aug 06, 2014 10:05 AM
    Are the ports untrusted and do you have an AAA profile applied?


  • 5.  RE: Dynamic VLAN assignment and 802.1X auth with MAC auth fallback

    Posted Aug 06, 2014 10:28 AM
    Yes to both of those.

    Thank you

    A.J.
    A.J. Siroin