pt
Occasional Contributor I

Dynamic VLAN assignment and 802.1X auth with MAC auth fallback

I'm trying to figure out how to dynamically assign a VLAN to a user connecting via an Ethernet port on an AP-93H (controller managed), and I'm struggling a bit.

I'm trying to mimic what happens on our switch ports, that is: a user plugs in, and if their device doesn't try and authenticate using 802.1X it falls back to transparent MAC auth and drops them onto a VLAN that contains a captive portal that presents setup instructions for configuring 802.1X - if it does 802.1X authenticate successfully, then the RADIUS server returns a VLAN depending on where the connection has originated.

In the wired-ap profile it seems I have to select either an access or trunk VLAN - I can't leave it blank and let RADIUS assign it. Is there an option somewhere that enables this? Is there any documentation that relates to what I'm trying to do that someone could point me at?

Lastly, if there's someone who has already done this, would you mind sharing the relevant bits of your config with me?

Thanks!

Aruba

Re: Dynamic VLAN assignment and 802.1X auth with MAC auth fallback

You'd need the port set as Trunk with any potential VLANs for the clients allowed on the trunk. Then, through the AAA profile assigned to the port, you'll assign MAC Server Group and Default MAC Authentication Role (and a VLAN and Captive Portal profile assigned to the role) as well as an 802.1X Server Group and Default 802.1X Authenticated role, which RADIUS can assign a VLAN to.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
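
The layout described in the reply above, sketched as an added example that is not part of the original post or Aruba's own configuration. It assumes ArubaOS 6.x controller CLI syntax; every profile, role, server-group and AP-group name, the VLAN IDs and the choice of port enet1 are placeholders, and the referenced authentication profiles, server groups and captive portal profile are assumed to exist already.

```text
! Constructed example: all names and VLAN IDs below are placeholders.

! Role for devices that only pass MAC auth: fixed VLAN plus captive portal
user-role setup-portal
   vlan 900
   captive-portal "setup-cp"
!
! Role for 802.1X clients: no VLAN set here, the VLAN returned by RADIUS applies
user-role dot1x-user
!
! AAA profile carrying both methods, each with its server group and default role
aaa profile "wired-8021x-mac"
   authentication-mac "wired-mac"
   mac-server-group "mac-servers"
   mac-default-role "setup-portal"
   authentication-dot1x "wired-dot1x"
   dot1x-server-group "dot1x-servers"
   dot1x-default-role "dot1x-user"
!
! Wired port as an untrusted trunk that allows every VLAN a client may land in
ap wired-ap-profile "wired-trunk"
   wired-ap-enable
   no trusted
   switchport mode trunk
   switchport trunk allowed vlan 100-110,900
!
! Bind the trunk settings and the AAA profile to the port
ap wired-port-profile "wired-port"
   wired-ap-profile "wired-trunk"
   aaa-profile "wired-8021x-mac"
!
ap-group "ap93h-rooms"
   enet1-port-profile "wired-port"
```

Any VLAN that RADIUS can return has to be inside the trunk's allowed list, otherwise the client authenticates but its traffic has nowhere to go.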

New Contributor

Re: Dynamic VLAN assignment and 802.1X auth with MAC auth fallback

I am not able to get the switch ports to talk to the ClearPass server when I plug in a port. I can see the failures in ClearPass if I do an auth test from the diag tab. Any way you could send me a "cookbook" of what I need to configure on the switch to allow port authentication to ClearPass to work? Let me know.

Guru Elite

Re: Dynamic VLAN assignment and 802.1X auth with MAC auth fallback

Are the ports untrusted and do you have an AAA profile applied?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

New Contributor

Re: Dynamic VLAN assignment and 802.1X auth with MAC auth fallback

Yes to both of those.

Thank you

A.J.
A.J. Siroin