Wireless Access

Occasional Contributor II

Help with VLAN Assignments and CPPM/AP Groups...

Hello, I'm in the process of phasing in Aruba wireless where we used to use Cisco.

 

Previously and in my tests, we've had one AP group per school building and then a dedicated wireless vlan within that building.  

 

We've purchased CPPM, and I'm working my way to having only two SSIDs -- one secure and one for guest.

 

I've figured out how to have different AP groups for the buildings, and how to pass back a VLAN attribute using Enforcement profiles from CPPM, but the thing I'm confused about is how I can pass back a different VLAN depending on what AP group the user is originating from.

 

If a user is associated to an AP in the HS AP group I'd like to pass back VLAN 10.

If the same user later associates to an AP in the MS AP group I'd like to instead pass back VLAN 20.

 

Is this possible, or should I be doing something different?

Re: Help with VLAN Assignments and CPPM/AP Groups...

You should be able to accomplish this using either a role mapping or within the enforcement policy, using the Radius: Aruba > Aruba-AP-Group attribute as a condition to assign the VLAN.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Help with VLAN Assignments and CPPM/AP Groups...

The RADIUS return from CPPM seems to be working but I can't pass any traffic. Do I assign multiple VLANs to the SSID controller side so that it can be re-used for each AP group? Where does the controller see this RADIUS return and use it?

Re: Help with VLAN Assignments and CPPM/AP Groups...

Did you define / configure that VLAN in the controller?

If the VLAN(s) are hosted on your CORE/Distribution switch, make sure that you are trunking that VLAN.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Help with VLAN Assignments and CPPM/AP Groups...

In regards to how to pass back a different VLAN depending on what AP group the user is originating from:

You will have to configure a Role and role mapping and an enforcement profile and policy (see attachment for pictures).

 

1. Create the roles

Roles: created AP-Group10 Users and AP-Group20 Users (they are only labels you identified)

2. Role Mappings: created a mapping with 2 conditions that states anyone connected to AP-Group10/20 is assigned to the Role AP-Group10 Users / AP-Group20 Users

3. Create the Profiles (action that assigns the VLAN)

TEMPLATE: Aruba RADIUS Enforcement

- I create the first one, then copy it and change the name and VLAN

4. Create Enforcement Policy

- Rules that state for the Role AP-Group* Users do Action AP-Group* to VLAN *

 

I used the following reference and built on it. Good Luck

https://community.arubanetworks.com/t5/Security/VLAN-assignment-with-clearpass/td-p/223834
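The four steps above, modelled as an added example that is not part of the post or of ClearPass itself: the controller sends the Aruba-AP-Group vendor attribute in the Access-Request, a role mapping turns it into a role label, the enforcement policy picks a profile for that role, and the profile returns Aruba-User-Vlan. The AP group names, role labels, VLAN numbers and the controller/trunk state are constructed for illustration; the trunk check at the end reproduces the failure mode raised earlier in the thread, where the RADIUS return is correct but the client passes no traffic because the VLAN is not defined on the controller or not carried on its uplink.

```python
"""Toy model of the ClearPass flow from the post (constructed example, not
ClearPass code): Aruba-AP-Group -> role mapping -> enforcement policy ->
enforcement profile returning a VLAN. Attribute names follow the Aruba
RADIUS VSA dictionary; every value below is made up."""

# Step 1 + 2: role mapping -- AP group name seen in the request -> role label.
ROLE_MAPPING = {
    "HS": "AP-Group10 Users",   # constructed: high-school building APs
    "MS": "AP-Group20 Users",   # constructed: middle-school building APs
}

# Step 3: enforcement profiles -- RADIUS attributes each profile returns.
ENFORCEMENT_PROFILES = {
    "AP-Group10 to VLAN 10": {"Aruba-User-Vlan": 10},
    "AP-Group20 to VLAN 20": {"Aruba-User-Vlan": 20},
}

# Step 4: enforcement policy -- ordered rules of (role, profile) plus a default.
ENFORCEMENT_POLICY = [
    ("AP-Group10 Users", "AP-Group10 to VLAN 10"),
    ("AP-Group20 Users", "AP-Group20 to VLAN 20"),
]
DEFAULT_PROFILE = "Deny Access"

# Controller-side state the later replies point at (constructed): the returned
# VLAN must exist on the controller AND be trunked on its uplink.
CONTROLLER_VLANS = {10, 20}
TRUNKED_VLANS = {10}   # VLAN 20 deliberately left off the trunk


def map_role(request):
    """Role mapping: the AP group the client associated through selects the role."""
    return ROLE_MAPPING.get(request.get("Aruba-AP-Group"))


def evaluate_policy(role):
    """Enforcement policy: first matching rule wins, otherwise the default profile."""
    for policy_role, profile in ENFORCEMENT_POLICY:
        if role == policy_role:
            return profile
    return DEFAULT_PROFILE


def authorize(request):
    """Run the whole chain for one Access-Request and build the reply."""
    role = map_role(request)
    profile = evaluate_policy(role)
    if profile == DEFAULT_PROFILE:
        # Unknown AP group: no role matched, so the client is rejected rather
        # than silently dropped onto some default VLAN.
        return {"result": "Access-Reject", "role": role, "attributes": {}}
    return {
        "result": "Access-Accept",
        "role": role,
        "attributes": dict(ENFORCEMENT_PROFILES[profile]),
    }


def check_controller_path(vlan):
    """Explain why a correct RADIUS return can still leave the client without traffic."""
    problems = []
    if vlan not in CONTROLLER_VLANS:
        problems.append(f"VLAN {vlan} is not defined on the controller")
    if vlan not in TRUNKED_VLANS:
        problems.append(f"VLAN {vlan} is not trunked on the controller uplink")
    return problems


if __name__ == "__main__":
    # Constructed Access-Requests: same user, two different AP groups.
    for ap_group in ("HS", "MS", "LIB"):
        req = {"User-Name": "jdoe", "Aruba-AP-Group": ap_group}
        reply = authorize(req)
        print(ap_group, reply)
        vlan = reply["attributes"].get("Aruba-User-Vlan")
        if vlan is not None:
            print("  controller path problems:", check_controller_path(vlan) or "none")
```

The same user gets VLAN 10 from the HS group and VLAN 20 from the MS group purely from the Aruba-AP-Group condition, which is the behaviour the original question asks for; a request from an AP group with no mapping falls through to the default profile. The check_controller_path call is the part to run mentally when "the RADIUS return works but nothing passes": a VLAN that ClearPass returns but the controller has never been told about, or that is missing from the uplink trunk, gives exactly that symptom.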

 

Frequent Contributor II

Re: Help with VLAN Assignments and CPPM/AP Groups...

I'm assuming you're wanting to connect the APs in tunnel mode, correct, not trying to convert your wireless from an older system which used local VLANs from the switch where the access point is plugged into. Is this the reason why you are trying to direct users to a VLAN by location? I could see your thinking this where a user connected to an AP gets bridged to the local switch the AP is connected to. Aruba can do that, called bridge mode, but you lose a lot of functionality; I don't think you can do role changes in bridge mode, if that's what you're trying to do. We run 2 VLANs per controller, 1 for the secure network (/18) and 1 for guest traffic (/18); it's the same 2 VLAN numbers for each controller, and we terminate that VLAN on the layer 3 router connected to each controller. That way if we lose a controller, the AP backup LMS directs the AP to connect to a different controller; because the same VLAN number is configured, the users will have to get a new IP address subnet but they reconnect.

 

 

 
