Wireless Access

HI,

 

We faced an issue while using CoA from ClearPass with MAC OSx, in clearpass i have allowed access to all 802.1x clients that have correct ceridentials to a guest vlan with limited access to get the device fingerprinting, then CPPM auto CoA the clients after a success fingerprinting and then clients reauthenticate again and match the corret OS policies.

 

This works fine except after CoA the MAC OSx clients do not release the old IP and get new IP from the new VLANs after CoA, they retain the old IP which is not valid anymore.

 

Anyone faced the samething ? I found the same issue reported with Cisco and ISE but couldn't find an article or post from Aruba.

 

Android and IOS clients work fine with no issues.

 

Kind Regards

Sorry I can't answer that, but that is really neat what you've done there.  Out of curiosity, how you doing the CoA?  Is it just a short session timeout?

 

Hope you manage to get it sorted for those MacOSx clients.

 

:smileyhappy:

 

 

Enabled "Profile Endpoints" under services and configured it to be triggered with any fingerprint update

 

Then under service i have created a policy on the top to match any endpoint that "fingerprint" doesn't exist and assign guest VLAN with guest logon limitation so that DHCP & HTTP will work and the profile will get updated, then CPPM does the rest of the magic :D

 

works fine it takes around 5 to 10 secs for the whole thing to work and CoA to kick in and reauthenticate the client again with the correct policy matching the OS.

 

Since the controller has a stateful firewall, why not just put them in the user VLAN and configure restrictions in the controller?

Different VLANs depending on the group and OS, so there isn't a default VLAN for all :(

Is this a Cisco WLC or switch ?

Aruba 7210 running 6.4.1

#7210

Why dont you create a enforcement profile that sends the same VLAN the device will use again but in the role only allow them to get DHCP and deny everything else that way you don't have to keep moving them from one VLAN to another .

 

The other thing you could do is set a very short lease time for the guest VLAN the device will during the profiling process which should be very short amount of time

 

Different VLANs for different users and OSs so cannot set the correct VLAN in the profiling phase since the OS is not populated until fingerprinting is done.

 

Tried the lease time set to 1 min still didn;t help

What's the reason for putting them in separate vlans instead of user roles?

seperate vlans since the firewalls are also filtering through IPs and subnets and different gateways and firewalls and internet lines 

this is a known clientside issue, some clients simply don't like to be put in another VLAN during an active session and don't automatically DHCP again.

 

i solved this once for MAC OS with a the onguard client doing an interface bounce. but beyond that im afraid there is no way around it.