Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Multiple Subnets with the Same SSID profile?

  • 1.  Multiple Subnets with the Same SSID profile?

    Posted Jul 28, 2017 10:49 AM

    Right now I have a large subnet servicing multiple locations. I want to break up the locations into their own individual subnets.

    I have a VLAN configured on the VAP, and I imagined changing that might work. But I also realized I am using ClearPass and sending a role that has a VLAN attached to it back to authenticated users.

    What takes priority? Do I need to make multiple roles? I figured multiple VAPs would be the first step to setting this up. But what about roles? Do I need to create user roles for each location?



  • 2.  RE: Multiple Subnets with the Same SSID profile?

    Posted Jul 28, 2017 10:55 AM

    Do you currently have a VLAN assignment under the user-role?



  • 3.  RE: Multiple Subnets with the Same SSID profile?

    Posted Jul 28, 2017 11:02 AM

    Yes I do. The roles have VLAN ID assigned.



  • 4.  RE: Multiple Subnets with the Same SSID profile?

    Posted Jul 28, 2017 11:07 AM
    If every location will have its own AP-Group/VAP, then you can get away from assigning the VLAN at the user-role level and just do it on the VAP.

    The other option is to send that VLAN from ClearPass based on the AP-Group/Location.


  • 5.  RE: Multiple Subnets with the Same SSID profile?

    Posted Jul 28, 2017 11:12 AM

    So I can see how that would work with the corporate network and the guest network. But we have Apple TV that joins the guest network (non-802.1X) and gets a role from ClearPass to have the same VLAN as the corporate network.

    So is using ClearPass the better method? Can you direct me to documentation on setting that portion up? Is it not ideal to assign the VLAN based on user role? Obviously I'd like the least amount of complexity possible because this network is scaling rapidly.



  • 6.  RE: Multiple Subnets with the Same SSID profile?

    Posted Jul 28, 2017 11:22 AM
    Do you need different VLANs for your AppleTV based on the location too?

    Doing it at the user-role level is not a bad practice; it just wouldn't work for what you are trying to do.


  • 7.  RE: Multiple Subnets with the Same SSID profile?

    Posted Jul 28, 2017 11:24 AM

    Yes I'd like to have the AppleTVs show as the subnet of the location. So it needs to be different based on the location as well.



  • 8.  RE: Multiple Subnets with the Same SSID profile?
    Best Answer

    Posted Jul 28, 2017 11:31 AM
    In that case you will need to send the VLANs for each location from ClearPass, using the Aruba:Aruba-AP-Group attribute as a condition to get the right VLAN for the AppleTVs, since the Guest VAP has two use cases (Visitors and Headless Devices).

    Visitor/Guest will be fine with the VLAN assigned in the VAP.


  • 9.  RE: Multiple Subnets with the Same SSID profile?

    Posted Jul 28, 2017 11:34 AM

    So just for clarity: I can put the VLAN in the VAP for the corporate network and the guest network.

    Then for the AppleTVs I assign a VLAN based on location (AP group)?

    So I should remove the VLAN from the user roles altogether?



  • 10.  RE: Multiple Subnets with the Same SSID profile?

    Posted Jul 28, 2017 11:35 AM
    Correct


  • 11.  RE: Multiple Subnets with the Same SSID profile?

    Posted Jul 28, 2017 03:48 PM

    So this is now a further ClearPass question. Is there a way to accomplish this without needing to create an enforcement policy for each location?

    I see the way to send the VLAN is a Role Map to check the AP group, then an enforcement profile to return the VLAN for the subnet.

    Is there a more efficient way?



  • 12.  RE: Multiple Subnets with the Same SSID profile?

    Posted Jul 29, 2017 09:34 AM
    You could put those AppleTVs in the same guest VLAN you are planning to use in the VAP and create an AirGroup policy where you restrict it to only be visible by the staff user-role.

    Otherwise you will need to create an enforcement policy for every location to return the internal VLAN for the site where the AppleTV is located.
