Dear,
Situation: Our customer wants to have enforce machine authentication enabled on their 7000 series controllers; they are for the moment on AOS 6.3.1.8.
User-only authenticated has to fall into VLAN x
Machine-only authenticated has to fall into VLAN y
User and machine authenticated has to fall into VLAN z
We configured this with role-based VLANs: when a user is authenticated he gets the role "user" with VLAN x attached to it. When a machine is authenticated it gets the role "machine" with VLAN y attached to it, and the same for user and machine: the role "full" with VLAN z attached to it.
Well, this is not working anymore in 6.3; we get the following:
User-only: falls into the default VLAN configured on the VAP (if none is configured, the default VLAN of the controller)
Machine-only: falls into the default VLAN configured on the VAP (if none is configured, the default VLAN of the controller)
User and machine: falls into the correct VLAN z.
This seemed buggy in my opinion, so I opened a ticket with TAC. After a few days of debugging they let me know that this is expected behaviour. According to our Aruba representative, Aruba is probably even going to remove role-based VLANs completely in 6.5.
TAC: RBV (role-based VLANs) from machine-authentication-default-machine-role and machine-authentication-default-user-role are deprecated beginning in 6.3.
We tried sending the Aruba VSAs back from the NPS server, but then we get the same behaviour, and even the machine and user auth falls into the VLAN that we sent back from the last authentication that happened (in this case the user authentication, so VLAN x). So this is also not an option.
So now my question: can we implement the requested configuration in another way?
We know that ClearPass can handle this with authentication caching, but this is not an option for the moment.
Does MS NPS also do some sort of authentication caching like ClearPass does? Something else, maybe?
Kind regards,