Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Role Based Vlans and enforce machine authentication in AOS 6.3

  • 1.  Role Based Vlans and enforce machine authentication in AOS 6.3

    Posted Aug 28, 2014 08:38 AM

    Dear,

     

    Situation: our customer wants to have enforce machine authentication enabled on their 7000 series controllers; they are currently on AOS 6.3.1.8.

    User-only authenticated has to fall into VLAN x

    Machine-only authenticated has to fall into VLAN y

    User and machine authenticated has to fall into VLAN z

     

    We configured this with role-based VLANs: when a user is authenticated he gets the role "user" with VLAN x attached to it. When a machine is authenticated it gets the role "machine" with VLAN y attached to it, and the same for user and machine, which get the role "full" with VLAN z attached to it.

    Well, this is not working anymore in 6.3; we get the following:

    User-only: falls into the default VLAN configured on the VAP (if none is configured, the default VLAN of the controller)

    Machine-only: falls into the default VLAN configured on the VAP (if none is configured, the default VLAN of the controller)

    User and machine: falls into the correct VLAN z.

     

    This seemed buggy in my opinion, so I opened a ticket with TAC. After a few days of debugging they let me know that this is expected behaviour. According to our Aruba representative, Aruba is probably even going to remove role-based VLANs completely in 6.5.

    TAC: RBV (role-based VLANs) from machine-authentication-default-machine-role and machine-authentication-default-user-role are deprecated beginning in 6.3.

     

    We tried sending the Aruba VSAs back from the NPS server, but then we have the same behaviour, and even the machine-and-user auth falls into the VLAN that we sent back from the last authentication that happened (in this case the user authentication, so VLAN x). So this is also not an option.

     

    So now my question: can we implement the requested configuration in another way?

    We know that ClearPass can handle this with authentication caching, but this is not an option for the moment.

    Does MS NPS also do some sort of authentication caching like ClearPass does? Something else, maybe?

     

    Kind regards,



  • 2.  RE: Role Based Vlans and enforce machine authentication in AOS 6.3

    EMPLOYEE
    Posted Aug 28, 2014 08:41 AM

    What is the purpose of the VLANs other than some sort of ACL? Is there a business need for it? If not, and the reasoning is being restrictive with network access, then consider just using Aruba roles here vs. VLAN segmentation.



  • 3.  RE: Role Based Vlans and enforce machine authentication in AOS 6.3

    Posted Aug 28, 2014 08:49 AM

    The first two (user and machine separately) are VLANs that both end up on his firewall.

    The last VLAN (full) is a fully routed VLAN that terminates directly on the core switch and doesn't pass through the firewall.

     

    The customer wants to define all access for the first two on his firewall. He does not wish to do firewall configuration on the controller. He just wants the controller to drop the user into the three different VLANs according to how they are authenticated; for the rest the controller has to have an allowall (customer's request).

    Since this was working during a POC in earlier versions, he wants to do it like this.



  • 4.  RE: Role Based Vlans and enforce machine authentication in AOS 6.3

    EMPLOYEE
    Posted Aug 28, 2014 08:59 AM

    OK... Thanks for the answer. Can you try using a Server Derived Rule to assign VLAN z?

     

    It is part of the server group profile in the controller.  Here is an excerpt from the user guide:

     

    When you configure a server group, you can set the VLAN or role for clients based on attributes returned for the client by the server during authentication. The server derivation rules apply to all servers in the group. The user role or VLAN assigned through server derivation rules takes precedence over the default role and VLAN configured for the authentication method.

     

    NOTE: The authentication servers must be configured to return the attributes for the clients during authentication. For instructions on configuring the authentication attributes in a Windows environment using IAS, refer to the documentation at http://technet2.microsoft.com/windowsserver/en/technologies/ias.mspx

     

    The server rules are applied based on the first-match principle. The first rule that is applicable for the server and the attribute returned is applied to the client, and is the only rule applied from the server rules. These rules are applied uniformly across all servers in the server group.



  • 5.  RE: Role Based Vlans and enforce machine authentication in AOS 6.3

    Posted Aug 28, 2014 09:19 AM

    Thanks for your reply, but unfortunately we already tried this without success.

    That's what I meant with the following:

     

    We tried sending the Aruba VSAs back from the NPS server, but then we have the same behaviour, and even the machine-and-user auth falls into the VLAN that we sent back from the last authentication that happened (in this case the user authentication, so VLAN x). So this is also not an option.

     

    It is a while ago that I configured it, but I believe it was like this with the VSAs:

    Machine only falls into VLAN y (correct)

    User only falls into VLAN x (correct)

    And because with machine and user auth they are last authenticated via the user role, they fall into VLAN x (not correct)

     

    Which means that if we give it the fully routed VLAN, user only will fall into the fully routed VLAN => Not OK

     

    Server derivation had the same result as sending back Aruba VSAs, because the server doesn't do authentication caching: it doesn't know the machine is already authenticated.



  • 6.  RE: Role Based Vlans and enforce machine authentication in AOS 6.3

    EMPLOYEE
    Posted Aug 28, 2014 11:40 AM

    Yeah - you really need ClearPass for this, I believe.
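
The model below is an added illustration of the point made in posts 4 to 6, not code from Aruba, Microsoft or any poster in this thread. It simulates a domain PC that does machine authentication at boot and user authentication at logon over the same MAC, a toy RADIUS server that either forgets the machine auth (NPS-like, as the OP observed) or caches it per client MAC for a TTL (the ClearPass-style "authentication caching" the thread says is needed), and the controller's first-match server derivation rules that turn the returned Aruba-User-Vlan attribute into a VLAN. VLAN numbers, MAC addresses, identities and the rule representation are all made-up assumptions; with no cache the client's last (user) authentication lands it in VLAN x, with a cache it lands in VLAN z.

```python
"""Toy model: enforce machine authentication + RADIUS-returned VLANs.

Added illustration only; not Aruba or Microsoft code. Assumptions:
VLAN ids, MACs and identities are made up; the RADIUS server keys its
machine-auth cache on client MAC; the controller's server derivation
rules are modelled as (attribute, operation, value, vlan) tuples.
"""
from dataclasses import dataclass, field

# Made-up VLAN ids for the three outcomes requested in the original post.
VLAN_USER_ONLY = 10     # vlan x: user authenticated, machine state unknown
VLAN_MACHINE_ONLY = 20  # vlan y: machine authenticated, nobody logged on
VLAN_FULL = 30          # vlan z: fully routed, bypasses the firewall


@dataclass
class RadiusServer:
    """cache_ttl=0 behaves like the NPS in the thread (no memory of an
    earlier machine auth); cache_ttl>0 models ClearPass-style machine
    authentication caching keyed on the client MAC."""
    cache_ttl: int = 0
    _machine_cache: dict = field(default_factory=dict)  # mac -> expiry time

    def machine_is_cached(self, mac: str, now: float) -> bool:
        return self._machine_cache.get(mac, 0.0) > now

    def authenticate(self, mac: str, identity: str, now: float) -> dict:
        """Return the attributes carried in the Access-Accept.
        Windows presents 'host/<fqdn>' as the identity for computer auth."""
        if identity.startswith("host/"):
            if self.cache_ttl > 0:
                self._machine_cache[mac] = now + self.cache_ttl
            return {"Aruba-User-Vlan": VLAN_MACHINE_ONLY}
        # User auth: only a server that remembers the earlier machine auth
        # for this MAC can tell "user + machine" apart from "user only".
        if self.machine_is_cached(mac, now):
            return {"Aruba-User-Vlan": VLAN_FULL}
        return {"Aruba-User-Vlan": VLAN_USER_ONLY}


# Controller-side server derivation rules, first match wins (post 4).
# Shape mirrors 'set vlan condition <attr> <op> <value> set-value <vlan>'.
SERVER_RULES = [
    ("Aruba-User-Vlan", "equals", str(VLAN_FULL), VLAN_FULL),
    ("Aruba-User-Vlan", "equals", str(VLAN_MACHINE_ONLY), VLAN_MACHINE_ONLY),
    ("Aruba-User-Vlan", "equals", str(VLAN_USER_ONLY), VLAN_USER_ONLY),
]


def derive_vlan(attrs: dict, rules, default_vlan: int) -> int:
    """First-match server derivation; fall back to the VAP default VLAN."""
    for attr, op, value, vlan in rules:
        if attr not in attrs:
            continue
        if op == "equals" and str(attrs[attr]) == value:
            return vlan
        if op == "value-of":          # use the attribute's own value as VLAN
            return int(attrs[attr])
    return default_vlan


def logon_sequence(server, mac, user, rules=SERVER_RULES, default_vlan=1,
                   boot_time=0.0, logon_delay=30.0):
    """Domain PC: machine auth at boot, then user auth at logon, same MAC.
    Every authentication re-derives the station's VLAN, so the second
    value is where the client finally ends up."""
    m_attrs = server.authenticate(mac, "host/pc01.example.local", boot_time)
    after_machine = derive_vlan(m_attrs, rules, default_vlan)
    u_attrs = server.authenticate(mac, user, boot_time + logon_delay)
    after_user = derive_vlan(u_attrs, rules, default_vlan)
    return after_machine, after_user


if __name__ == "__main__":
    mac = "aa:bb:cc:00:00:01"   # constructed client MAC
    print("no cache (NPS-like):  ", logon_sequence(RadiusServer(), mac, "alice"))
    print("machine cache 24h:    ", logon_sequence(RadiusServer(cache_ttl=86400), mac, "alice"))
    print("cache expired (60 s): ", logon_sequence(RadiusServer(cache_ttl=60), mac, "alice",
                                                   logon_delay=3600))
```

The failure case from post 5 is the first line of output: (20, 10), i.e. the machine landed in VLAN y and the subsequent user auth moved it to VLAN x because the server had no way to know that MAC had just passed machine auth. The cached case gives (20, 30). The TTL matters as well: if the cache entry expires before the user re-authenticates, the client drops back to the user-only VLAN, which is the conservative direction for the firewall-bypassing VLAN z.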