Wireless Access

Reply
Frequent Contributor I
Posts: 81
Registered: ‎10-15-2012

Role Based Vlans and enforce machine authentication in AOS 6.3

Dear,

 

Situation: Our customer wants to have the enforce machine authentication enabled on their 7000series controllers, they are for the moment in AOS 6.3.1.8

User-only authenticated has to fall in to vlan x

Machine-only authenticated has to fall in vlan y

User and Machine authenticated has to fall in vlan z

 

We configured this with Role based vlans; so when a user is authenticated he is getting the role user with vlan x attached to this role. When a machine is authentication he gets role machine with vlan y attached to it, and same for user and machine role full with vlan z attached to it.

Well this is not working anymore in 6.3; we get the following:

User-only : falls in default vlan configured on the VAP (if none configured, the default vlan of the controller)

Machine-only: falls in default vlan configured on the VAP (if none configured, the default vlan of the controller)

user and machine: falls in the correct vlan z.

 

This seemed to be buggy in my opinion so I opened a ticket with TAC. After a few days of debugging) they have let me know that this is expected behaviour. Aruba is probably even going to remove the Role Based Vlan completely in 6.5 following our Aruba representive.

TAC: RBV (role-based VLANs) from machine-authentication-default-machine-role and machine-authentication-default-user-role are deprecated beginning in 6.3.

 

We tried with sending the Aruba VSA's back from the NPS server, but then we have the same behaviour and even the machine and user auth falls in the vlan that we have sent back from the last authentication that happened (in this case the user authentication so vlan x) So this is also not an option.

 

So now my question: can we implement the requested configuration on an other way?

We know that Clearpass can handle this with authentication caching, but this is not an option for the moment.

Does MS NPS also do some sort of authentication caching like clearpass does? Something else maybe?

 

Kind regards,

Thomas
ACMX#370 ACCP

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Role Based Vlans and enforce machine authentication in AOS 6.3

What is the purpose of the VLANs other than some sort of ACL?  Is there a business need for it?  If not, and the reasoning is being restrictive with network access, then consider just using Aruba roles here vs VLAN segmentation.  

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor I
Posts: 81
Registered: ‎10-15-2012

Re: Role Based Vlans and enforce machine authentication in AOS 6.3

The first 2 (user machine seperatly)  are vlans that both end up on his firewall.

The last vlan (full) is directly a full routed vlan that ends on coreswitch and doesn't pass the firewall

 

The customer wants to define all access from the first two on his firewall. He does not wish to do firewall configuration on the controller. He just wants that the controller drops the user in the 3 different vlans refering to on how they are authenticated, for the rest the controller has to have an allowall. (customers request)

Since this was working during a POC in earlier versions, he wants to do it like this.

Thomas
ACMX#370 ACCP

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Role Based Vlans and enforce machine authentication in AOS 6.3

OK...Thanks for the answer.  Can you try using a Server Derived Rule to assign VLAN Z?  

 

It is part of the server group profile in the controller.  Here is an excerpt from the user guide:

 

When you configure a server group, you can set the VLAN or role for clients based on attributes returned for the client by the server during authentication. The server derivation rules apply to all servers in the group. The user role or VLAN assigned through server derivation rules takes precedence over the default role and VLAN configured for the authentication method.

 

NOTE: The authentication servers must be configured to return the attributes for the clients during authentication. For instructions on configuring the authentication attributes in a Windows environment using IAS, refer to the documentation at http://technet2.microsoft.com/windowsserver/en/technologies/ias.mspx

 

The server rules are applied based on the first match principle. The first rule that is applicable for the server and the attribute returned is applied to the client, and would be the only rule applied from the server rules. These rules are applied uniformly across all servers in the server group. 

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor I
Posts: 81
Registered: ‎10-15-2012

Re: Role Based Vlans and enforce machine authentication in AOS 6.3

[ Edited ]

Thanks for your reply, but unfortunately we already tried this without succes.

That's what I meant with the following:

 

We tried with sending the Aruba VSA's back from the NPS server, but then we have the same behaviour and even the machine and user auth falls in the vlan that we have sent back from the last authentication that happened (in this case the user authentication so vlan x) So this is also not an option

 

it is a while ago when I configured it, but I believe it was like this with the VSA's:

machine only falls in vlan y (correct)

user only falls in vlan x (correct)

and because with machine and user auth they last are authenticated via the user role, they fall in vlan x (not correct)

 

what means if we give it the full routed vlan, user only will fall into the full routed vlan => Not  OK

 

Server derivation had the same result like sending back with Aruba VSA's this because the server doesn't do the authentication caching, it doesn't know the machine already is authenticated.

Thomas
ACMX#370 ACCP

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Role Based Vlans and enforce machine authentication in AOS 6.3

Yeah - you really need Clearpass for this I believe

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Search Airheads
Showing results for 
Search instead for 
Did you mean: