Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Role ID vlan

  • 1.  Role ID vlan

    Posted Mar 30, 2015 05:26 PM

    Good Afternoon,

    We have two SSIDs based on 802.1X authentication, one for machine authentication and the other for user authentication, both authenticated via RADIUS; we have a rule that authenticates both the one and the other.
    Say we have the SSIDs Corp and Guest.
    Corp has VLAN 300 assigned to it and Guest has VLAN 400 assigned. Depending on the SSID you get one ID or the other.
    When I go to the AAA profile Corp and set a role to be assigned if the device succeeds in authenticating the user, it distributes VLAN 300 and not 400. How do I assign it to VLAN 400 if the user can authenticate with the Machine Authentication rule: Default User Role of my 802.1x profile?
    If I put VLAN 400 in the distribution scope of my VAP_Corp, it randomly distributed addresses from the two VLANs.
    If in the access control I put the Role VLAN ID to VLAN 400 in the same rule that it meets when authenticated, it simply ignores it and continues distributing what is marked in VAP_Guest.
    Any suggestions?
    I have ArubaOS version 6.3.1.13.



  • 2.  RE: Role ID vlan

    Posted Mar 31, 2015 09:09 AM

    You can assign VLANs in various ways. From your question, I could not be certain of how you are doing it vs. how you want to do it.


    - Assign a default VLAN in the virtual AP profile (this will be the default for the SSID)

    - Assign a VLAN as part of a user role (this will override the default VLAN in the virtual AP)

    - Assign a VLAN based on an Aruba VSA from RADIUS (RADIUS makes a decision and assigns an appropriate VLAN by returning attributes to the controller)

    - Define user or server derived rules on the controller to set a VLAN for specific devices


    You can also run the following command to determine how/why the client was assigned a particular VLAN:


    show user ip x.x.x.x


    Look for the VLAN Derivation field.




  • 3.  RE: Role ID vlan

    Posted Mar 31, 2015 09:29 AM

    Hi Clembo, thanks for the reply.

    I'll try to explain how we use it here.
    The VLAN distribution is set up in our VAP, but the question is precisely this: I read in the manual that when configuring the VLAN ID ROLE in USER ROLES it overrides the VLAN that is configured on my VAP, as you mentioned. But that's not what's happening. It is distributing the VLAN that is in the VAP; if I delete the VLAN of the VAP and leave only the USER ROLE, it does nothing.
    My 802.1x profile has two rules: Machine Authentication assigns rule X and User Authentication assigns Y. Within rule Y, for example, I put ROLE VLAN ID 300 and it did not assign this VLAN when the user authenticates with User Authentication. I'm already thinking of doing the VLAN change in my RADIUS server, but I'd still rather leave everything centralized in my controller.



  • 4.  RE: Role ID vlan

    Posted Nov 28, 2017 05:05 AM

    @Rafap wrote:

    Hi Clembo, thanks for the reply.

    I'll try to explain how we use it here.
    The VLAN distribution is set up in our VAP, but the question is precisely this: I read in the manual that when configuring the VLAN ID ROLE in USER ROLES it overrides the VLAN that is configured on my VAP, as you mentioned. But that's not what's happening. It is distributing the VLAN that is in the VAP; if I delete the VLAN of the VAP and leave only the USER ROLE, it does nothing.
    My 802.1x profile has two rules: Machine Authentication assigns rule X and User Authentication assigns Y. Within rule Y, for example, I put ROLE VLAN ID 300 and it did not assign this VLAN when the user authenticates with User Authentication. I'm already thinking of doing the VLAN change in my RADIUS server, but I'd still rather leave everything centralized in my controller.


    That's exactly the same behaviour that I recognize in a similar setup.

    Was this problem ever solved?

    Anybody any idea?



  • 5.  RE: Role ID vlan

    EMPLOYEE
    Posted Nov 28, 2017 05:19 AM

    Florian,


    Do you have "Enforce Machine Authentication" enabled?



  • 6.  RE: Role ID vlan

    Posted Nov 28, 2017 05:28 AM

    Do you mean Enforce Machine Authentication in AAA Profile => 802.1X Authentication?

    It is not configured.

    sh user ip x.x.x.x

    shows following output:

    Role: authenticated_klasse_at_netz (how: ROLE_DERIVATION_L3_ARUBA_VSA), ACL: 125/0
    Authentication: Yes, status: started, method: Web, protocol: PAP, server: cpg
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: ROLE_DERIVATION_L3_ARUBA_VSA
    VLAN Derivation: Default VLAN

    VLAN Derivation should be from the user role and not the default which is configured in the VAP.
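As an added example (not code from the thread or from HPE Aruba), a small parser for the "show user ip" output format quoted above, with a check that flags users whose role has a VLAN configured but whose VLAN Derivation still reads "Default VLAN" (the symptom discussed in this post and the command recommended in reply 2). The sample output and the role-to-VLAN mapping are constructed assumptions.

```python
import re

# Constructed sample in the shape of the ArubaOS "show user ip" output quoted in
# the thread; the values are made up for this example, not captured from a controller.
SAMPLE_OUTPUT = """\
Role: authenticated_klasse_at_netz (how: ROLE_DERIVATION_L3_ARUBA_VSA), ACL: 125/0
Authentication: Yes, status: started, method: Web, protocol: PAP, server: cpg
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_L3_ARUBA_VSA
VLAN Derivation: Default VLAN
"""

# Assumed (hypothetical) mapping of user role -> VLAN configured under that role.
ROLE_VLANS = {"authenticated_klasse_at_netz": 2}

ROLE_RE = re.compile(r"^Role:\s*(\S+)\s*\(how:\s*([A-Z0-9_]+)\)")


def parse_show_user(text):
    """Extract role, role derivation and the other 'key: value' fields into a dict."""
    fields = {}
    for line in text.splitlines():
        m = ROLE_RE.match(line)
        if m:
            fields["role"], fields["role_how"] = m.group(1), m.group(2)
            continue
        if ":" in line and not line.startswith("Bandwidth"):
            key, _, value = line.partition(":")
            fields[key.strip().lower().replace(" ", "_")] = value.strip()
    return fields


def check_vlan_derivation(fields, role_vlans):
    """Return a finding when the role carries a VLAN but the user stayed on the VAP default."""
    role = fields.get("role")
    expected = role_vlans.get(role)
    if expected is not None and fields.get("vlan_derivation") == "Default VLAN":
        return f"role {role} expects VLAN {expected} but VLAN Derivation is 'Default VLAN'"
    return None


if __name__ == "__main__":
    parsed = parse_show_user(SAMPLE_OUTPUT)
    print(check_vlan_derivation(parsed, ROLE_VLANS) or "VLAN derivation as expected")
```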



  • 7.  RE: Role ID vlan

    Posted Nov 28, 2017 05:29 AM

    For information, the user role authenticated_klasse_at_netz is assigned to another VLAN than the default VLAN.

    No matter whether clients will recognize the VLAN change, I am confused why the VLAN is not derived by the user role.



  • 8.  RE: Role ID vlan

    EMPLOYEE
    Posted Nov 28, 2017 05:46 AM

    What happens when you put a VLAN in the VAP?  Does the user role VLAN get applied?



  • 9.  RE: Role ID vlan

    Posted Nov 28, 2017 06:16 AM

    In this setup there is a VLAN assigned to the VAP SSID.

    This is the VLAN where clients are connected to the whole time instead of changing it after authentication.



  • 10.  RE: Role ID vlan

    EMPLOYEE
    Posted Nov 28, 2017 06:34 AM

    FlorianKueck,


    So is the problem that:


    - Client Authenticates

    - Client is assigned a role with a VLAN

    - Client ends up in the VAP Vlan instead of the role VLAN


    How is the client assigned the role upon authentication?



  • 11.  RE: Role ID vlan

    Posted Nov 28, 2017 06:44 AM

    Yes exactly that's what happens.

    Client is authenticating via captive portal against CPPM.

    CPPM sends user role back to controller.

    User Role is assigned correctly "authenticated_klasse_at_netz" after user logged in with username password.



  • 12.  RE: Role ID vlan

    EMPLOYEE
    Posted Nov 28, 2017 06:49 AM

    You really should not switch VLANs in Captive Portal, because the client cannot tell that the VLAN has changed; the link does not go down.  If you were doing this with 802.1x, where the VLAN change occurs before the client gets an ip address, you would have a chance.



  • 13.  RE: Role ID vlan

    Posted Nov 28, 2017 07:04 AM

    As I mentioned before, I know that this would be another problem to deal with (e.g. forcing the client to deauth after authentication). But I want to understand where my mistake is. Why does the client not get the mentioned VLAN?

    I would expect the client to change VLAN and I would see it in the output. But that's not happening.



  • 14.  RE: Role ID vlan

    EMPLOYEE
    Posted Nov 28, 2017 07:36 AM

    Are you returning a role from ClearPass or are you setting the role from the controller?  Did you try an Aruba-User-VLAN VSA from ClearPass, instead?



  • 15.  RE: Role ID vlan

    Posted Nov 28, 2017 07:38 AM

    I tried and it did not work.



  • 16.  RE: Role ID vlan

    EMPLOYEE
    Posted Nov 28, 2017 08:14 AM

    Did you enable user-debug for that user and examine the log?



  • 17.  RE: Role ID vlan

    Posted Nov 28, 2017 08:29 AM

    Yes I did. And I see that VLAN 516 is assigned instead of VLAN 2, as seen in the attachments (vlan derivation.JPG, user-role.JPG).