Wireless Access

We have used Aruba for a few years now but only recently have we purchased and played with the RAP products.  I have them working with our controller, but I have had a small problem with them.

 

As it stands, I have the secure ports on the RAP5 and RAP2 set to MAC authenticate against our NAC to ensure that no unregistered devices are able to utilize their wired ports.  When an unregistered device plugs in, they are given the 'unregistered' role and are able to access the appropriate registration pages.  After they complete the registration process, it then gives them their appropriate role ('employee' for example).  However, they are still in the VLAN assigned to the 'unregistered' role until they either reset the device or physically unplug/replug their ethernet cable.  Releasing and renewing the IP (Windows) has no effect.

 

I'm guessing it has something to do with the link-state on the RAP's port, but I'm not sure.  This isn't a deal breaker by any means, but I was wondering if the RAP is acting as intended or if there is something I can do to smooth out the registration process for the end-user.

The physical device (laptop) will not re-ip unless the link to the port on the access point is bounced, so you need to unplug and then replug to make this happen.  How are you changing the role of the device?

 

During authentication, the role is pulled from our NAC and it is receiving the proper role ('employee' for example).  My only issue was with the fact that it requires the user to either restart or unplug/reconnect to the RAP after registration (when using one of the RAP's wired ports).  This isn't necessary when registering over wireless so I was wondering if this was abnormal.  The executable that we use for registration essentially forces the NIC to release/renew after authentication/registration but it still pulls an address from the registration VLAN and will continue to do so until the link-state goes down and back up again (even though the device is showing up with the proper role on the Aruba controller).

In most situations, any device using our RAPs will be registered in advance so this isn't really a big deal.  I just want to make sure that I'm not overlooking something that could simplify the registration process when using a RAP.

When you have a wired device connecting on shared port, even if you change the role of the device, you must disconnect to change the VLAN, unfortunately.

 

Even solutions that do this VLAN change on wireless, also blacklist the device temporarily.

 

Okay, that's fine.  I just wanted to ensure that it was working as intended.  I think that having my users restart their machine after registration on a RAP would be the simplest way to handle this (which is fine by me).  Thanks for the responses CJ.

One last thing, does this also apply to secure ports on an S3500?

Not sure in the 3500.

What you might want to do is just change the role and not the vlan.... if the role is registration, they get the portal. If they unplug or you use XML-api or coa to change the role, the used will then be able to pass traffic without unplugging.

This is definitely something that I will have to consider.  Thanks again for the assistance.