Wireless Access

New Contributor
Posts: 3
Registered: ‎12-17-2014

Server Derivation

Dear All,

New to Aruba, coming from Cisco... I have 1 SSID, for example WIFI, and I want the corporate employees and guests to connect to this SSID. Whatever authentication happens, it will be sent to the Clearpass box, and based on user credentials the Clearpass will put the user in the right VLAN.

And based on that, the Aruba controller will do the routing. I tried to look for help on the internet, but I was not content... Is there any document that walks you step by step through how to do it, or can someone explain it to me?

Appreciate your help and support.

Thanks,

Sam

Guru Elite
Posts: 8,774
Registered: ‎09-08-2010

Re: Server Derivation

Your guest users have corporate credentials?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 3
Registered: ‎12-17-2014

Re: Server Derivation

Thanks for replying. The guests will have a user name and password different from employees, and based on that the Clearpass will put the user in the right VLAN.

Valued Contributor II
Posts: 804
Registered: ‎12-01-2014

Re: Server Derivation

Hi friend,

I can help you on this.

Here, for any authenticated user a role should be assigned, and the user traffic will be controlled according to the policy (firewall policy) mapped to that role.

In Aruba we can assign a role in 2 different ways:

1. Through AAA profile: dot1x default role

2. Through server (Clearpass or any other server), generally called SDR or VSA

Priority will be given to SDR/VSA; if SDR is not configured, the user will be mapped to the role configured in the AAA profile (dot1x authentication default role).

[Image: SDR1.JPG]

If SDR is configured, the authenticated user will be assigned a role returned by the server.

Here the server will return the role name (it can return a VLAN also), and we should ensure that the role is defined in the controller (to create customised roles, the controller should have the PEFNG license installed).

We can configure SDR as shown below:

[Image: sdr2.JPG]

Here, as per the matching condition, the user will be assigned to a role (or a VLAN).

How to create roles and policies in the Aruba controller:

[Image: sdr5.JPG]

Ways of assigning a role to an authenticated user:

[Image: srd3.JPG]

What is the flow of role assignment:

[Image: sdr4.JPG]

How to configure SDR (server-derived role):

[Image: sdr6.JPG]

In order to achieve the above, we should have configured the server properly, which is very similar to Cisco :)

Hope you got some idea.

Please feel free to come back if any further help is needed on this.


Cheers,
Venu Puduchery,
[Is my post helped you ? Give Kudos :) ]
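
Added example, not part of the thread and not Aruba or ClearPass code: a small Python model of the assignment order described in the post above (a server-derived role takes priority, otherwise the AAA profile default role applies), plus a check that every role a rule can return is defined on the controller. The rule format, first-match ordering, attribute values and role names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    attribute: str  # RADIUS attribute returned by the server
    operator: str   # "equals" or "contains"
    operand: str
    role: str       # role assigned when the rule matches

def matches(rule, attrs):
    value = attrs.get(rule.attribute)
    if value is None:
        return False
    if rule.operator == "equals":
        return value == rule.operand
    if rule.operator == "contains":
        return rule.operand in value
    raise ValueError(f"unsupported operator: {rule.operator}")

def derive_role(attrs, rules, default_role):
    """Return (role, source). Assumes the first matching rule wins;
    with no match the AAA profile default role is used."""
    for rule in rules:
        if matches(rule, attrs):
            return rule.role, "server-derived"
    return default_role, "aaa-default"

def undefined_roles(rules, default_role, defined_roles):
    """Roles referenced by a rule or the default but missing on the controller."""
    referenced = {r.role for r in rules} | {default_role}
    return sorted(referenced - set(defined_roles))

# Constructed sample data (hypothetical names, not from the thread).
RULES = [
    Rule("Filter-Id", "equals", "employee", "corp-employee"),
    Rule("Filter-Id", "equals", "guest", "guest-internet-only"),
    Rule("Class", "contains", "contractor", "contractor"),
]
DEFINED_ROLES = {"corp-employee", "guest-internet-only", "deny-all"}
DEFAULT_ROLE = "deny-all"  # least-privileged fallback when no rule matches

if __name__ == "__main__":
    samples = ({"Filter-Id": "employee"}, {"Filter-Id": "guest"},
               {"Filter-Id": "unknown"})
    for attrs in samples:
        print(attrs, "->", derive_role(attrs, RULES, DEFAULT_ROLE))
    print("roles missing on controller:",
          undefined_roles(RULES, DEFAULT_ROLE, DEFINED_ROLES))
```

Because an unmatched user lands in the default role, the model uses a restrictive default so that a missing or mistyped server attribute cannot place a guest in the employee role.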
Guru Elite
Posts: 8,774
Registered: ‎09-08-2010

Re: Server Derivation

If you are using ClearPass, there is no need to use Server-derived rules in the controller.

Are you already doing 802.1X with ClearPass right now? Can you post some screen shots of your service?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 315
Registered: ‎04-03-2014

Re: Server Derivation

Welcome over to the bright side :)

How do you differentiate your guest users from your corporate users? Are the corporate users in their own source (Active Directory, for example) and the guest users in the Clearpass guest repository?

Or are guests and corporate users in the same authentication source, and you differentiate on, for example, group membership?

Depending on this, you want to define role mapping policies and enforcement profiles that classify who's a guest and who's a corporate user, and then enforce the right role/VLAN to be returned to the controller.

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP
New Contributor
Posts: 3
Registered: ‎12-17-2014

Re: Server Derivation

Thanks so much to you and everyone else who was trying to help. I followed the steps and it's working now.
