Hello all,
I'm working on a project to implement a remediation VLAN for clients connecting to our RAP-3s' wired ports. A client connected to a RAP-3 should land in our production network VLAN unless it fails to pass or respond via EAP-TLS 802.1X security used in conjunction with a ClearPass server.
I talked with Aruba support, and they claimed there was no VSA or configuration for changing VLANs for a wired port on an AP. Without getting too deep into the configuration, here's a chunk below.
user-role authenticated
  vlan *prod vlan*
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall

user-role remediation
  vlan *remediation vlan*
  access-list session global-sacl
  access-list session apprf-remediation-sacl
  access-list session dhcp-acl
  access-list session dns-acl

ap wired-port-profile "remediation-dot1x"
  wired-ap-profile "vlanprod"
  aaa-profile "remediation"

ap wired-ap-profile "vlanprod"
  wired-ap-enable
  switchport access vlan *prod VLAN id*
The initial role is remediation, and the dot1x post-auth role is authenticated. Clients that fail 802.1X remain in the remediation role and are placed in the remediation VLAN. Clients that pass are then placed into the prod network. This is actually working pretty well despite one hiccup!
Our PCs that should pass authentication will usually land in the remediation role/VLAN for a few seconds and pull an IP in that network, then flip to the authenticated role and shortly after grab a production IP. This works consistently when unplugging/plugging in the cable, and when shutting down and booting the PC back up.
The issue occurs when doing a reboot. About 50% of the time the PC will follow the same process as above and end up in the production VLAN with a production IP - no issues. The other 50% of the time, the PC will land in the remediation role, pull a remediation IP and keep it even after getting pushed to the authenticated role. The prod IP won't ping, the remediation IP won't ping, and an IP release/renew doesn't make the client pull a new IP in the production VLAN even though it shows that it's in the authenticated role. It's like it hangs out in some odd "limbo" state until the PC is either rebooted again, or the Ethernet cable is unplugged/plugged in again. Aruba TAC hasn't been able to assist on why this is happening.
I think it has something to do with the amount of time it takes for the client to drop out of the user-table (user idle-timeout)? If I reboot a client, then do an aaa user delete mac *macaddress* before it boots back up, it seems to consistently come up and land in the production role and pull a production IP without any issues.
I'm wondering if anyone else has run into this issue and has a solution. I'm also wondering if anyone else has implemented a remediation VLAN or similar configuration with RAP-3s and found success.
Thanks!
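As an added example for the "limbo" state described in this post (not the poster's own tooling and not anything from Aruba), the script below checks a user-table listing for clients whose role no longer matches the subnet their IP came from, and emits the `aaa user delete mac` command the post reports as the manual workaround. It generalizes slightly beyond the post: it flags any role/subnet mismatch, not only authenticated-role clients holding a remediation IP. Everything specific is an assumption: the sample user-table text is constructed, its column layout is assumed (real `show user-table` output has more columns), the two subnets are placeholders, and the one-minute age threshold (to ignore clients still mid-flip) is a chosen value.

```python
"""Detect 802.1X clients stuck with an IP from the wrong VLAN after a role change.

Added example for this thread. Assumptions: the user-table sample is constructed,
its column layout is assumed, and the subnets are placeholders.
"""
import ipaddress
import re

# Assumed subnets for the two VLANs in the thread (placeholders, not from the post).
ROLE_SUBNETS = {
    "authenticated": ipaddress.ip_network("10.10.0.0/24"),  # prod VLAN
    "remediation": ipaddress.ip_network("10.99.0.0/24"),    # remediation VLAN
}

# Constructed sample; the column layout is an assumption for this example.
SAMPLE_USER_TABLE = """\
IP           MAC                Role           Age(d:h:m)  Auth    AP
-----------  -----------------  -------------  ----------  ------  --------
10.10.0.21   aa:bb:cc:00:00:01  authenticated  00:01:15    802.1x  rap3-01
10.99.0.44   aa:bb:cc:00:00:02  remediation    00:00:40    802.1x  rap3-01
10.99.0.45   aa:bb:cc:00:00:03  authenticated  00:00:12    802.1x  rap3-02
10.99.0.46   aa:bb:cc:00:00:04  authenticated  00:00:00    802.1x  rap3-02
"""

# One data row: IP, MAC, role, age as d:h:m, auth type, AP name.
ROW_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<role>\S+)\s+(?P<age>\d+:\d+:\d+)\s+(?P<auth>\S+)\s+(?P<ap>\S+)\s*$",
    re.IGNORECASE,
)


def age_minutes(age):
    """Convert a d:h:m age string to whole minutes."""
    d, h, m = (int(x) for x in age.split(":"))
    return d * 1440 + h * 60 + m


def parse_user_table(text):
    """Return one dict per data row; header, separator and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue
        entry = match.groupdict()
        entry["ip"] = ipaddress.ip_address(entry["ip"])
        entry["age_min"] = age_minutes(entry["age"])
        entries.append(entry)
    return entries


def find_stuck_clients(entries, min_age_minutes=1):
    """Clients whose IP is outside the subnet their current role should put them in.

    Entries younger than min_age_minutes are ignored: a client that just flipped
    roles may legitimately still hold the old address for a few seconds.
    """
    stuck = []
    for entry in entries:
        expected = ROLE_SUBNETS.get(entry["role"])
        if expected is None:
            continue  # role not tied to a VLAN we track
        if entry["ip"] not in expected and entry["age_min"] >= min_age_minutes:
            stuck.append(entry)
    return stuck


def clear_commands(stuck):
    """The controller command the thread reports as the working manual workaround."""
    return [f"aaa user delete mac {entry['mac']}" for entry in stuck]


if __name__ == "__main__":
    found = find_stuck_clients(parse_user_table(SAMPLE_USER_TABLE))
    for entry in found:
        print(f"{entry['mac']} role={entry['role']} ip={entry['ip']} "
              f"age={entry['age']} on {entry['ap']}")
    for cmd in clear_commands(found):
        print(cmd)
```

Run against a saved `show user-table` capture, only the third sample row is reported: it has been in the authenticated role for twelve minutes while still holding a remediation-subnet address, which is exactly the stuck state the post describes. The fourth row holds a remediation address too but is seconds old, so it is treated as a client still mid-flip.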