Contributor II
Posts: 125
Registered: ‎05-19-2013

captive portal role derivation and vlan assignment

Hi all.

I am trying to configure a guest network with an open SSID, using the internal captive portal. Authentication is done in ClearPass and the authenticated role is pushed to the controller from ClearPass.

Before authentication, the role is logon and 1001 is the VLAN assigned to the role. I am getting the IP address from 1001.

After authentication, the role is guest and 203 is the VLAN assigned to the role, but I am unable to get the IP address and it doesn't change from 1001.

Is it possible to change VLANs when we are doing L3 authentication?

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: captive portal role derivation and vlan assignment

Not possible with Captive Portal, because the physical device does not know that the layer 2 network has changed in the background. There is a way, where you can give a DHCP lease on the initial VLAN of 30 seconds or less and the client will re-dhcp and get an IP address on the new VLAN, but it is not practical.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: captive portal role derivation and vlan assignment

I am able to get the new role.


cjoseph wrote:

Not possible with Captive Portal, because the physical device does not know that the layer 2 network has changed in the background. There is a way, where you can give a DHCP lease on the initial VLAN of 30 seconds or less and the client will re-dhcp and get an IP address on the new VLAN, but it is not practical.



Actually, I have tried to release and renew the IP address, but it still didn't change.

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: captive portal role derivation and vlan assignment

This is after the client has authenticated via captive portal?  Are you sure that you are allowing DHCP traffic in the post-authentication role?

 



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: captive portal role derivation and vlan assignment


cjoseph wrote:

This is after the client has authenticated via captive portal?  Are you sure that you are allowing DHCP traffic in the post-authentication role?

 


For the post-authentication role, I have allowed all.

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: captive portal role derivation and vlan assignment

Does DHCP work on the new VLAN?  Does "show user-table verbose" show that the user has been switched to the new VLAN?

 



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: captive portal role derivation and vlan assignment

Yes, DHCP on the controller is configured.

And I have checked user-table verbose. I can see the role assigned, but the VLAN is not changing.

 

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: captive portal role derivation and vlan assignment

What are you using to change the vlan?


Colin Joseph
Aruba Customer Engineering


Aruba
Posts: 1,290
Registered: ‎08-29-2007

Re: captive portal role derivation and vlan assignment

Changing the VLAN by specifying it in the new role doesn't work for L3 authentication like captive portal.

 

In the CLI guide for command 'user-role <role> vlan x':

 

Identifies the VLAN ID or VLAN name to which the user role is
mapped. This parameter works only when using Layer-2
authentication such as 802.1X or MAC address, ESSID, or
encryption type role mapping because these authentications
occur before an IP address is assigned. If a user authenticates
using a Layer-3 mechanism such as VPN or captive portal this
parameter has no effect.

You could probably switch the VLAN by having a server derivation rule based on an attribute returned by ClearPass, but I've not tested exactly that for captive portal. You would still need the short initial lease as Colin mentioned though.

 

 



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: captive portal role derivation and vlan assignment


cjoseph wrote:

What are you using to change the vlan?

Role derivation from ClearPass, and I have assigned the post-authentication VLAN to that role in the controller.

 

 
