Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

vlan derivation - any solution left?

  • 1.  vlan derivation - any solution left?

    MVP
    Posted Jul 25, 2014 09:20 AM

    Breaking my head over this... did I finally get something I cannot solve with Aruba products?


    We have a need to do machine and user authentication on an 802.1X SSID.

    The problem, however, is that we need to give different VLANs for machine-only, user-only and fully authenticated clients using MS NPS.


    Apparently 6.3 changed things up a bit and I can no longer return the Aruba-User-Vlan VSA for user-only and/or machine-only.

    Also, user-role based VLANs are not possible (anymore?).

    • Role Based VLANs from the intermediate Machine Roles “Machine Authentication: Default Machine Role” and “User Authentication: Default User Role” will not be honored. The only state where derivation of any type is honored for the client is when it passes both Machine-auth && user-dot1x auth.

    So am I right in thinking Aruba no longer has a solution to give different VLANs for machine-only or user-only authenticated users? Or does anyone here have an idea how to circumvent this?



  • 2.  RE: vlan derivation - any solution left?
    Best Answer

    EMPLOYEE
    Posted Jul 25, 2014 09:22 AM
    My only contribution is that this is possible with ClearPass because the user/machine auth piece is offloaded.


  • 3.  RE: vlan derivation - any solution left?

    MVP
    Posted Jul 25, 2014 09:27 AM

    Unfortunately it isn't. Even with ClearPass this is no longer possible.


    ClearPass is a fix for the fully authenticated clients, and for that 802.1X Authentication Default Role I can still use the role-based VLANs. It is just the intermediate machine and/or user roles for which I can no longer use role-based VLANs and/or VSAs!



  • 4.  RE: vlan derivation - any solution left?

    EMPLOYEE
    Posted Jul 25, 2014 09:29 AM
    I have this configured with ClearPass without any issues.


  • 5.  RE: vlan derivation - any solution left?

    MVP
    Posted Jul 25, 2014 09:58 AM

    Hmm, now that you mention it, that does seem logical, since with ClearPass you wouldn't enforce machine auth on the controller and those machine-auth and user-auth roles don't come into play.


    Thanks!




  • 6.  RE: vlan derivation - any solution left?

    EMPLOYEE
    Posted Jul 25, 2014 10:00 AM
    Exactly. Turning off enforce machine auth adds a lot of flexibility on the ClearPass side using the built-in [User Authenticated] and [Machine Authenticated] role contexts.
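The approach the thread lands on, shown as an added example that is not from the thread or from HPE Aruba/ClearPass code: a RADIUS server that tracks machine authentication itself (a MAC-keyed cache standing in for the [Machine Authenticated] context) can derive machine-only, user-only and full states without the controller's enforce-machine-auth logic, and return a distinct VLAN for each in the Aruba-User-Vlan VSA. The vendor ID 14823 and attribute number 2 are the values from the standard Aruba RADIUS dictionary; the VLAN numbers, MACs and identities are constructed sample values.

```python
# Added example: server-side machine/user state derivation and Aruba-User-Vlan
# encoding. VLAN numbers, MACs and identities below are constructed samples.
import struct
import time

ARUBA_VENDOR_ID = 14823   # Aruba enterprise number (standard RADIUS dictionary)
ARUBA_USER_VLAN = 2       # Aruba-User-Vlan sub-attribute, integer

# Constructed sample policy: VLAN per authentication state.
VLAN_BY_STATE = {"machine_only": 100, "user_only": 200, "full": 300}


class MachineAuthCache:
    """Remembers which MACs recently completed machine (host/) authentication."""

    def __init__(self, ttl_seconds=24 * 3600):
        self.ttl = ttl_seconds
        self._seen = {}  # mac -> timestamp of last successful machine auth

    def record(self, mac, now=None):
        self._seen[mac.lower()] = time.time() if now is None else now

    def is_machine_authenticated(self, mac, now=None):
        now = time.time() if now is None else now
        stamp = self._seen.get(mac.lower())
        return stamp is not None and now - stamp <= self.ttl


def derive_state(cache, mac, identity, now=None):
    """Classify one successful 802.1X request by the identity it carried."""
    if identity.startswith("host/"):            # machine account identity
        cache.record(mac, now)
        return "machine_only"
    if cache.is_machine_authenticated(mac, now):
        return "full"                           # user auth on a machine-authed device
    return "user_only"                          # user auth, no prior machine auth


def aruba_user_vlan_vsa(vlan):
    """Encode Aruba-User-Vlan as a RADIUS Vendor-Specific (type 26) attribute."""
    # sub-attribute: type(1) length(1) value(4); outer: 26, length, vendor-id(4), sub
    sub = struct.pack("!BBI", ARUBA_USER_VLAN, 6, vlan)
    return struct.pack("!BBI", 26, 6 + len(sub), ARUBA_VENDOR_ID) + sub


def vlan_for_request(cache, mac, identity, now=None):
    """Return (state, vlan) for a request; the VLAN goes into the Access-Accept."""
    state = derive_state(cache, mac, identity, now)
    return state, VLAN_BY_STATE[state]
```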