Wireless Access

MVP

vlan derivation - any solution left?

Breaking my head over this... did I finally get something I cannot solve with Aruba products?


We have a need to do machine and user authentication on an 802.1X SSID.

The problem, however, is that we need to give different VLANs to machine-only, user-only and fully authenticated clients using MS NPS.


Apparently 6.3 changed things up a bit and I can no longer return the aruba-user-vlan VSA for user-only and/or machine-only.

Also, user-role-based VLANs are not possible (anymore?).

  • Role Based VLANs from the intermediate Machine Roles “Machine Authentication: Default Machine Role” and “User Authentication: Default User Role” will not be honored. The only state where derivation of any type is honored for the client is when it passes both Machine-auth && user-dot1x auth.

So am I right in thinking Aruba no longer has a solution to give different VLANs to machine-only or user-only authenticated users? Or does anyone here have an idea how to circumvent this?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite

Re: vlan derivation - any solution left?

My only contribution is that this is possible with ClearPass because the user/machine auth piece is offloaded.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: vlan derivation - any solution left?

Unfortunately it isn't. Even with ClearPass this is no longer possible.


ClearPass is a fix for the fully authenticated clients, and for that 802.1X Authentication Default Role I can still use the role-based VLANs. It's just the intermediate machine and/or user roles for which I can no longer use role-based VLANs and/or VSAs!

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: vlan derivation - any solution left?

I have this configured with ClearPass without any issues.

Tim Cappalli | Aruba Security TME
MVP

Re: vlan derivation - any solution left?

Mmm, now that you mention it, that does seem logical, since with ClearPass you wouldn't enforce machine auth on the controller and those machine-auth and user-auth roles don't come into play.


Thanks!


Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: vlan derivation - any solution left?

Exactly. Turning off enforce machine auth adds a lot of flexibility on the ClearPass side using the built-in [User Authenticated] and [Machine Authenticated] role contexts.

Tim Cappalli | Aruba Security TME
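The following is an added illustration of the design the thread arrives at; it is not code from the thread, from ClearPass or from Aruba. When the controller does not enforce machine auth, the RADIUS server has to correlate the host/ (machine) authentication with the later user authentication itself and return a VLAN for each of the three states. The toy policy below does that with a per-MAC machine-auth cache (an assumed simplification of how a RADIUS server keeps that state), a hypothetical VLAN plan (100/200/300), and encodes the result as Aruba Vendor-Specific attributes (vendor 14823, Aruba-User-Role = 1, Aruba-User-Vlan = 2 from the Aruba RADIUS dictionary) the way an Access-Accept would carry them:

```python
"""
Toy RADIUS policy for the ClearPass-style design from this thread:
machine auth is NOT enforced on the controller, so the RADIUS server
correlates the host/ (machine) and user authentications itself and
returns a different VLAN for machine-only, user-only and fully
authenticated clients.  Constructed illustration, not ClearPass or
Aruba code.
"""
import struct
import time

# Aruba RADIUS dictionary values (vendor 14823).
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1   # Aruba-User-Role, string
ARUBA_USER_VLAN = 2   # Aruba-User-Vlan, integer

# Hypothetical VLAN plan for the three authentication states (assumption).
VLAN_PLAN = {"machine-only": 100, "user-only": 200, "full": 300}


class MachineAuthCache:
    """Remembers which client MACs completed a host/ (machine) authentication.

    Assumption: a simplified stand-in for a RADIUS server's machine-auth
    cache; entries expire after ``ttl`` seconds.
    """

    def __init__(self, ttl=24 * 3600):
        self.ttl = ttl
        self._seen = {}  # normalised MAC -> time of last machine auth

    def record(self, mac, now):
        self._seen[mac.lower()] = now

    def is_machine_authenticated(self, mac, now):
        ts = self._seen.get(mac.lower())
        return ts is not None and (now - ts) <= self.ttl


def classify(username, mac, cache, now=None):
    """Map a successful EAP identity to one of the three auth states."""
    now = time.time() if now is None else now
    if username.lower().startswith("host/"):
        cache.record(mac, now)
        return "machine-only"
    return "full" if cache.is_machine_authenticated(mac, now) else "user-only"


def encode_vsa(vendor_type, value):
    """Encode one RFC 2865 Vendor-Specific (type 26) attribute for Aruba."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body


def decode_vsas(blob):
    """Parse a run of type-26 attributes back into (vendor_type, value) pairs."""
    out = []
    pos = 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if atype != 26 or alen < 8:
            raise ValueError("not a vendor-specific attribute")
        vendor_id = struct.unpack("!I", blob[pos + 2:pos + 6])[0]
        if vendor_id != ARUBA_VENDOR_ID:
            raise ValueError("unexpected vendor %d" % vendor_id)
        vtype, vlen = blob[pos + 6], blob[pos + 7]
        raw = blob[pos + 8:pos + 6 + vlen]
        value = struct.unpack("!I", raw)[0] if vtype == ARUBA_USER_VLAN else raw.decode()
        out.append((vtype, value))
        pos += alen
    return out


def enforcement(username, mac, cache, now=None):
    """Decide the auth state and build the Aruba VSAs for an Access-Accept."""
    state = classify(username, mac, cache, now)
    vlan = VLAN_PLAN[state]
    attrs = encode_vsa(ARUBA_USER_VLAN, vlan) + encode_vsa(ARUBA_USER_ROLE, state)
    return state, vlan, attrs


if __name__ == "__main__":
    # Constructed sample: machine auth at boot, then a user logon a minute later.
    cache = MachineAuthCache()
    mac = "00:1a:2b:3c:4d:5e"
    for user, t in (("host/LAPTOP01.corp.example", 0), ("CORP\\alice", 60)):
        state, vlan, attrs = enforcement(user, mac, cache, now=t)
        print(user, state, vlan, decode_vsas(attrs))
```

The point to carry over to a real deployment is the middle branch: a user logon from a MAC with no cached machine auth lands in the user-only VLAN, which is exactly the state the controller-side machine-auth enforcement in 6.3 no longer lets you derive a VLAN for.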