Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

  • 1.  Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Feb 01, 2012 06:57 AM

    Hi, I'm trying to set up a function that redirects BYODs to a different VLAN than PCs logging into the same SSID. I have set up a user rule for BYODs, and that is working quite right. The BYODs get the correct user rule and the PCs the rule that they should have. The problem starts when I set the BYOD rule to use another VLAN than the authenticated VLAN rule. Then the BYODs fail to log in to the SSID. I have tried it the other way around, so the PCs are sent to another VLAN than the authenticated VLAN rule, and then the PC gets the correct IP address, but it is unable to reach any resources on the network. It's logged in, but does not work. The authentication type is 802.1X. Anyone have a clue what I have done wrong?



  • 2.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.
    Best Answer

    EMPLOYEE
    Posted Feb 01, 2012 06:58 AM

    @Tom.christensen@nordialog.no wrote:

    Hi, I'm trying to set up a function that redirects BYODs to a different VLAN than PCs logging into the same SSID. I have set up a user rule for BYODs, and that is working quite right. The BYODs get the correct user rule and the PCs the rule that they should have. The problem starts when I set the BYOD rule to use another VLAN than the authenticated VLAN rule. Then the BYODs fail to log in to the SSID. I have tried it the other way around, so the PCs are sent to another VLAN than the authenticated VLAN rule, and then the PC gets the correct IP address, but it is unable to reach any resources on the network. It's logged in, but does not work. The authentication type is 802.1X. Anyone have a clue what I have done wrong?


     

    For now, this only works with an "open" SSID with no encryption.  It is an open issue and will certainly take some time to fix, in my estimation.

     



  • 3.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Feb 01, 2012 07:03 AM

    Thank you, then I understand why I can't make it work.

     

    Tom C.

     



  • 4.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    EMPLOYEE
    Posted Feb 01, 2012 07:05 AM

    Sorry that is the case.  Have you tried to use "enforce machine authentication" to accomplish the same thing?



  • 5.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Feb 06, 2012 11:41 AM

    Could you potentially leverage RADIUS VSAs returned from your 802.1X-terminating RADIUS server? For example, if your PCs pass machine authentication (assuming they are domain computers), allow them to connect to the standard authenticated VLAN. If the device fails machine authentication and hence is a BYOD, then return the Aruba-User-VLAN attribute with the desired VLAN ID.

     

    Hope this helps


    Cam.

     



  • 6.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Mar 15, 2012 08:59 AM

    Does it work with a PSK environment?

    I have a similar problem. Devices connect with PSK to the wireless LAN, but the user rule stays at "logon" (the initial role).

    Is it correct to configure the "User Derivation Rule" in the AAA Profile for the specific SSID?

    What does "MAC Authentication" mean in this case?

     

     



  • 7.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    EMPLOYEE
    Posted Mar 15, 2012 09:05 AM

    @FlorianKueck wrote:

    Does it work with a PSK environment?

    I have a similar problem. Devices connect with PSK to the wireless LAN, but the user rule stays at "logon" (the initial role).

    Is it correct to configure the "User Derivation Rule" in the AAA Profile for the specific SSID?

    What does "MAC Authentication" mean in this case?

     

     


    FlorianKueck,

     

    You cannot change a VLAN using a DHCP fingerprinting user derivation rule for now.  A bug is currently open for this.

     

    You can use mac authentication to change the VLAN of a device, but that would involve you entering in all mac addresses manually so this is not practical.

     

     



  • 8.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Mar 15, 2012 09:08 AM

    ok thank you. so i will have to wait.

     



  • 9.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    EMPLOYEE
    Posted Mar 15, 2012 09:10 AM

    We will update the thread if something changes.

     



  • 10.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Mar 15, 2012 09:12 AM

    Thank you. I'll look forward to an update.



  • 11.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    EMPLOYEE
    Posted Mar 15, 2012 09:15 AM

    @Tom.christensen@nordialog.no wrote:

    Thank you. I'll look forward to an update.


    Tom,

     

    To be clear, using DHCP fingerprinting to change a user's VLAN works only with NO encryption.  It does NOT work with 802.1x or Preshared key or any other type of encryption.  It is WITH encryption that it does not work.

     



  • 12.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Mar 27, 2012 09:01 AM

    Hi,

    I found a way to solve the problem, and it is working:

    You must configure an AAA Profile with a user derivation rule. (I think that's the usual way for the device fingerprinting.)

    Then:

    Configuration => Security => Access Control

    Create a new rule with your specific firewall configuration.

    Choose the VLAN you want to assign to a client which matches this rule under "Role VLAN ID".

    You have to create one rule for each VLAN you want to assign.

    Name the rule e.g. SET VLAN 4

    Afterwards you have to configure the user derivation rule under:

    Configuration => Security => Authentication => User Rules

    Choose your specified rule, or create a new one with the DHCP device fingerprinting rules.

    You choose your matching conditions and don't change the "Set Type". It should be "Role".

    Under "Roles" you choose the role mentioned above, e.g. SET VLAN 4.

    So you should be able to derive different VLANs for different types of clients.

    I tried it and it is working fine!
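
    The workaround described in the post above (the role carries the VLAN, the user rule only sets the role) written out as ArubaOS controller CLI, together with the debug commands an employee suggests further down the thread. This is an added example from the editor, not configuration posted by anyone in the thread. The role, rule and profile names, VLAN 4 (taken from the post's "SET VLAN 4" example) and the DHCP option hex string are constructed placeholders; the command keywords are what the editor recalls from ArubaOS 6.x and should be confirmed with the controller's own "?" help before use.

```text
! Assumed ArubaOS 6.x CLI. Names, VLAN 4 and the fingerprint hex are constructed.

! 1. A role that carries the VLAN (the "Role VLAN ID" field under
!    Configuration => Security => Access Control). One role per target VLAN.
user-role SET-VLAN-4
  vlan 4
  session-acl allowall
!

! 2. User derivation rule: match the DHCP fingerprint and set the ROLE
!    (set type "Role"), not the VLAN; the VLAN then comes from the role.
!    370103060F77FC is a placeholder fingerprint, not captured from a real device.
aaa derivation-rules user BYOD-UDR
  set role condition dhcp-option equals 370103060F77FC set-value SET-VLAN-4
!

! 3. Attach the rule to the AAA profile used by the SSID.
aaa profile BYOD-PSK
  initial-role logon
  user-derivation-rules BYOD-UDR
!

! 4. Verify: raise the user process to debug level, associate the device,
!    then read the last 50 log lines and check the role/VLAN actually applied.
logging level debugging user
show log user 50
show user-table
show aaa derivation-rules user BYOD-UDR
```

    The point of step 2 is the one the post makes: the rule's set type stays "Role". Several replies in this thread report that a user rule with set type "VLAN" does not take effect on an encrypted SSID, and one employee reply says that for 802.1X the other route is to have the RADIUS server return the VLAN (the Aruba-User-VLAN VSA mentioned earlier in the thread) instead of deriving it on the controller.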



  • 13.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Oct 11, 2012 11:14 PM

    I have tried implementing a VLAN change with MAC authentication and it is still not working. I get the same error as when using DHCP fingerprinting. And yes, it works fine with open security.



  • 14.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    EMPLOYEE
    Posted Oct 12, 2012 12:36 AM

    @liericky wrote:

    I have tried implementing a VLAN change with MAC authentication and it is still not working. I get the same error as when using DHCP fingerprinting. And yes, it works fine with open security.


    Using DHCP fingerprinting to change a VLAN only works on an open SSID today.  Changing the VLAN of a device using user derivation rules or RADIUS should work, regardless of the encryption.  What rule are you using to change the VLAN of the user with MAC authentication?

     



  • 15.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Oct 12, 2012 02:58 AM

    I use WPA-Enterprise EAP-TLS.

    I cannot change VLAN using DHCP fingerprinting, as you said earlier.

    But I also cannot change VLAN with MAC, which you said should be possible.

    (Both work fine with open security.)

    With MAC authentication - user derivation - EAP-TLS, I cannot change VLAN either with a VLAN change or a role change with a different VLAN in it.

    I already told my customer that Aruba can still change VLAN with MAC auth, but now that I can't, I have to trick the VLAN change with a new role in the NPS server.

    I heard that this October Aruba is going to test the new OS; any updates on when it will be released?



  • 16.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    EMPLOYEE
    Posted Oct 12, 2012 07:43 AM

    @liericky wrote:

    I use WPA-Enterprise EAP-TLS.

    I cannot change VLAN using DHCP fingerprinting, as you said earlier.

    But I also cannot change VLAN with MAC, which you said should be possible.

    (Both work fine with open security.)

    With MAC authentication - user derivation - EAP-TLS, I cannot change VLAN either with a VLAN change or a role change with a different VLAN in it.

    I already told my customer that Aruba can still change VLAN with MAC auth, but now that I can't, I have to trick the VLAN change with a new role in the NPS server.

    I heard that this October Aruba is going to test the new OS; any updates on when it will be released?


    Turn on user debugging:

     

    config t

    logging level debug user

     

    Try to associate the user, then type "show log user 50" to see why it does not change VLAN.

     

    We can then examine it from there.  There are a number of ways to do mac authentication, in addition to the "layer 2 failthrough" parameter which will allow a device that fails mac authentication to connect.

     



  • 17.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    EMPLOYEE
    Posted Mar 27, 2012 09:07 AM
    As was mentioned before, this only works with an open SSID. It does not work with encryption.


  • 18.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Mar 27, 2012 09:13 AM

    It is working with WPA2-PSK! For sure!

    It is not working if I put the "SET TYPE" in the User Rule to "VLAN", trying to assign the VLAN at that point.



  • 19.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Mar 27, 2012 09:35 AM

    Hi, yes it works just fine as long as we are not using encryption. But in this case we have to use encryption (WPA-2 Enterprise with a Windows 2008 server).   



  • 20.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Jun 07, 2012 03:48 AM

    So... we should wait for your update, right?

    Can I receive an official note from Aruba regarding this issue?



  • 21.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    EMPLOYEE
    Posted Jun 07, 2012 06:21 AM

    If you want, you can watch this thread, and we will update it.

     

    Please note that there are other ways to accomplish this without that specific feature.

     



  • 22.  RE: Redirecting BYOD to a different VLAN using DHCP Fingerprinting.

    Posted Jul 25, 2012 03:29 AM

    Hi Colin & Co

     

    Is there an estimate on when this bug is sorted? Any progress update?

     

    Regards,

    Tommy