If we have an Aruba IAP(Instant Access Point) or any device that can tag multiple VLAN traffic and you want to authenticate that device on the Switch port either using MAC-Auth or 802.1x you can return all the tagged vlans and the untagged vlan from ClearPass.
We make use of a combination of 2 Radius attributes for this to work. The HPE-Egress-VLAN-ID(64) and also the Tunnel-Private-Group ID which is typically used to return VLANs from the Radius Server.
We have tested this with Clearpass version 6.6.9 and an Aruba-2930F running WC.16.04.0011 but this should also work with other firmware versions on the switch and CPPM as long as you are returning the attributes in the right format.
The Radius attributes we need to return for VLAN assignment are below
For tagged VLANs
||Allow egress traffic for specified VID
<tagged/untagged(0x31 or 0x32)>000<VLAN_ID (as hex)>
For Untagged VLANs
||Type of tunnel
||Tunnel transport medium
||Numeric ingress/egress VLAN ID to be assigned
Here is an example of how we arrive at a Hex value for a tagged VLAN 30 we want to return to the Switch
0x31<000><VLAN-ID in Hex> the value of 30 in Hex is 1E and we need to pad that value with another 0 making it 01E.
Finally the Hex value for a tagged VLAN 30 is 0x3100001E.
Now in ClearPass to return the HPE-Egress-VLANID attribute we need to convert the Hex value back to decimal
You can use any online tool to convert from Hex to Decimal like
and 0x3100001E converts to 822083614 in Decimal which is what we need to configure on the ClearPass.
The same attribute can be used to return multiple VLANs by sending it with appropriate values for the corresponding VLANs.
In our testing we also returned another tagged VLAN 150 which comes to
0x31<000><VLAN-ID in Hex>
Vlan 150 in Hex which is 96 padded with a leading zero 096 which comes to 0x31000096
Converting that value back to Integer gives 822083734.
In ClearPass we are configuring the HPE-Egress-VLAN-ID attribute with ID (64) in the Hewlett-Packard-Enterprise Radius Dictionary with a Vendor ID 11.
Along with tagged VLANs we are also returning the untagged VLAN of 20 using the Radius:IETF Tunnel-Private-Group-Id attribute which needs some other attributes along with it as shown below
Radius:IETF Tunnel-Type = VLAN (13)
Radius:IETF Tunnel-Private-Group-Id = <VLAN-ID>
Radius:IETF Tunnel-Medium-Type = IEEE-802 (6)
Please find the configuration snap-shot of the ClearPass enforcement below
Once this enforcement profile is configured it should return 30 and 150 as tagged VLANs and 20 as the untagged as explained above.
You can configure this is an enforcement profile for any port access authentication 802.1x or MAC-auth.
Also note that the same configuration can be replicated on other Radius servers to return tagged and untagged VLANs to the HPE switch as long as we are configuring the right attributes and values.
We can verify from the access tracker of CPPM that we are indeed returning the attributes by observing the Output tab of ClearPass as shown below
Once you return the attributes in the switch you should be able to see that the switch accepts it and assigns the appropriate VLANs by executing the command shown below
Aruba-2930F-24G-PoEP-4SFP# show port-access clients detailed
Port Access Client Status Detail
Client Base Details :
Port : 21 Authentication Type : mac-based
Client Status : authenticated Session Time : 523 seconds
Client Name : f05c19ca3cf6 Session Timeout : 0 seconds
MAC Address : f05c19-ca3cf6
IP : 10.1.20.5
Access Policy Details :
COS Map : Not Defined In Limit Kbps : Not Set
Untagged VLAN : 20 Out Limit Kbps : Not Set
Tagged VLANs : 30, 150
Port Mode : 1000FDx
RADIUS ACL List : No Radius ACL List
Captive Portal Details :