Wireless Access

In our environment we have ClearPass 6.9.5 and the Mobility Masters/Controllers are running 8.7.1.4.
For several years we have had an 802.1X wireless service on ClearPass that is using machine authentication. It's been working great.
We would like to change the configuration so the connection also does user authentication to place the user in a vlan depending on group membership in Active Directory. I worked with someone at TAC and he helped me set up the ClearPass side. Now I am having difficulty getting the controller side configured.

Here is my understanding of how it works and please correct me if I am wrong.
A laptop will machine authenticate to the WLAN and be placed into what I would call a default vlan. When the user logs in, the device would then be switched to user authentication and depending on the group membership, be placed into the vlan appropriate to that user. I understand that the role names on both ClearPass and the controllers need to match for this to work. The test laptop I am using will only machine authenticate. I am fortunate that we we have a stage environment here that I can learn on so this does not impact production.

What I can't figure out is the settings on the controller side and calling TAC is frustrating because the TAC engineers roles handle one side or the other but not both. Is there a document that explains to the configuration on both ClearPass and the controllers and uses Active Directory for authentication and authorization? 

Thank you!!!!

------------------------------
Jim Van Scoyk
------------------------------

1. You are currently doing machine authentication.

2.  You want to do user authentication where the machine is placed into a different VLAN based on group membership.

The issue, is that #1 typically occurs before #2 on bootup and when the previous user logs out.  If you do #2, you would switch the VLAN that the machine is on and possibly/probably break the login process.

Fortunately, there is nothing to be done on the Aruba side.  All ClearPass would need to do is send an enforcement profile with the Aruba-User-VLAN attribute set to whatever VLAN you want, whenever it sees a user in that Windows Group.



​When an Aruba Mobility device sees that attribute, it will override whatever VLAN and will set the device to that VLAN.

Again, please heed the warning about having one VLAN for machine authentication and then switching the VLAN upon user authentication.​​

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Sep 30, 2021 02:40 PM
From: Jim Van Scoyk
Subject: 802.1X User Roles

In our environment we have ClearPass 6.9.5 and the Mobility Masters/Controllers are running 8.7.1.4.
For several years we have had an 802.1X wireless service on ClearPass that is using machine authentication. It's been working great.
We would like to change the configuration so the connection also does user authentication to place the user in a vlan depending on group membership in Active Directory. I worked with someone at TAC and he helped me set up the ClearPass side. Now I am having difficulty getting the controller side configured.

Here is my understanding of how it works and please correct me if I am wrong.
A laptop will machine authenticate to the WLAN and be placed into what I would call a default vlan. When the user logs in, the device would then be switched to user authentication and depending on the group membership, be placed into the vlan appropriate to that user. I understand that the role names on both ClearPass and the controllers need to match for this to work. The test laptop I am using will only machine authenticate. I am fortunate that we we have a stage environment here that I can learn on so this does not impact production.

What I can't figure out is the settings on the controller side and calling TAC is frustrating because the TAC engineers roles handle one side or the other but not both. Is there a document that explains to the configuration on both ClearPass and the controllers and uses Active Directory for authentication and authorization? 

Thank you!!!!

------------------------------
Jim Van Scoyk
------------------------------

I have been able to get this working on Windows 10 machines using these documents for reference:

Airheads Community

Airheads Community		remove preview
Airheads Community Hidden page that shows all messages in a thread View this on Airheads Community >

And this:
https://community.arubanetworks.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=f583ba6d-5c63-4bc4-ae65-20d2f468972b




We use JAMF to manage Apple devices. The endpoint repository is talking to JAMF cloud and is being populated with devices that JAMF manages. We use JAMF in another wireless 802.1X service to validate the Apple Machines. So far I have been able to get this working on this new service. Does anyone have any experience with this type of configuration?

------------------------------
Jim Van Scoyk
------------------------------

Original Message:
Sent: Sep 30, 2021 07:20 PM
From: Colin Joseph
Subject: 802.1X User Roles

1. You are currently doing machine authentication.

2.  You want to do user authentication where the machine is placed into a different VLAN based on group membership.

The issue, is that #1 typically occurs before #2 on bootup and when the previous user logs out.  If you do #2, you would switch the VLAN that the machine is on and possibly/probably break the login process.

Fortunately, there is nothing to be done on the Aruba side.  All ClearPass would need to do is send an enforcement profile with the Aruba-User-VLAN attribute set to whatever VLAN you want, whenever it sees a user in that Windows Group.

​When an Aruba Mobility device sees that attribute, it will override whatever VLAN and will set the device to that VLAN.

Again, please heed the warning about having one VLAN for machine authentication and then switching the VLAN upon user authentication.​​

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 30, 2021 02:40 PM
From: Jim Van Scoyk
Subject: 802.1X User Roles

In our environment we have ClearPass 6.9.5 and the Mobility Masters/Controllers are running 8.7.1.4.
For several years we have had an 802.1X wireless service on ClearPass that is using machine authentication. It's been working great.
We would like to change the configuration so the connection also does user authentication to place the user in a vlan depending on group membership in Active Directory. I worked with someone at TAC and he helped me set up the ClearPass side. Now I am having difficulty getting the controller side configured.

Here is my understanding of how it works and please correct me if I am wrong.
A laptop will machine authenticate to the WLAN and be placed into what I would call a default vlan. When the user logs in, the device would then be switched to user authentication and depending on the group membership, be placed into the vlan appropriate to that user. I understand that the role names on both ClearPass and the controllers need to match for this to work. The test laptop I am using will only machine authenticate. I am fortunate that we we have a stage environment here that I can learn on so this does not impact production.

What I can't figure out is the settings on the controller side and calling TAC is frustrating because the TAC engineers roles handle one side or the other but not both. Is there a document that explains to the configuration on both ClearPass and the controllers and uses Active Directory for authentication and authorization? 

Thank you!!!!

------------------------------
Jim Van Scoyk
------------------------------