Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

assigned vlan within role vs vlan assignment via clearpass policy

  • 1.  assigned vlan within role vs vlan assignment via clearpass policy

    Posted Sep 09, 2021 11:02 AM
    Hi all,

    AOS 6.5 and ClearPass 6.8

    I have two ways to do something and am looking for the most appropriate. I can create an authenticated role on the controller and assign a VLAN to it. Or I can leave the VLAN out of the role and, through policy, have ClearPass pass the role and also assign a VLAN.

    Six of one? Any advantages of one option over the other?

    Thanks,
    Mike

    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------


  • 2.  RE: assigned vlan within role vs vlan assignment via clearpass policy

    Posted Sep 09, 2021 11:14 AM
    ClearPass sends back the role and the VLAN via Aruba RADIUS attributes. It is by far the most flexible solution.

    If you hardcode a VLAN to a role, that limits where you can (re)use that role, due to the hardcoded VLAN.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
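    What reply 2 describes on the wire, as an added example that is not part of the thread and not code from Aruba, HPE or ClearPass: the Access-Accept attributes a RADIUS server returns to an Aruba controller to assign a user role (Aruba-User-Role, a vendor-specific attribute under Aruba's IANA enterprise number 14823) and, optionally, a VLAN (the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple). The encoder also models the other option from the original question, a reply that carries only the role so that the VLAN comes from the role configured on the controller; the decoder then reports no VLAN. Both sides here are constructed locally; no server or controller is involved, and the role name and VLAN ID are invented sample values.

```python
"""Encode and decode the RADIUS Access-Accept attributes used for role + VLAN assignment.

Added example, not from the forum thread or from Aruba/HPE/ClearPass.
The numeric constants are IANA/RFC registered values; the sample role
"student" and VLAN 101 are constructed for illustration.
"""
import struct
from typing import Optional

ARUBA_VENDOR_ID = 14823            # IANA enterprise number for Aruba Networks
ARUBA_USER_ROLE = 1                # Aruba-User-Role VSA (string)
ARUBA_USER_VLAN = 2                # Aruba-User-Vlan VSA (integer)
VENDOR_SPECIFIC = 26               # RFC 2865 Vendor-Specific attribute
TUNNEL_TYPE = 64                   # RFC 2868
TUNNEL_MEDIUM_TYPE = 65            # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81       # RFC 2868, carries the VLAN ID
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(attr_type: int, value: bytes) -> bytes:
    """Plain RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _aruba_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapping one Aruba sub-attribute (RFC 2865 section 5.26)."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return _avp(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)


def _tunnel_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer tunnel attribute: one tag byte plus a 3-byte value (RFC 2868)."""
    return _avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def build_accept_attrs(role: str, vlan: Optional[int] = None) -> bytes:
    """Attribute payload of an Access-Accept that assigns a role and, optionally, a VLAN.

    vlan=None models the "VLAN hardcoded in the role" option: the reply says
    nothing about VLANs and the controller uses whatever the role configures.
    """
    attrs = _aruba_vsa(ARUBA_USER_ROLE, role.encode())
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN id out of range")
        attrs += _tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
        attrs += _tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
        # Tunnel-Private-Group-ID is a tagged string; tag byte 0x00 means "untagged".
        attrs += _avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode())
    return attrs


def parse_accept_attrs(data: bytes) -> dict:
    """Walk the attribute list and return {'role': str|None, 'vlan': int|str|None}."""
    result = {"role": None, "vlan": None}
    tunnel = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id == ARUBA_VENDOR_ID:
                vtype, vlen = value[4], value[5]
                vvalue = value[6:4 + vlen]
                if vtype == ARUBA_USER_ROLE:
                    result["role"] = vvalue.decode()
                elif vtype == ARUBA_USER_VLAN and len(vvalue) == 4:
                    result["vlan"] = struct.unpack("!I", vvalue)[0]
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnel[attr_type] = int.from_bytes(value[1:], "big")   # skip the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # Bytes 0x00-0x1F in the first position are a tag, not data (RFC 2868 section 3.6).
            tunnel[attr_type] = value[1:] if value and value[0] <= 0x1F else value
        i += length
    # Only honour the group ID when the accompanying Tunnel-Type/Medium say "VLAN over 802".
    if (tunnel.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and tunnel.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
            and TUNNEL_PRIVATE_GROUP_ID in tunnel):
        gid = tunnel[TUNNEL_PRIVATE_GROUP_ID].decode()
        # Numeric IDs become ints; anything else is returned as a string for the caller to resolve.
        result["vlan"] = int(gid) if gid.isdigit() else gid
    return result


if __name__ == "__main__":
    print(parse_accept_attrs(build_accept_attrs("student", 101)))   # role + VLAN from policy
    print(parse_accept_attrs(build_accept_attrs("student")))        # role only, VLAN left to the role
```

    The decoder refuses to act on a Tunnel-Private-Group-ID unless Tunnel-Type and Tunnel-Medium-Type agree that it names a VLAN, and it strips the optional tag byte so a tagged and an untagged reply decode to the same VLAN. Which value wins when the role on the controller also carries a VLAN is the thread's open question and is not something this example can answer.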



  • 3.  RE: assigned vlan within role vs vlan assignment via clearpass policy

    Posted Sep 09, 2021 11:15 AM
    If the role is universal, it is probably best to assign the VLAN within the role. In some instances, we might re-use a role but assign different VLANs based on other criteria, such as geographical/physical location.

    --





  • 4.  RE: assigned vlan within role vs vlan assignment via clearpass policy

    Posted Sep 10, 2021 07:27 AM
    We decided to assign a VLAN to the role but use a named VLAN pool. That gives us the flexibility of using different VLAN IDs per controller if necessary.

    I also believe it is not recommended to use the authenticated role. Create a role more descriptive & granular if possible.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 5.  RE: assigned vlan within role vs vlan assignment via clearpass policy

    Posted Sep 09, 2021 01:07 PM
    Thanks for the replies. I should have mentioned that this is a very unique role and a dedicated VLAN. No re-use of either (don't we always say that?!). What I'm hearing is that in this case it may be personal choice. Of course, if the role is to be reused elsewhere it's best to let CPPM policy handle VLAN assignment.

    I'm leaving the VLAN field blank in the role and letting CPPM assign the role + VLAN via policy. This is how I originally had it but had wondered about it.

    Bonus question: Which takes precedence if the role were configured for a VLAN and CPPM policy assigns a different VLAN? Mostly curious, not wishing to try this!

    Thanks again!

    Mike

    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------



  • 6.  RE: assigned vlan within role vs vlan assignment via clearpass policy

    Posted Sep 09, 2021 01:12 PM
    Configure it and let us know. Not having a VLAN hardcoded to a role creates fewer issues down the road.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: assigned vlan within role vs vlan assignment via clearpass policy

    Posted Sep 09, 2021 01:32 PM
    On the bonus question, I can honestly say we have never tried it and wouldn't venture to guess. If you wind up finding out, let us know.

    --





  • 8.  RE: assigned vlan within role vs vlan assignment via clearpass policy

    Posted Sep 10, 2021 10:10 AM
    Thanks. I'll try to test that if I get a chance. We dropped this role into production so I'll have to start new. We have many granular and specific authenticated roles!

    ------------------------------
    Michael Dickson
    Network Engineer
    University of Massachusetts Amherst
    ------------------------------



  • 9.  RE: assigned vlan within role vs vlan assignment via clearpass policy

    Posted Sep 10, 2021 10:17 AM
    One other trick I found useful: if I create a policy (ACL) that is for one particular role, I name it "role-" followed by the role name. That makes policy management much easier.

    For example, we have a couple of guest roles:
    guest-limited is bandwidth restricted.
    guest-full has no bandwidth restriction.

    Both use the policy role-guest-limited. (Most of our guests are bandwidth limited.)

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------