Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

AOS 8.5 and CPPM Downloadable user Roles -- VLAN Not applying

  • 1.  AOS 8.5 and CPPM Downloadable user Roles -- VLAN Not applying

    Posted Mar 26, 2020 04:18 PM

    Hello All,

    Having an issue with downloadable user roles and the VLAN not being applied.

    In Clearpass I created a downloadable user role for a mobility controller, created the ACLs, and am trying to assign a specific VLAN-Pool. It seems everything takes, except for the VLAN.

    After the user authenticates, I can tell the user-role was successfully downloaded by doing a show user mac <mac>, and a show rights downloaded-user-roles, they both show up there with the correct information.

    Even if I do a show rights <downloaded user-role name> it shows the correct VLAN there. The issue is that if I do a show user <mac> I see this:

    VLAN Derivation: Default VLAN


    Then the user gets the VLAN assigned to the VAP, which is not what I want.

    I've tried changing the VLAN information in the DUR to a single VLAN-ID, and that doesn't work either. Is there some trick to getting the VLAN part to work? (CPPM 6.8.4 and AOS 8.5.0.4)

    Thanks,



  • 2.  RE: AOS 8.5 and CPPM Downloadable user Roles -- VLAN Not applying

    Posted Mar 26, 2020 08:08 PM

    You can always send back a VLAN assignment as a separate enforcement profile. I believe it is in the IETF RADIUS dictionary.



  • 3.  RE: AOS 8.5 and CPPM Downloadable user Roles -- VLAN Not applying
    Best Answer

    Posted Mar 27, 2020 04:51 AM

    As far as I know, for controllers the VLAN assignment through the role is deprecated as it doesn't work under all circumstances. Can you try (as suggested by the previous answer) returning the role and VLAN in separate attributes? For VLAN you can use the Aruba-User-VLAN attribute or the standard VLAN enforcement with IETF attributes. I personally prefer the Aruba-User-VLAN attribute as it is a single line and better describes what it does.


    To avoid confusion: with ArubaOS Switches in role-based mode, the VLAN has to be in the role definition, as the switch will reject a role and VLAN sent in separate attributes.


    ArubaOS (controller/IAP): Send Aruba-User-Role (or the downloadable equivalent) and Aruba-User-VLAN in separate attributes.

    ArubaOS Switch: Send just a user-role (or DUR) which includes the VLAN.



  • 4.  RE: AOS 8.5 and CPPM Downloadable user Roles -- VLAN Not applying

    Posted Mar 27, 2020 08:27 AM

    Thanks Herman,

    I am able to return the VLAN via the user-vlan attribute and that works as expected.

    I was attempting to use the standard mode of configuration, that way if I needed to update an ACL, it would update all the profiles that referenced that ACL. So I'd have to create additional enforcement profiles to send that attribute, which works, but isn't as clean as I would have liked.

    Again, thank you both for your insight. I can stop banging my head against the wall now.




  • 5.  RE: AOS 8.5 and CPPM Downloadable user Roles -- VLAN Not applying

    Posted Mar 27, 2020 12:11 PM

    Keep in mind that "Aruba-User-Vlan" only takes integer values for the VLAN number. If you want to use a named VLAN, use "Aruba-Named-User-Vlan". The IETF VLAN enforcement will accept either number or name.
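Added example, not from the thread or from Aruba/ClearPass: a small Python encoder that builds the RADIUS reply attributes the thread converges on, choosing Aruba-User-Vlan for a numeric VLAN, Aruba-Named-User-Vlan for a named one, or the IETF tunnel attributes (which accept either), and refusing to send role and VLAN separately for the switch case. Attribute numbers come from RFC 2865/2868 and the Aruba RADIUS dictionary (vendor 14823; User-Role 1, User-Vlan 2, Named-User-Vlan 9); the platform labels "controller" and "switch" are hypothetical names used only here.

```python
import struct

# Attribute numbers from RFC 2865/2868 and the Aruba RADIUS dictionary.
VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1         # string: role name (controller/IAP)
ARUBA_USER_VLAN = 2         # integer: VLAN number only
ARUBA_NAMED_USER_VLAN = 9   # string: VLAN name
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def radius_attr(code: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def aruba_vsa(sub_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute carrying one Aruba sub-attribute."""
    sub = struct.pack("!BB", sub_type, len(value) + 2) + value
    return radius_attr(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)


def vlan_attrs(vlan, ietf: bool = False) -> list:
    """Choose the VLAN attribute(s): Aruba VSA (number vs. name) or IETF tunnel set."""
    if ietf:  # RFC 2868 tagged attributes; tag octet 0 = untagged, value is 3 bytes
        tag = b"\x00"
        return [
            ("Tunnel-Type", radius_attr(TUNNEL_TYPE, tag + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])),
            ("Tunnel-Medium-Type", radius_attr(TUNNEL_MEDIUM_TYPE, tag + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])),
            ("Tunnel-Private-Group-ID", radius_attr(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan).encode())),
        ]
    if isinstance(vlan, int):  # Aruba-User-Vlan only takes a VLAN number
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN number out of range")
        return [("Aruba-User-Vlan", aruba_vsa(ARUBA_USER_VLAN, struct.pack("!I", vlan)))]
    return [("Aruba-Named-User-Vlan", aruba_vsa(ARUBA_NAMED_USER_VLAN, str(vlan).encode()))]


def reply_attributes(platform: str, role: str, vlan=None, ietf: bool = False) -> list:
    """Access-Accept attributes as (name, encoded bytes) for the hypothetical platform label."""
    attrs = [("Aruba-User-Role", aruba_vsa(ARUBA_USER_ROLE, role.encode()))]
    if platform == "switch":  # ArubaOS Switch: VLAN lives inside the role/DUR, never separate
        if vlan is not None:
            raise ValueError("ArubaOS Switch rejects a role and VLAN sent as separate attributes")
        return attrs
    if platform == "controller" and vlan is not None:  # controller/IAP: separate attributes
        attrs += vlan_attrs(vlan, ietf)
    return attrs
```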