Hello All,

Having an issue with downloadable user roles and the VLAN not being applied.

In ClearPass I created a downloadable user role for a mobility controller, created the ACLs, and am trying to assign a specific VLAN pool. It seems everything takes, except for the VLAN.

After the user authenticates, I can tell the user role was successfully downloaded by doing a show user mac <mac> and a show rights downloaded-user-roles; they both show up there with the correct information. Even if I do a show rights <downloaded user-role name> it shows the correct VLAN there. The issue is that if I do a show user <mac> I see this:

VLAN Derivation: Default VLAN

Then the user gets the VLAN assigned to the VAP, which is not what I want. I've tried changing the VLAN information in the DUR to a single VLAN ID, and that doesn't work either. Is there some trick to getting the VLAN part to work? (CPPM 6.8.4 and AOS 22.214.171.124)

Thanks,
You can always send back a VLAN assignment as a separate enforcement profile. I believe it is in the IETF RADIUS dictionary.
As far as I know, for controllers the VLAN assignment through the role is deprecated, as it doesn't work under all circumstances. Can you try (as suggested by the previous answer) returning the role and VLAN in separate attributes? For the VLAN you can use the Aruba-User-VLAN attribute or the standard VLAN enforcement with IETF attributes. I personally prefer the Aruba-User-VLAN attribute, as it is a single line and better describes what it does.
To avoid confusion: with ArubaOS Switches in role-based mode, the VLAN has to be in the role definition, as the switch will reject a role and VLAN sent in separate attributes.
ArubaOS (controller/IAP): Send Aruba-User-Role (or the downloadable equivalent) and Aruba-User-VLAN in separate attributes.
ArubaOS Switch: Send just a user-role (or DUR) which includes the VLAN.
Thanks Herman,

I am able to return the VLAN via the user-vlan attribute and that works as expected.

I was attempting to use the standard mode of configuration, that way if I needed to update an ACL, it would update all the profiles that referenced that ACL. So I'd have to create additional enforcement profiles to send that attribute, which works, but isn't as clean as I would have liked.

Again thank you both for your insight, I can stop banging my head against the wall now.
Keep in mind that "Aruba-User-Vlan" only takes integer values for the VLAN number. If you want to use a named VLAN, use "Aruba-Named-User-Vlan". The IETF VLAN enforcement will accept either number or name.
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.