Wireless Access

last person joined: an hour ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Version 6 question

Jump to Best Answer
  • 1.  Version 6 question

    Posted Feb 14, 2020 04:14 AM

    Hi all,

     

    My company still uses version 6 on its controllers. We’re looking to migrate of course to version 8 - but this will need some planning. 

    in the mean time; I have tunnelled mode on my switches (3810) tunnelling traffic to the controller. 

    I want to make multiple user roles on the controller that receives this tunnelled traffic. So I have one already that handles traffic a certain way, but I want to add hundreds more user roles where I can identify traffic by it’s source MAC address; then Clearpass tells that traffic on the controller to be in a different VLAN. Plan being to physically connect a new link from my controllers to a firewall and force the traffic that way. 

    I'm thinking keep the layer 3 information on the firewall and tunnel everything to the controller and present it as layer 2 ... so we can control that traffic tightly for onward routing. 

    There will be lots of new user roles to handle new devices that we can only identify by MAC address. Need to lock down this traffic with our controllers and firewall. 

    Hopefully that makes sense? Not sure if the above is only possible with version 8?

     

    thanks 



  • 2.  RE: Version 6 question

    Posted Feb 14, 2020 09:15 AM

    Yes, you will still have that functionality in version 8. Whether you perform MAC-Auth against RADIUS, or you set up some Server-Derived rules on the controller, you should be able to assign roles based on MAC.



  • 3.  RE: Version 6 question

    Posted Feb 14, 2020 09:52 AM

    Great - thanks

     

    is it something I can expand on in current version 6? I only have one role for current tunnelled node users at present ... I really want to make a new role that puts them in a new VLAN on the controller ... I can then add a physical cable to a firewall and make the cable a member of this new VLAN. So essentially I want hundreds of new roles on this new physical connection, to then let the firewall handle the traffic. Literally get the controller to talk on a new physical link with lots of user roles (defined by MAC address) within this new physical connection?

     

    thanks 



  • 4.  RE: Version 6 question

    Posted Feb 14, 2020 03:09 PM

    Yes, you can tie a VLAN or a Pool of VLANS to a user role. Is there a reason why each device will have to have its own role? Is there something that's going to be specific to each device?



  • 5.  RE: Version 6 question

    Posted Feb 14, 2020 04:16 PM

    Yes I wanted to get a role and identify those users by MAC address. It’s for different departments and some IOT type devices. I need each department to get its own subnet basically. So each one would have its own /24 subnet. I need to have them on individual subnets so it’s easy to handle all the roles and rules from the firewall as to where they can go. 

    We have a large campus with hundreds of switches to trying to centralise the admin for this task. 

    tunnelled mode with multiple user roles and new VLANs to a separate firewall seem like the best way to isolate all this traffic?



  • 6.  RE: Version 6 question
    Best Answer

    Posted Feb 14, 2020 10:47 PM

    I would have to agree. Sounds like a good plan.