Wireless Access

  • 1.  Radius COA

    Posted Oct 16, 2013 05:34 PM
    Does anyone have documents on different COA requests that are supported by aruba controller. We have CPPM 6.2 and have the default ones.


  • 2.  RE: Radius COA

    Posted Oct 16, 2013 05:45 PM
    @sdr53 wrote:
    Does anyone have documents on different COA requests that are supported by aruba controller. We have CPPM 6.2 and have the default ones.

    Aruba Supports RFC 3576 COA.  On the Aruba Controller, you just set the RFC 3576 profile and attach it to a AAA profile.  On CPPM you enable the checkmark next to "Enable RADIUS CoA" on the controller's network device definition and it will work.

     

    What are you trying to do?



  • 3.  RE: Radius COA

    Posted Oct 16, 2013 09:34 PM

    Specifically I am trying to move clients to a different VLAN. I can terminate them but its not working the way I want. The Clients terminate and I can see the Radius request but the client keeps its Original IP address in the new VLAN.  since the client does not have a valid ip address the client is dead in the water. I know I can use roles and I am doing some roles but i still have a need to move clients to/from a DMZ vlan.

     

    Thanks,

     

     



  • 4.  RE: Radius COA

    Posted Oct 16, 2013 09:36 PM
    @sdr53 wrote:

    Specifically I am trying to move clients to a different VLAN. I can terminate them but its not working the way I want. The Clients terminate and I can see the Radius request but the client keeps its Original IP address in the new VLAN.  since the client does not have a valid ip address the client is dead in the water. I know I can use roles and I am doing some roles but i still have a need to move clients to/from a DMZ vlan.

     

    Thanks,

     

     

    What is the exact circumstance?  What encryption are you using?  Have these clients ALREADY authenticated and you are trying to move them?  If you are using 802.1x, clients get an ip address AFTER they authenticate, so you have the opportunity to put them into the correct VLAN, instead of moving them.

     

    Again, what is your use case?

     



  • 5.  RE: Radius COA

    Posted Oct 16, 2013 09:58 PM

    Sorry,   Open Security with Mac-Filtering and Web-Auth as a failback.   once webauth correcrly mac-cache the client and place them in a different vlan. basically we have guests who get internet and then we have contractors that we place in a different vlan so they can access the correct network resources. Guests and Contracotrs use a different DNS servers. 



  • 6.  RE: Radius COA

    Posted Oct 16, 2013 10:13 PM
    @sdr53 wrote:

    Sorry,   Open Security with Mac-Filtering and Web-Auth as a failback.   once webauth correcrly mac-cache the client and place them in a different vlan. basically we have guests who get internet and then we have contractors that we place in a different vlan so they can access the correct network resources. Guests and Contracotrs use a different DNS servers. 

    Okay.  Let us walk through this:

     

    - Guests need regular guest access

    - Contractors need to be able to be on a different subnet that allows them differentiated access.

     

    Questions:

     

    - Do the contractors have usernames or passwords that are pre-assigned?  If so, who assigns them?

    - Are they kept in a different database than guests?

    - Is the fact that the Contractors are using an Open SSID that can be sniffed problematic from a security perspective?

    - Are you already doing 802.1x on your network?

     

     

    The reason why I am asking these questions, is because COA will not force a client on an Open SSID to reacquire DHCP to get on the new VLAN.

     



  • 7.  RE: Radius COA

    Posted Oct 16, 2013 10:22 PM

    Okay.  Let us walk through this:

     

    - Guests need regular guest access, yes

    - Contractors need to be able to be on a different subnet that allows them differentiated access. yes

     

    Questions:

     

    - Do the contractors have usernames or passwords that are pre-assigned?  If so, who assigns them?

    We Place them in AD and Place them in a Group that allows them to login using the Guest network Via Clearpass Guest and assigns them to a role that places them into a contractors vlan.

     

    - Are they kept in a different database than guests?

    We add frequent guests to our AD but also use Clearpass Guest to Register and authenticate.

     

    - Is the fact that the Contractors are using an Open SSID that can be sniffed problematic from a security perspective?

    no not at this time its better that we can make them login and agree to terms and conditions

    - Are you already doing 802.1x on your network? 

    We we have another 802.1x that is working the way we want it too. But we can force web authentication every day. We are using insight to determine the last time they logged in.

     



  • 8.  RE: Radius COA
    Best Answer

    Posted Oct 16, 2013 10:39 PM

    Okay.

     

    There is one way that you can get captive portal clients to switch VLANs:

     

     You would need to have a initial guest VLAN that gives users DHCP leases that last between 15 to 30 seconds.  After the Contractor or Guest authenticates via Captive Portal, the device's post-authentication Aruba role will have a VLAN hardcoded into it.  What should happen is that after a user authenticates successfully, after a few seconds, their client will request a new ip address at half of the lease time as per the RFC, and that will allow them to get an ip address on the new VLAN they were switched to.

     

    So you will need an initial "holding" VLAN that has very short leases, one VLAN for your Guests and of course the VLAN for your contractors.  You will also need to configure the roles, with VLANs hardcoded on the Aruba Controller.  You also need CPPM to send back an enforcement profile that switches Guests to the guest role and Contractors to the Contractor role upon successful login.

     

    Does that make sense?

     



  • 9.  RE: Radius COA

    Posted Oct 17, 2013 12:07 AM
    Yes I does thanks