Currently we have about 60 AP's located in 9 locations and two 3600 controllers (one master, one local) located in our main location. We use Clearpass for guest portal and auhtentication. This is working great. I'ts easy to let a client from some location go into a specific vlan configured in our main office.
Is it also possible to tunnel wired clients to the vlan's configured on the controller(s)? We do have 802.1x enabled switches on the locations. And our other locations are connected through a MPLS network with our main location.
Is this somehow possible? I think that the benefit is that all vlans are centrally managed and that we probably can apply authentication for our wired clients on all locations just as we do for our wireless clients, is this correct? Or are there any other (better) solutions? Or is it just a bad idea?
Any help is appriciated.
This is a good idea. Just change one of your wired interfaces to untrusted and change the wired access "default" profile to your prefered CP prof. Then you create your "own" unauthenticated vlan on all your sites with the def GW \ route to your Layer 3 aruba controller. or unauthenticated.. or whatever. Then you get CP and guest self registration on your MPLS extented network. Configure your switches against the Clearpass.
Let me know if you want command specific.
Thank you for your reply.
So a wired interface at the controller needs to be used for this? At the moment all (4) wired interfaces are used in 1 port channel and this is setup as trunk with all vlans, so one needs to removed from the port channel and use as seperate port? And then in the setting for the port something needs to be changed to untrusted? I need to disable the "Make Port Trusted" option in the port setting?
And then this port needs to be in a seperate vlan, which will be the network when someone is not authenticated? This isn't possible to do just with the existing port channel through a new vlan?
Is there some best practice / documentation somewhere on how to configure this? I can try a test setup with a HP Procurve switch, but i don't want to have impact for the current environment.
ok. so theres different ways to accomplish this. Wrote this last night and obviously had too much red wine :)How many users are supposed to be on each site?If theres a limited amount of users i would use a RAP\ AP on each site with a interface in the vlan configured for the "unauthenticated" vlan of your network on that site. Then the RAP\AP is the Default GW with a AAA profile on the wired profile running a tunneled node.The VLAN on that site would then get a CP on the unuthenticated part of your network. When authenticated you could push the data where you want it to go.See the attachment. Im on my linux box right now so sorry for the **bleep** drawing.
Dont know if the site is small enough to do it this way. But it would work. And it would be cheap :)
Let me know if you need help with the config. Il put together the "configuration" for you.
Thank you for the reply.
The locations have different user numbers, but the wired computer connections that are candidate for this are between 10 and 100, depending on the size of the location.
Okay, so you tunnel through an AP. I'm not sure if that's a good one for us, we currently only have AP-104/AP-105 and they have one LAN port, the other thing is, is that they are located throughout the locations, so probarly not realy usable for this task.
So if i understand you, we need an AP to setup the tunnel , maybe another model specialy for this task? Or we can setup vpn from another device between the locations through the MPLS networks and have vlans over vpn, this has more impact offcourse.
ok. If there is 10 users you could use a rap with multiple interfaces. Agree, theres too many users to use a RAP \ AP. Setup vlans over the MPLS instead.
The tunneling of that VLAN is then your best bet. Setup a new vlan in the aruba controller and stup IPhelper for that vlan. Remove a interface from your port-channel and set that interface to to access \ trunk in your new "wired-guest" vlan.
Change your default wired access AAA profile under Configuration > Advanced services > Wired Access to a Captive portal AAA profile. Then set your pdort untrusted. i hope you dont have any other interfaces untrusted? :)
The Aruba controller should be default GW. All your traffic will go over your MPLS :( but it would work.
Hope the information helps and let me know how it works out. :)
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.