I am new in CPPM, so please help me on this.
i have a Aruba controller, & a CPPM,
Now i want to create users in cppm's internal DB, and assign them to different vlan but using
Means one SSID is there [ CORP ], and if sales person connect to it, the he/she will get a vlan. And if technical person connect to it then he/ she will get different vlan.
how can i do this ?
kindly tell me what things will be required..
First create the roles you need , Sales , IT , etc..
Then add the new users to the local db and assign the roles to each user
Then create an enforcement profile with the VLANs you are planning to send to the controller based on the TIPS ROLE condition wheter is Sales or IT
And finally in your policy use the TIPS ROLE condition to send the VLAN assignment
Thank you victor....
Now i understand, and also its working.
thank you again, you are a great man.
Why would you put 2500 users into 1000 different VLANS?
I know this threat is old, but I have the same requirements to do and your sample is correct. I jus would like to know what services can I use in this case and also what changes needs to be done on the controller side.
Hi, not simple but very effective. In clearpass side basically two services (mac authenticaton and 802.1x windows) and CoA action. The tip is the action sequence:
1- user connect to ssid, is marked as unknown so a captive portal is displayed (I used my own captive from a ftp server, not clearpass one).
2- user connects with user y password under the captive (local clearpass users on this case).
3- Controller assign vlan defined to this web authentication SSID
4- CoA action to force user authenticate again
5- automatically user connects again and is marked as KNOWn. Vlan configured for the user (as atribute in clearpass) can be assigned secure in layer 2.
*Users must exist as local on clearpass and have Vlan as attribute, but I´m sure t can be done from AD, LDAP.
¿What about Controller side? (cisco on this case)
- Global confi: add the clearpass as a radius (authentication and accounting)
- It must be maped to a Interface Group instead interface (group of vlans)
-under security tab:
layer2, enable MAC Filtering.
layer 3 , enable On MAC Filter failure, configure a preauthentication ACL,Override Global Config, Web Auth type redirect to external server (add https://whateverURL),
AAA Servers: add clearpass IP for authent and accounting
ACL parameters it depends, restrict all you can but permit DNS and UDP to the clearpass (and the captive portal IP).
Before going crazy...CoA delay default values don´t use to achieve goals, probably you will have to test a lot to find the correct.
@thenatural33wrote:Hi All, I know this threat is old, but I have the same requirements to do and your sample is correct. I jus would like to know what services can I use in this case and also what changes needs to be done on the controller side.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.