So how are they authenticating when it’s not working? What do your ClearPass logs show? Does the role specify a VLAN? What VLAN is not working? What role is sent when the user is a “domain user”? Need some more information here.
Original Message:
Sent: 5/15/2023 9:48:00 AM
From: erik.boss
Subject: RE: 30 sites: One SSID, one vlan global, now one site one SSID two vlans
Now if the user is a domain user, the user can connect. I'm responding with a role, and the role pushes the user / device to a VLAN.
For this particular site, looking for the AP name.
The whole customer is standardized.
Same configuration on all sites (VLAN ID, VLAN names, standard ClearPass roles etc., complete IP plan).
I have to extend the ClearPass configuration to get this change done.
What is your suggestion, ahollifield?
Original Message:
Sent: May 15, 2023 09:36 AM
From: ahollifield
Subject: 30 sites: One SSID, one vlan global, now one site one SSID two vlans
What attributes are you responding with from ClearPass? Are you responding with a role or VLAN ID/name? Both?
This network REALLY sounds like it could use a re-design. Aruba Central for management, single SSID across sites, standardized VLAN IDs, and standardized ClearPass policies that rely on roles.
Original Message:
Sent: May 15, 2023 08:48 AM
From: erik.boss
Subject: 30 sites: One SSID, one vlan global, now one site one SSID two vlans
Hello,
We have a customer with around 30 global sites with many SSIDs, with ClearPass running as a RADIUS server.
Wireless clusters are all Aruba Instant.
Now on one SSID, there is one site running out of IP addresses in that VLAN. The DHCP server is a Windows server.
We added a new VLAN and subnet, tagged on the ports.
Now I'm able to get users on the old or the new VLAN, not both.
How do I get this implemented in ClearPass?
I added a condition to look for the AP name. This works; now all clients receive only an IP address in the new VLAN.
Could this be done with Aruba RADIUS attributes?
I cannot find the correct solution.