Security

 View Only
  • 1.  30 sites: One SSID, one vlan global, now one site one SSID two vlans

    Posted May 15, 2023 08:48 AM

    Hello,

    we have a customer with around 30 global sites with many SSID's with ClearPass running as a radius server.
    Wireless clusters are all Aruba Instant.

    Now on one SSID, there is one site running out of IP-addresses in that vlan. DHCP server is a Windows server.
    We added a new vlan and subnet, tagged on the ports.
    Now I'm able to get users on the old or the new vlan, not both.

    How do I get this implemented in ClearPass?
    I added a condition to look for the AP name. This works, now all clients receive only an IP-address in the new vlan.

    Could this be done with Aruba Radius attributes?
    I cannot find the correct solution.



  • 2.  RE: 30 sites: One SSID, one vlan global, now one site one SSID two vlans

    Posted May 15, 2023 09:36 AM

    What attributes are you responding with from ClearPass?  Are you responding with a role or VLAN ID/name?  Both?  

    This network REALLY sounds like it could use a re-design.  Aruba Central for management, single SSID across sites, standardized VLAN IDs, and standardized ClearPass policies that rely on roles.




  • 3.  RE: 30 sites: One SSID, one vlan global, now one site one SSID two vlans

    Posted May 15, 2023 09:48 AM

    Now if the user is a domain user, user can connect. I'm responding with a role and the role pushes the user / device to a vlan.

    For this particular site, looking for the AP name.

    The whole customer is standardized.
    same configuration on all sites (vlan id, vlan names, standard clearpass roles etc, complete IP-plan)

    I have to extend the clearpass configuration to get this change done.

    What is your suggestion Ahollifiled?




  • 4.  RE: 30 sites: One SSID, one vlan global, now one site one SSID two vlans

    Posted May 15, 2023 10:21 AM
    So how are they authenticating when it’s not working? What do your ClearPass logs show? Does the role specify a VLAN? What VLAN is not working? What role is sent when the user is a “domain user”? Need some more information here.




  • 5.  RE: 30 sites: One SSID, one vlan global, now one site one SSID two vlans

    Posted May 15, 2023 10:34 AM

    Have ClearPass send back a VLAN name rather than VLAN ID. On the Instant VCs, define what VLAN IDs map to the VLAN Name.
    VLAN "User VLAN" = VLAN 30,40

    That way the policy in ClearPass is standardized, but the "variables" are at the site-level.




    ------------------------------
    ACNSP | ACCP | ACMP | ACEP
    ------------------------------



  • 6.  RE: 30 sites: One SSID, one vlan global, now one site one SSID two vlans

    Posted May 15, 2023 10:38 AM

    Thanks, I'll try