Hello, we have a customer with around 30 global sites with many SSIDs, with ClearPass running as a RADIUS server. Wireless clusters are all Aruba Instant. Now on one SSID, there is one site running out of IP addresses in that VLAN. DHCP server is a Windows server. We added a new VLAN and subnet, tagged on the ports. Now I'm able to get users on the old or the new VLAN, not both. How do I get this implemented in ClearPass? I added a condition to look for the AP name. This works, now all clients receive only an IP address in the new VLAN. Could this be done with Aruba RADIUS attributes? I cannot find the correct solution.
What attributes are you responding with from ClearPass? Are you responding with a role or VLAN ID/name? Both? This network REALLY sounds like it could use a re-design. Aruba Central for management, single SSID across sites, standardized VLAN IDs, and standardized ClearPass policies that rely on roles.
Now if the user is a domain user, the user can connect. I'm responding with a role and the role pushes the user / device to a VLAN. For this particular site, looking for the AP name. The whole customer is standardized. Same configuration on all sites (VLAN ID, VLAN names, standard ClearPass roles etc., complete IP plan). I have to extend the ClearPass configuration to get this change done. What is your suggestion Ahollifiled?
Have ClearPass send back a VLAN name rather than VLAN ID. On the Instant VCs, define what VLAN IDs map to the VLAN Name. VLAN "User VLAN" = VLAN 30,40. That way the policy in ClearPass is standardized, but the "variables" are at the site-level.
Thanks, I'll try
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.