Security

 View Only
  • 1.  Aruba IAP - dot1x tagged / untagged vlan

    Posted Jul 05, 2024 10:58 AM

    Hello together,

    I need an advice how to approach this the best practice way.

    I have the following sceneraio.

    We ar currently implementing NAC for our network.

    I've configured aaa dot1x on out CX switch and recieve policies for our clients. (which vlan is assigned and so on)

    Now I want to do the same with our WiFi.

    I want the AccessPoint to authenticate on the switch like the clients and the clients authenticate over the AccessPoint.

    I wanted to use auth-mode device-mode for this case. So far so good.

    But we use different VLANs for our users and I need to assign tagged vlans to an authenticated AccessPoint.

    Currently I can't find the correct RADIUS Attributes or VSAs for this. I'm only able to assign one untagged vlan for the AccessPoint, but the Clients get a different VLAN in the SSID.

    Do you know how to solve this. We are currently using Microsoft NPS as RADIUS solution (maybe ClearPass in the future).

    If someone has an advice for me, it would be great. :)

    Thanks alot in advance.

    Best Regards

    Chris



  • 2.  RE: Aruba IAP - dot1x tagged / untagged vlan

    Posted Jul 05, 2024 11:32 AM

    Hi Chris

    I have never configured this on CX without ClearPass and Downloadable User Roles. But I found this:

    https://www.arubanetworks.com/techdocs/AOS-S/16.10/ASG/KB/content/asg%20kb/tag-untag-vla-att.htm

    Maybe it can guide you.

    The link below is for AOS switches, if someone needs the informaiton on this switch family:

    https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=98535679-1bba-4952-9e00-cffd2638487d&CommunityKey=2fd943a6-8898-4dbe-915f-4f09e4d3c317&tab=librarydocuments



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Aruba IAP - dot1x tagged / untagged vlan

    Posted Jul 08, 2024 03:17 AM

    Hi Jonas,

    thanks alot for your response. I will test it and send a feedback in this thread. :)

    Best Regards

    Chris




  • 4.  RE: Aruba IAP - dot1x tagged / untagged vlan

    Posted Jul 08, 2024 05:17 AM

    Couldn't get it really to work. I used local user roles instead now. This works fine for me.

    The NPS is now just sending the VSA and the switch assigns the role to the port.

    Thanks again for your time.

    VSA config in NPS:

    Vendor Code: 14823

    Attribute Number: 1

    Format: String

    Value: rolename

    Switch config:

    port-access role rolename

         vlan trunk native ID

         vlan trunk allowed ID1,ID2,ID3

         auth-mode device-mode

    Best Regards

    Chris




  • 5.  RE: Aruba IAP - dot1x tagged / untagged vlan

    Posted Jul 08, 2024 05:24 AM

    User roles would indeed be the way to do this... good that you found that.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------