That would be one option, but be aware that the client will need to do a DHCP renew when switching VLAN, which is why VLAN switching is not really recommended. It would be better to switch roles (to control traffic) and stay in the same VLAN, but if it works and is well tested, VLAN switching may work. For example, roaming profiles may break/get corrupted if you switch VLAN in the middle of retrieving/saving. For that reason, just doing computer authentication and/or not switching VLANs may be the better option.
In short, if you have machine+user, the computer will authenticate with the computer account when nobody is logged on, and reauthenticate as user when a user signs in.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jan 05, 2023 09:06 AM
From: Alon Haber
Subject: Clearpass - Connecting from VPN with RDP
So if I am doing machine authentication, can I give it a specific VLAN when it is logged off, and another VLAN when it logs in (VLAN assignment according to the user's AD credentials)?
I am not sure what the flow is when I am using both machine authentication and user authentication according to AD.
------------------------------
Best regards,
Alon Haber
Original Message:
Sent: Jan 04, 2023 05:53 AM
From: Herman Robers
Subject: Clearpass - Connecting from VPN with RDP
That probably would work. Still, I would recommend configuring computer/machine authentication such that a logged-off computer can authenticate to the network rather than allowing even unauthenticated clients to connect to your AD services.
------------------------------
Herman Robers
Original Message:
Sent: Jan 04, 2023 04:39 AM
From: Alon Haber
Subject: Clearpass - Connecting from VPN with RDP
I am doing authentication on that port.
But I want to have some default VLAN that gives access to DHCP, DC, and Clearpass.
Can't I put VLAN 999 in access, and only after authentication replace the VLAN according to the user's AD credentials?
------------------------------
Best regards,
Alon Haber
Original Message:
Sent: Jan 02, 2023 10:26 AM
From: Colin Joseph
Subject: Clearpass - Connecting from VPN with RDP
If you are not doing any type of authentication on that port, yes.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
Original Message:
Sent: Jan 02, 2023 10:11 AM
From: Alon Haber
Subject: Clearpass - Connecting from VPN with RDP
If I put the interface on VLAN access 999 and have connectivity in this VLAN (with access to the DHCP server and to Clearpass),
wouldn't it be enough for the machine to get an IP address in VLAN 999?
------------------------------
Best regards,
Alon Haber
Original Message:
Sent: Jan 01, 2023 09:33 PM
From: Colin Joseph
Subject: Clearpass - Connecting from VPN with RDP
You would have to configure machine authentication on the client machine for the device to have an IP address when logged out.
------------------------------
Original Message:
Sent: Jan 01, 2023 06:12 AM
From: Alon Haber
Subject: Clearpass - Connecting from VPN with RDP
Hi,
I set up a Clearpass cluster and assign VLANs to a workstation according to its Active Directory user login.
When the workstation is logged out, there is no active VLAN on the port. Only a dummy VLAN (999), which is not configured on the network, only locally on the switches.
As soon as the login is processed, the interface gets the correct VLAN for the user.
My problem is when a client wants to connect to the workstation with RDP.
When the workstation is not logged in, it has no IP address, so there isn't an option to connect to it.
What is the best solution for that kind of problem?
Is generating a transition VLAN the only possible way?
And if it is, do you have any suggestions for the most secure way to configure this transition VLAN?
------------------------------
Best regards,
Alon Haber
------------------------------