I agree with @Herman Robers: VLAN pools can get messy. Keep in mind large broadcast domains are less of an issue for wireless-only subnets, where you have a controller tunneling user traffic.
The high-level process would be to add an additional Role Mapping Condition to your Role Mapping Policy. It could also be done with a single-stage, Enforcement-only Policy, but this depends on how many conditions/factors you need in order to output a particular Enforcement Profile.
The Condition is pretty straightforward - [Based on source AP Group] Type=Radius:Aruba / Name=Aruba-AP-Group / Operator=Equals / Value:Campus_1
And the action would assign a Role - you could then build Role+Role logic in your Enforcement Policy, and create an Enforcement Profile that sends an Aruba Role and/or the VLAN.
Let me know if that makes sense.
------------------------------
If my post was useful, please Accept Solution and Give Kudos.
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
------------------------------
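The two-stage logic described in the reply above, modelled in Python as an added example (not from the original posts and not ClearPass code): role mapping on Aruba-AP-Group, then Role+Role enforcement returning an Aruba role and a named VLAN. The Campus_2/Campus_3 group names, all role, profile and named-VLAN names, the Authorization:Example attribute and the default-deny fallback are assumptions.

```python
# Simplified model of role mapping + enforcement; not ClearPass code.
# Assumed names: Campus_2/Campus_3, all roles, profiles and named VLANs,
# and the constructed Authorization:Example/Department attribute.
ROLE_MAPPING = [  # (namespace, name, value, role); operator is Equals
    ("Radius:Aruba", "Aruba-AP-Group", "Campus_1", "CAMPUS1"),
    ("Radius:Aruba", "Aruba-AP-Group", "Campus_2", "CAMPUS2"),
    ("Radius:Aruba", "Aruba-AP-Group", "Campus_3", "CAMPUS3"),
    ("Authorization:Example", "Department", "Staff", "STAFF"),
]
ENFORCEMENT = [  # Role+Role rules; the first rule fully satisfied wins
    ({"STAFF", "CAMPUS1"}, "STAFF_CAMPUS1"),
    ({"STAFF", "CAMPUS2"}, "STAFF_CAMPUS2"),
    ({"STAFF", "CAMPUS3"}, "STAFF_CAMPUS3"),
]
# Attributes returned to the controller. The named VLANs would be mapped
# on the controller to the pools from the question (20/21, 22/23, 24/25).
PROFILES = {
    "STAFF_CAMPUS1": {"Aruba-User-Role": "staff", "Aruba-Named-User-Vlan": "STAFF_C1"},
    "STAFF_CAMPUS2": {"Aruba-User-Role": "staff", "Aruba-Named-User-Vlan": "STAFF_C2"},
    "STAFF_CAMPUS3": {"Aruba-User-Role": "staff", "Aruba-Named-User-Vlan": "STAFF_C3"},
    "DENY": {},
}
DEFAULT_PROFILE = "DENY"  # assumption: a request matching no rule gets no access

def map_roles(request):
    """Return every role whose condition matches (evaluate-all model)."""
    return {role for ns, name, value, role in ROLE_MAPPING
            if request.get((ns, name)) == value}

def enforce(request):
    """Return (profile name, attributes) for one constructed request."""
    roles = map_roles(request)
    for required, profile in ENFORCEMENT:
        if required <= roles:  # all required roles were assigned
            return profile, PROFILES[profile]
    return DEFAULT_PROFILE, PROFILES[DEFAULT_PROFILE]

def make_request(ap_group=None, department=None):
    """Build a constructed request keyed by (namespace, attribute name)."""
    request = {}
    if ap_group is not None:
        request[("Radius:Aruba", "Aruba-AP-Group")] = ap_group
    if department is not None:
        request[("Authorization:Example", "Department")] = department
    return request

if __name__ == "__main__":
    for group in ("Campus_1", "Campus_2", "Lab", None):
        print(group, enforce(make_request(group, "Staff")))
```

A request from an AP group with no role mapping rule, or one that carries no Aruba-AP-Group attribute at all, falls through to the default profile, so the default is the place to decide what unmatched clients get.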
Original Message:
Sent: Feb 26, 2024 02:30 PM
From: ajorigenes17
Subject: Clearpass single SSID with vlan pool base on ap groups
I use a 7205 controller with an Aruba 555 access point and 6.12 CPPM.
Original Message:
Sent: Feb 26, 2024 11:19 AM
From: Herman Robers
Subject: Clearpass single SSID with vlan pool base on ap groups
You probably should not use VLAN-pools, a single VLAN with proper broadcast/multicast filtering is recommended in most cases.
In a deployment like this, I would use named-VLANs, and return the VLAN name, which could be STAFF, then in the AP/controller/gateway/AP map the VLAN name to a VLAN (or multiple VLANs for pooling). What network equipment (APs) and architecture (Instant, AOS10, controller based Aruba, non-Aruba) do you have?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Feb 26, 2024 09:50 AM
From: ajorigenes17
Subject: Clearpass single SSID with vlan pool base on ap groups
Hello everyone, I want to set up a single SSID with a VLAN pool based on AP groups. What I want to achieve is that each campus has a different VLAN with a single SSID that will broadcast in all AP groups.
CAMPUS 1: STAFF VLAN IS 20 AND 21
CAMPUS 2: STAFF VLAN IS 22 AND 23
CAMPUS 3: STAFF VLAN IS 24 AND 25
These VLANs will be assigned in 1 SSID using a VLAN pool, and I want to create a policy, roles and profiles in ClearPass so that if the STAFF/USER is in campus 1, he will be assigned to VLAN 20 or 21; same thing with the other campuses, based on the AP groups.
Can anyone help me with how to achieve this? I've been testing this for almost a week and it won't work based on my preferred setup.