Clearpass single SSID with vlan pool base on ap groups

  • 1.  Clearpass single SSID with vlan pool base on ap groups

    Posted Feb 26, 2024 09:50 AM

    Hello everyone, I want to set up a single SSID with a VLAN pool based on AP groups. What I want to achieve is that each campus has different VLANs with a single SSID that will be broadcast in all AP groups.

    CAMPUS 1 : STAFF VLAN IS 20 AND 21

    CAMPUS 2 : STAFF VLAN IS 22 AND 23

    CAMPUS 3: STAFF VLAN IS 24 AND 25

    These VLANs will be assigned in one SSID using a VLAN pool, and I want to create policy roles and profiles in ClearPass so that if the STAFF/USER is in campus 1, he will be assigned to VLAN 20 or 21, and the same for the other campuses, based on the AP groups.

    Can anyone help me achieve this? I've been testing this for almost a week and it won't work based on my preferred setup.



  • 2.  RE: Clearpass single SSID with vlan pool base on ap groups

    Posted Feb 26, 2024 11:18 AM

    Are you using Aruba Wireless?

    What type of auth/encryption is the SSID configured with?



    ------------------------------
    If my post was useful, please Accept Solution and Give Kudos.
    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------
    Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
    ------------------------------



  • 3.  RE: Clearpass single SSID with vlan pool base on ap groups

    Posted Feb 26, 2024 11:20 AM

    You probably should not use VLAN-pools, a single VLAN with proper broadcast/multicast filtering is recommended in most cases.

    In a deployment like this, I would use named-VLANs, and return the VLAN name, which could be STAFF, then in the AP/controller/gateway/AP map the VLAN name to a VLAN (or multiple VLANs for pooling). What network equipment (APs) and architecture (Instant, AOS10, controller based Aruba, non-Aruba) do you have?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Clearpass single SSID with vlan pool base on ap groups

    Posted Feb 26, 2024 02:30 PM

    I use a 7205 controller with Aruba 555 access point and 6.12 CPPM.




  • 5.  RE: Clearpass single SSID with vlan pool base on ap groups

    Posted Feb 26, 2024 03:20 PM

    I agree with @Herman Robers, VLAN pools can get messy. Keep in mind large broadcast domains are less of an issue for wireless-only subnets, where you have a controller tunneling user traffic.

    The high-level process would be to add an additional Role Mapping Condition to your Role Mapping Policy. It could also be done with a single-stage, Enforcement-only Policy, but this depends on how many conditions/factors you need in order to output a particular Enforcement Profile.

    The Condition is pretty straightforward - [Based on source AP Group] Type=Radius:Aruba / Name=Aruba-AP-Group / Operator=Equals / Value:Campus_1

    And the action would assign a Role - you could then build Role+Role logic in your Enforcement Policy, and create an Enforcement Profile that sends an Aruba Role and/or the VLAN.

    Let me know if that makes sense.



    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------
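
Added example, not part of the thread and not ClearPass code: a small Python model of the flow described in post 5 (role mapping on `Aruba-AP-Group`, then Role+Role enforcement returning an Aruba role and a named VLAN, as suggested in post 3). Only `Radius:Aruba` / `Aruba-AP-Group` / `Campus_1` come from the thread; the other group names, the `Authorization:Directory` source, role, profile and VLAN names are constructed placeholders, and it assumes the policy's default profile is a deny so that an unknown or missing AP group fails closed.

```python
# Added model of the role-mapping and enforcement steps; not ClearPass code.
# From the thread: Radius:Aruba / Aruba-AP-Group / Equals / Campus_1.
# Constructed: Campus_2/3, Authorization:Directory, role and profile names,
# and the named VLANs (assumed to be mapped to VLAN pools on the controller).

OPS = {"EQUALS": lambda got, want: got == want,
       "CONTAINS": lambda got, want: want in got}

# Role mapping, evaluate-all: every matching rule adds its role.
ROLE_MAPPING = [
    ("Authorization:Directory", "Groups", "CONTAINS", "Staff", "STAFF"),
    ("Radius:Aruba", "Aruba-AP-Group", "EQUALS", "Campus_1", "CAMPUS_1"),
    ("Radius:Aruba", "Aruba-AP-Group", "EQUALS", "Campus_2", "CAMPUS_2"),
    ("Radius:Aruba", "Aruba-AP-Group", "EQUALS", "Campus_3", "CAMPUS_3"),
]

# Enforcement policy, first match wins: all listed roles must be present.
ENFORCEMENT_POLICY = [
    ({"STAFF", "CAMPUS_1"}, "staff-campus1"),
    ({"STAFF", "CAMPUS_2"}, "staff-campus2"),
    ({"STAFF", "CAMPUS_3"}, "staff-campus3"),
]

# Enforcement profiles: attributes returned in the Access-Accept.
PROFILES = {
    f"staff-campus{n}": {"Aruba-User-Role": "staff",
                         "Aruba-Named-User-Vlan": f"STAFF_C{n}"}
    for n in (1, 2, 3)
}

def map_roles(request):
    """Return the set of roles assigned by all matching role-mapping rules."""
    roles = set()
    for namespace, name, op, value, role in ROLE_MAPPING:
        got = request.get(namespace, {}).get(name)
        if got is not None and OPS[op](got, value):
            roles.add(role)
    return roles

def enforce(request):
    """Return (result, attributes); no matching rule falls to the deny default."""
    roles = map_roles(request)
    for required, profile in ENFORCEMENT_POLICY:
        if required <= roles:
            return "Access-Accept", PROFILES[profile]
    return "Access-Reject", {}
```

A request is a dict of namespaces, for example `enforce({"Authorization:Directory": {"Groups": ["Staff"]}, "Radius:Aruba": {"Aruba-AP-Group": "Campus_1"}})`.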