Device isolation methods/VLAN assignment in roles

  • 1.  Device isolation methods/VLAN assignment in roles

    Posted Nov 23, 2023 04:29 PM


    We use ClearPass 6.11 for IoT device registration, and have an AOS set-up with an MCR and a standby MCR plus a 10-controller cluster.

    We currently use the built-in ClearPass page for personal device registration for our IoT SSID. This works OK; we don't do anything fancy, but we run AirGroup to restrict discovery to only devices registered by the same user.

    We are now going to develop our own device registration interface to allow users to register their personal devices (as now) but also to allow institutions within the university to register their own institutional devices. Institutional devices are a little more problematic than personal ones in that we would want to separate different institutions' devices from each other, but there might be some categories of devices within that (e.g. some BMS devices, perhaps door controllers etc.) that would need some visibility of each other. Perhaps the arrival of PANs will provide a solution, but will we only see that in AOS10? In the meantime, is our best bet to assign different user roles to different institutions' devices and different types of device?

    At a basic level it looks like we can assign the VLAN ID in a user role (I'm assuming putting a device into a role with a VLAN specified will 'just work' in terms of putting that device on that VLAN), but it's a tunnelled SSID with a single VLAN (we don't want to get into bridging the SSID, or creating multiple VLANs for different institutions), so it's a large broadcast domain.

    It's a problem that could turn into a wormhole as more and more use-cases are identified, though we aim to start as simple as we can, so any advice is appreciated!


  • 2.  RE: Device isolation methods/VLAN assignment in roles

    Posted Nov 24, 2023 01:38 AM

    I am not sure if I got you correctly with your description, but for the VLAN ID, you can't get rid of creating multiple VLANs. However, there is an easier way to manage them, for which you can use Named VLANs in the vAP Profile configuration. You can name the VLAN, for example, "Institution X" and then within Institution X, you can call multiple VLAN IDs, for example: 100, 101, 102, 103. Each of the VLAN IDs can, for example, map to a /24 subnet. Then, if you need devices in VLAN 100 to communicate with the ones in VLAN 101, you can perform Inter-VLAN Routing.

    But I guess you already know this option.


    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
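
The named-VLAN arrangement described in the reply, written out as an AOS 8 controller CLI example; this is added here and is not configuration from either poster. The VLAN IDs, the name "institution-x", the role name and the virtual AP profile name "iot-vap" are constructed placeholders, and the exact command syntax is given as I understand it for AOS 8 and should be checked against the release in use.

```text
! Constructed example: four /24 VLANs grouped under one name so the
! virtual AP and the user roles reference the institution, not the IDs.
vlan 100
vlan 101
vlan 102
vlan 103
vlan-name institution-x pool-type hash
vlan institution-x 100,101,102,103

! Tunnelled IoT virtual AP (assumed profile name) keeps one default
! named VLAN; pool-type hash keeps a given client MAC on the same VLAN.
wlan virtual-ap iot-vap
  vlan institution-x

! Per-institution role: a device that ClearPass places in this role
! lands in the institution's VLAN pool rather than the VAP default.
user-role institution-x-iot
  vlan institution-x
  session-acl allowall

! Devices in VLAN 100 reach VLAN 101 only through the L3 gateway, so
! which device categories may see each other is decided there
! (inter-VLAN routing / firewall policy), not inside one broadcast domain.
```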