Hi becseven2395,
It is no problem to change the VLAN in the controller dynamically. The question is rather, how do the clients behave when the VLAN changes? The client must also change the IP address at that moment. You can set the DHCP lease time to a few seconds so that the IP address is renewed very often.
If the client does not, there is no IP connectivity. You cannot influence the client behavior at this moment. But if there are problems, the users or the customer will come to you and ask for a solution, because you are responsible for the WLAN.
Change the VLAN manually and observe how the clients behave. Create a user role and set a specific VLAN in it. After a client has connected to the WLAN, assign the role to it. Use the command "aaa user add mac-addr <macaddr> role <role>".
Keep in mind that by changing the VLAN you might create more problems in the guest WLAN. If you want stable guest Wi-Fi, follow the best practice way from Aruba.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: May 04, 2023 09:59 PM
From: becseven2395
Subject: how to change user VLAN in Captive Portal Authentication ?
Hi Lord,
Thanks for the early reply.
I have read many articles and it is clearly not the best practice.
But my clients need that because they manage traffic at the firewall level.
Can I still try with this VLAN switch without problems?
Please give advice.
Thanks, all.
Original Message:
Sent: May 04, 2023 02:06 PM
From: lord
Subject: how to change user VLAN in Captive Portal Authentication ?
You can set a different VLAN in the post-auth role than in the pre-auth role. If you use ClearPass, you can set the role via RADIUS VSA. If you have an internal captive portal without ClearPass, the initial role from the AAA profile is used as the pre-auth role, and the default role from the captive portal authentication profile is used as the post-auth role. After the role change the VLAN is also changed.
But as Herman already wrote, it is not a best practice.
Rather don't change the VLAN, just adjust the ACL for the pre-auth and post-auth roles.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: May 03, 2023 10:53 PM
From: becseven2395
Subject: how to change user VLAN in Captive Portal Authentication ?
Hi Jorge Calvi,
Congratulations on making it work.
We are also having problems changing VLAN use when using Captive Portal.
Please let me know: is your service still up and working fine?
Original Message:
Sent: Oct 31, 2022 10:47 AM
From: Jorge Calvi
Subject: how to change user VLAN in Captive Portal Authentication ?
Hi Herman, hope you are ok! I was reading your comments about this topic; it's clear it is not a best practice. My customer needs to do that because they manage user traffic at VLAN level on their firewall. We were doing some tests using CoA after captive portal auth, and using the username attribute for the MAC auth caching service attending this reauth, and it works, but there are some time issues regarding the username writing delay at the endpoint database: you have to make a 30-second delay for the captive portal auth to make it operational. I think it is as it is, but if you have any other recommendation, it would be appreciated.
Original Message:
Sent: Jun 06, 2016 04:17 AM
From: Herman Robers
Subject: how to change user VLAN in Captive Portal Authentication ?
Not all clients will honor the short DHCP lease time.
I'd like to repeat Tim's advice not to switch VLANs for captive portals unless there is no other option available. As a last resort, VLAN switching may work but will probably bring you lots of issues.