Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

how to change user VLAN in Captive Portal Authentication ?

  • 1.  how to change user VLAN in Captive Portal Authentication ?

    Posted Jun 01, 2016 05:50 AM

    Hi,

    I want to change the client's VLAN after he/she authenticates successfully via captive portal.

    1- I have the following setup:

    2- Controller + RADIUS server

    3- SSID with captive portal authentication

    Referring to this link http://community.arubanetworks.com/t5/Wireless-Access/Radius-COA/td-p/116267

    I see it is possible to give a user a DHCP lease for a short time (15 to 30 seconds), but switching the user to another VLAN after authentication is not working.

    I tried:

    1- setting the VLAN in the user role

    2- setting the VLAN from RADIUS attributes

    3- changing the server derivation rules in the server group, and I see the following error: "Error: Server Group "radius-group" assigned to cp/vpn cannot have vlan derivation rules"

    Is there any way to change the VLAN on captive portal authentication without CPPM?



  • 2.  RE: how to change user VLAN in Captive Portal Authentication ?

    EMPLOYEE
    Posted Jun 01, 2016 05:56 AM
    It is not recommended to change the VLAN after a captive portal authentication. Many clients will not re-DHCP. Consider changing the role instead of the VLAN. 


  • 3.  RE: how to change user VLAN in Captive Portal Authentication ?

    Posted Jun 01, 2016 06:15 AM

    But the DHCP lease is very short (15 seconds); after user authentication:

    1- the user moved to the new vlan with a new DHCP server in it 

    2- the user will wait maximum of 15 seconds and then will get a new IP address 

    I need this information.



  • 4.  RE: how to change user VLAN in Captive Portal Authentication ?

    EMPLOYEE
    Posted Jun 06, 2016 04:17 AM

    Not all clients will honor the short DHCP lease time.

    I'd like to repeat Tim's advice not to switch VLANs for captive portals unless there is no other option available. As a last resort, VLAN switching may work but will probably bring you lots of issues.



  • 5.  RE: how to change user VLAN in Captive Portal Authentication ?

    Posted Jun 06, 2016 05:40 AM

    Yes, thank you for your advice. I know it is not recommended, but I need to do this config for testing purposes.



  • 6.  RE: how to change user VLAN in Captive Portal Authentication ?

    EMPLOYEE
    Posted Oct 31, 2022 10:47 AM

    Hi Herman, hope you are ok! I was reading your comments about this topic.

    It's clear it is not a best practice. My customer needs to do that because they manage user traffic at VLAN level on their firewall. We were doing some tests using CoA after captive portal auth, and using the username attribute for the MAC auth caching service attending this reauth, and it works, but there are some timing issues regarding the username writing delay at the endpoint database: you have to make a 30-second delay for the captive portal auth to make it operational. I think it is as it is, but if you have any other recommendation, it would be appreciated.




  • 7.  RE: how to change user VLAN in Captive Portal Authentication ?

    EMPLOYEE
    Posted Nov 01, 2022 07:17 AM
    If you have a 30 second latency for database writes, there is something seriously wrong with your deployment. 5 or 10 seconds max should be enough for the database to sync. And for the client, a port bounce should probably take at least 20 seconds for the client to drop its IP reliably, which means that the database sync should never be the issue in this case. If you see such high delays, please work with Aruba TAC Support to investigate how that can happen.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: how to change user VLAN in Captive Portal Authentication ?

    Posted May 03, 2023 10:53 PM

    Hi Jorge Calvi,
    Congratulations on making it work.
    We are also having problems changing VLAN when using Captive Portal.
    Please let me know, is your service still up and working fine?






  • 9.  RE: how to change user VLAN in Captive Portal Authentication ?

    Posted May 04, 2023 02:07 PM

    You can set a different VLAN in the post-auth role than in the pre-auth role. If you use ClearPass, you can set the role via RADIUS VSA. If you have an internal captive portal without ClearPass, the initial role from the AAA profile is used as the pre-auth role, and the default role from the captive portal authentication profile is used as the post-auth role. After the role change the VLAN is also changed.

    But as Herman already wrote, it is not a best practice.
    Rather don't change the VLAN, just adjust the ACL for the pre-auth and post-auth roles.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 10.  RE: how to change user VLAN in Captive Portal Authentication ?

    Posted May 04, 2023 09:59 PM
    Hi Lord,
    Thanks for the early reply.

    I have read many articles and it is clearly not the best practice.
    But my clients need that because they manage traffic at the firewall level.
    Can I still try this VLAN switch without problems?
    Please give advice.

    Thank you all.



  • 11.  RE: how to change user VLAN in Captive Portal Authentication ?

    Posted May 06, 2023 07:38 AM

    Hi becseven2395,

    It is no problem to change the VLAN in the controller dynamically. The question is rather: how do the clients behave when the VLAN changes? The client must also change the IP address at that moment. You can set the DHCP lease time to a few seconds so that the IP address is renewed very often.

    If the client does not, there is no IP connectivity. You cannot influence the client behavior at this moment. But if there are problems, the users or the customer will come to you and ask for a solution, because you are responsible for the WLAN.

    Change the VLAN manually and observe how the clients behave. Create a user role and set a specific VLAN in it. After a client has connected to the WLAN, assign the role to it. Use the command "aaa user add mac-addr <macaddr> role <role>".

    Keep in mind that by changing VLAN you might create more problems in the guest WLAN. If you want stable guest wifi, follow the best practice way from Aruba.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
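    The two replies above describe the mechanism (pre-auth role and post-auth role each carrying a VLAN) and a manual test (assign the post-auth role, then watch whether each client actually re-addresses into the new VLAN). The following script is an added example, not code from this thread or from Aruba: it audits a constructed observation log of per-client role and IP samples and reports which clients re-addressed, how long that took, and which ones kept their pre-auth IP past a grace period. The log format, role names, VLAN numbers and subnets are all assumptions made for the example, not real ArubaOS "show user" output.

```python
"""Audit whether clients re-address after a post-auth role/VLAN change.

Added example (not from the forum thread). The observation log format below is
hypothetical: one line per sample, "<ISO timestamp> mac=.. role=.. ip=..".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed mapping: role -> VLAN, VLAN -> subnet (assumed values, not from the thread).
ROLE_VLAN = {"guest-logon": 100, "guest": 200}
VLAN_SUBNET = {100: ip_network("10.100.0.0/24"), 200: ip_network("10.200.0.0/24")}

# Constructed sample log: three clients moved from guest-logon (VLAN 100) to guest (VLAN 200)
# at 07:40:10. Client 01 re-addresses 12 s later, client 02 keeps its old IP, client 03 has
# not been observed long enough to judge.
SAMPLE_LOG = """\
2023-05-06T07:40:00 mac=aa:bb:cc:dd:ee:01 role=guest-logon ip=10.100.0.23
2023-05-06T07:40:00 mac=aa:bb:cc:dd:ee:02 role=guest-logon ip=10.100.0.24
2023-05-06T07:40:00 mac=aa:bb:cc:dd:ee:03 role=guest-logon ip=10.100.0.25
2023-05-06T07:40:10 mac=aa:bb:cc:dd:ee:01 role=guest ip=10.100.0.23
2023-05-06T07:40:10 mac=aa:bb:cc:dd:ee:02 role=guest ip=10.100.0.24
2023-05-06T07:40:10 mac=aa:bb:cc:dd:ee:03 role=guest ip=10.100.0.25
2023-05-06T07:40:22 mac=aa:bb:cc:dd:ee:01 role=guest ip=10.200.0.41
2023-05-06T07:40:45 mac=aa:bb:cc:dd:ee:01 role=guest ip=10.200.0.41
2023-05-06T07:40:45 mac=aa:bb:cc:dd:ee:02 role=guest ip=10.100.0.24
"""


@dataclass
class Observation:
    ts: datetime
    mac: str
    role: str
    ip: str


def parse_line(line: str) -> Observation:
    """Parse one hypothetical log line into an Observation."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(part.split("=", 1) for part in rest.split())
    return Observation(datetime.fromisoformat(ts_text), fields["mac"], fields["role"], fields["ip"])


def audit(lines, post_auth_role="guest", grace=timedelta(seconds=30)):
    """Return {mac: (status, seconds)} for every client in the log.

    status is one of:
      "ok"             client obtained an IP in the post-auth VLAN's subnet; seconds = time to re-address
      "stale-ip"       client was still outside that subnet after the grace period; seconds = observed age
      "pending"        client changed role but has not yet been observed past the grace period
      "never-post-auth" client was never seen in the post-auth role
    """
    target = VLAN_SUBNET[ROLE_VLAN[post_auth_role]]
    by_mac = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        obs = parse_line(line)
        by_mac.setdefault(obs.mac, []).append(obs)

    report = {}
    for mac, obs_list in by_mac.items():
        obs_list.sort(key=lambda o: o.ts)
        # First sample in which the client carries the post-auth role marks the role change.
        change = next((o for o in obs_list if o.role == post_auth_role), None)
        if change is None:
            report[mac] = ("never-post-auth", None)
            continue
        # First sample at or after the change whose IP lies in the new VLAN's subnet.
        readdressed = next(
            (o for o in obs_list if o.ts >= change.ts and ip_address(o.ip) in target), None
        )
        if readdressed is not None:
            report[mac] = ("ok", int((readdressed.ts - change.ts).total_seconds()))
            continue
        age = obs_list[-1].ts - change.ts
        if age < grace:
            report[mac] = ("pending", None)
        else:
            report[mac] = ("stale-ip", int(age.total_seconds()))
    return report


if __name__ == "__main__":
    for mac, (status, seconds) in sorted(audit(SAMPLE_LOG.splitlines()).items()):
        print(f"{mac}  {status:16s} {'' if seconds is None else str(seconds) + ' s'}")
```

    The grace period is the knob to tune against Herman's remark above: if clients are expected to drop the old address within roughly 20 seconds, a grace of 30 seconds leaves a margin, and any client reported as "stale-ip" is one that did not honour the short lease and would lose connectivity after a VLAN switch.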



  • 12.  RE: how to change user VLAN in Captive Portal Authentication ?

    MVP EXPERT
    Posted 30 days ago

    Hi,

    We have an issue with running out of IP addresses on our guest VLAN, given the fact that it's an open network and every man and their dog connects to it and gets an IP address.

    On a switch you can do a CoA to bounce a switch port specifying the "down" time, thereby forcing the client to do another DHCP request. Can we not use the same method for the captive portal VLAN, e.g. set up profiling in the ClearPass service and do Aruba wireless bounce switch port?

    A




  • 13.  RE: how to change user VLAN in Captive Portal Authentication ?

    EMPLOYEE
    Posted 30 days ago

    Why not just set the DHCP lease duration to a lower time?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------