I want to change the client's VLAN after he/she authenticates successfully via captive portal.
I have the following setup:
1- Controller + RADIUS server
2- SSID with captive portal authentication
Referring to this link http://community.arubanetworks.com/t5/Wireless-Access/Radius-COA/td-p/116267
I see it is possible to give a user a DHCP lease for a short time (15 to 30 seconds), but switching the user to another VLAN after authentication is not working.
I tried:
1- setting the VLAN in the User-Role
2- setting the VLAN from RADIUS attributes
3- changing the server derivation rules in the server group, and got the following error: "Error: Server Group "radius-group" assigned to cp/vpn cannot have vlan derivation rules"
Is there any way to change the VLAN on captive portal authentication without CPPM?
But the DHCP lease is very short (15 seconds). After user authentication:
1- the user is moved to the new VLAN, with a new DHCP server in it
2- the user will wait a maximum of 15 seconds and then will get a new IP address
I need this information.
Not all clients will honor the short DHCP lease time.
I'd like to repeat Tim's advice not to switch VLANs for captive portals unless there is no other option available. As a last resort, VLAN switching may work but will probably bring you lots of issues.
Yes, thank you for your advice. I know it is not recommended, but I need to do this config for testing purposes.
Hi Herman, hope you are OK! I was reading your comments about this topic.
It's clear it is not a best practice. My customer needs to do that because they manage user traffic at VLAN level on their firewall. We were doing some tests using CoA after captive portal auth, and using the username attribute for the MAC auth caching service attending this reauth, and it works, but there are some time issues regarding the username writing delay at the endpoint database: you have to make a 30 seconds delay for the captive portal auth to make it operational. I think it is as it is, but if you have any other recommendation, it would be appreciated.
Hi Jorge Calvi, congratulations on making it work. We are also having problems changing the VLAN when using Captive Portal. Please let me know, is your service still up and working fine?
You can set a different VLAN in the post-auth role than in the pre-auth role. If you use ClearPass, you can set the role via RADIUS VSA. If you have an internal captive portal without ClearPass, the initial role from the AAA profile is used as the pre-auth role, and the default role from the captive portal authentication profile is used as the post-auth role. After the role change the VLAN is also changed.
But as Herman already wrote, it is not a best practice. Rather don't change the VLAN, just adjust the ACL for the pre-auth and post-auth roles.
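As an added illustration of the role mapping described in this answer (not configuration posted by any participant in the thread), the following ArubaOS controller configuration defines a pre-auth role and a post-auth role that differ only in their session ACLs, with the VLAN-switching variant shown as commented lines. The role, profile and ACL names `guest-logon`, `guest-authenticated`, `guest-aaa` and `guest-cp` are assumed names; `radius-group` is the server group named in the question; `logon-control`, `captiveportal` and `allowall` are ArubaOS built-in session ACLs.

```text
! Pre-auth role: only DNS/DHCP and redirect-to-portal traffic, via the
! built-in logon-control and captiveportal ACLs. Keep the client in its VLAN.
user-role "guest-logon"
    vlan 100
    access-list session "logon-control"
    access-list session "captiveportal"
!
! Post-auth role: same VLAN, wider ACL. Only the firewall policy changes,
! so the client keeps its IP address and never depends on a DHCP renew.
user-role "guest-authenticated"
    vlan 100
    access-list session "allowall"
!
! Not recommended (see the thread): a different VLAN in the post-auth role
! forces an address change that only works if the client re-DHCPs quickly.
!   user-role "guest-authenticated"
!       vlan 200
!       access-list session "allowall"
!
! The captive portal profile's default-role becomes the post-auth role.
aaa authentication captive-portal "guest-cp"
    default-role "guest-authenticated"
    server-group "radius-group"
!
! The AAA profile's initial-role becomes the pre-auth role.
aaa profile "guest-aaa"
    initial-role "guest-logon"
!
```

With the non-commented variant, `show user-table` after a client logs in should show the role changing from `guest-logon` to `guest-authenticated` while the client's IP address and VLAN stay the same.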
Hi becseven2395, it is no problem to change the VLAN in the controller dynamically. The question is rather, how do the clients behave when the VLAN changes? The client must also change the IP address at that moment. You can set the DHCP lease time to a few seconds so that the IP address is renewed very often. If the client does not, there is no IP connectivity. You cannot influence the client behavior at this moment. But if there are problems, the users or the customer will come to you and ask for a solution, because you are responsible for the WLAN. Change the VLAN manually and observe how the clients behave. Create a user role and set a specific VLAN in it. After a client has connected to the WLAN, assign the role to it. Use the command "aaa user add mac-addr <macaddr> role <role>". Keep in mind that by changing the VLAN you might create more problems in the guest WLAN. If you want stable guest wifi, follow the best practice way from Aruba.