Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

HPE 830 controller - Dynamic VLAN on 1 SSID

  • 1.  HPE 830 controller - Dynamic VLAN on 1 SSID

    Posted Jul 03, 2021 04:25 AM

    Hi everyone!

    Anyone any experience with an HP 830 controller to implement Dynamic VLAN segmentation on 1 SSID.. with Clearpass or Radius?

    Would it be possible only with 802.1X authentication, or can this work with a captive portal to assign the VLAN after login depending on the credentials/vouchercode?

    Thanks!

    Kind regards,

    Cedric


    #ClearPass
    #Radius
    #dynamic
    #Controller
    #hp830
    #VLAN


  • 2.  RE: HPE 830 controller - Dynamic VLAN on 1 SSID

    EMPLOYEE
    Posted Jul 05, 2021 04:35 AM

    Hello @dewced 

    Assigning different VLANs in the same SSID is possible for 802.1x authentication and mac-authentication. The RADIUS server should return the standard RADIUS attributes Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID. On the controller you have to make sure that the WLAN-ESS interface is configured as hybrid port and you have the mac-vlan feature enabled.

    It is a bit more complicated with captive portal. Captive portal feature on this controller is enabled on a VLAN interface and not on an SSID. So the user has to be already assigned to a VLAN before it can be redirected to a captive portal. Usually you can use mac-authentication in combination with captive portal for more flexibility. When the user connects to the SSID, mac-authentication happens and if the MAC is unknown the user is assigned first to a VLAN with portal authentication. This can be done either using the mac-authentication guest-vlan feature of the controller or using VLAN attributes from the RADIUS server. Once redirected to the portal page if the user supplies correct credentials the MAC address is marked as known and the RADIUS server triggers CoA disconnect of the user. The user does a new mac-authentication which this time succeeds and a new VLAN can be assigned.

    So this is the basic idea how it should work, there are some details depending on which portal solution will be used. Several years ago the following technical note was released: UWW & ClearPass. How to configure Unified Wireless with ClearPass

    https://www.hpe.com/psnow/doc/a00100376en_us

    It contains example configuration for 802.1x, mac-authentication and guest access with mac-caching.  The controller examples are ensuring compatibility with ClearPass but I think the configuration of 802.1x and mac-authentication is valid for every RADIUS server. The guest solution is more specific to ClearPass.

    Please note that this document is from 2016 and I don't know if it was updated. The Unified controllers are end of sales since 2017 while ClearPass had many new versions in the meantime. So some things may not be valid any longer.

    Regarding CoA it is good to know that this controller has very limited support. It supports CoA request with 2 attributes only, Termination action with value 0 and session-timeout.
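
    As an added illustration of the RADIUS side described in the reply above (example code written for this thread, not taken from the HPE technical note, the controller or ClearPass): the three RFC 2868 tunnel attributes that carry a VLAN assignment are encoded and parsed, a NAS-side check decides which VLAN (if any) an Access-Accept should apply, and the two-pass mac-authentication flow (unknown MAC into the portal VLAN, known MAC into its real VLAN after CoA) is modelled. The attribute numbers and the VLAN/IEEE-802 values are the standard ones; the guest VLAN 900, VLAN 120 and the MAC addresses are constructed sample values, and the "known MAC" table stands in for whatever MAC caching the RADIUS server does.

```python
import struct

# RFC 2868 tunnel attribute numbers and the values that express a VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type = IEEE-802


def encode_tagged_int(attr, tag, value):
    """Tagged integer attribute: type, length 6, one tag byte, 3-byte value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr, tag, text):
    """Tagged string attribute: type, length, one tag byte, then the string."""
    data = text.encode()
    if not 0 <= tag <= 0x1F or len(data) > 250:
        raise ValueError("bad tag or value too long")
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def build_vlan_attributes(vlan_id, tag=1):
    """The attribute triple a RADIUS server returns to place a client in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        out.append((attr, blob[i + 2:i + length]))
        i += length
    return out


def vlan_from_accept(blob):
    """VLAN id a NAS should apply, or None when the tunnel attributes are absent,
    inconsistent (wrong type or medium, tags that do not pair up) or not a VLAN number."""
    ints, gids = {}, {}
    for attr, v in parse_attributes(blob):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            ints.setdefault(v[0], {})[attr] = int.from_bytes(v[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID and v:
            # A leading byte above 0x1F is not a tag but the first character (RFC 2868)
            tag, text = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            gids[tag] = text.decode(errors="replace")
    for tag, group in ints.items():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802):
            gid = gids.get(tag, gids.get(0))  # an untagged group id pairs with any tag
            if gid and gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


def mac_auth_reply(mac, known_macs, guest_vlan):
    """Server side of the two-pass flow: an unknown MAC gets the portal VLAN,
    a MAC marked known after portal login gets its real VLAN."""
    return build_vlan_attributes(known_macs.get(mac, guest_vlan))


def portal_flow(mac, user_vlan, guest_vlan=900):
    """VLANs the client sees: first mac-auth pass (unknown MAC), then the pass
    after portal success marks the MAC known and CoA forces re-authentication.
    Sample values are constructed, not from any real deployment."""
    known = {}
    first = vlan_from_accept(mac_auth_reply(mac, known, guest_vlan))
    known[mac] = user_vlan   # portal login succeeded: the MAC is now cached as known
    # CoA disconnect -> client re-associates -> second mac-auth pass
    second = vlan_from_accept(mac_auth_reply(mac, known, guest_vlan))
    return first, second
```

    Running `portal_flow("00-11-22-33-44-55", 120)` returns `(900, 120)`: the guest VLAN on the first pass, the user VLAN once the MAC is known. The parser deliberately returns None rather than falling back to a default VLAN when the triple is incomplete or the medium is not IEEE-802, which is the behaviour you want from a NAS so that a misconfigured server policy fails closed instead of dropping a client into an unintended VLAN.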



  • 3.  RE: HPE 830 controller - Dynamic VLAN on 1 SSID

    Posted Jul 05, 2021 09:56 AM

    Hello @Emil_G ,

    Really appreciate you took the time for elaborating your knowledge on this very well!

    I have more experience with Aruba network equipment in this area, that's why I posted the question here as we still have many customers with HP 830 controllers. Very nice to know what is still possible, and to know the limitations.

    The manual looks very interesting in any case, and can certainly be a good guideline despite it being slightly older. I'll be working on it in the coming weeks to work out a PoC. Thanks again for the input! Enjoy your day!


    Regards,
    Cedric



  • 4.  RE: HPE 830 controller - Dynamic VLAN on 1 SSID

    Posted Oct 04, 2021 04:40 PM

    Hi Emil,

    Most of the guide was still working, and we're using Clearpass + Radius on HPE 830 for dynamic vlan assignment already. Thanks for your input in this!

    The only thing we're struggling with for our HPE 830 needs is the "portal noc login-url", when using the link like the guide in combination with the GET attributes: https://10.0.2.253/guest/externalguestportal.php?nasid=%n&nasip=%a&loginport=%p&ipaddress=%c&mac=%m&original_url=%o then the attributes for loginport & nasid are not sent to Clearpass, the other values do appear in Clearpass. Is there any way to look into the controller to see how we can retrieve these values to send them to the captive portal => to Clearpass? Possibly this changed in a firmware update from the HPE 830?
    We need these for the CoA after a successful authentication on the captive portal webpage, so that the connection can then login with the MAC authentication. All is working now when we re-trigger the connection manually, however not that user-friendly :-).
    [Attached screenshot: AccessTracker1.png]

    Maybe you still have some info on this. Thanks a lot, and enjoy your day!

    Kind regards,
    Cedric



  • 5.  RE: HPE 830 controller - Dynamic VLAN on 1 SSID

    EMPLOYEE
    Posted Oct 05, 2021 09:39 AM

    Hello

    Thanks for the feedback!

    This is the security configuration guide

    https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c04568074

    I don't have experience with such kind of issues.

    There seems to be a command which specifies which parameters are carried in the redirection url.

    "portal url-param include", on page 170 of this guide. Maybe you can enter this command with nas-id and check if it changes something.

    On page 160 you can also find the command "portal nas-id" to configure nas-id in global system view or per interface. Maybe you can test if specifying nas-id here changes anything.

    I am not sure about loginport. I need to investigate.
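
    As an added example for the redirect problem discussed in the last two posts (written for this thread, not code from ClearPass, the HP 830 or its documentation): a portal-side check that parses the login-url query string built from the %n/%a/%p/%c/%m/%o placeholders, reports which parameters arrived empty or unexpanded, sanity-checks the IP and MAC values, and refuses to consider the session ready for CoA until the fields the poster says ClearPass needs (nasid, nasip, loginport, mac) are all present. Whether the controller sends an empty value or the literal placeholder when it cannot fill a field is not stated in the thread, so both are treated as missing; the two sample URLs are constructed and the 10.0.2.253 host is simply the one quoted above.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters the login-url template from the thread hands to the portal
EXPECTED = ("nasid", "nasip", "loginport", "ipaddress", "mac", "original_url")
# Assumption: what the portal side needs before it attempts CoA for the session
COA_REQUIRED = ("nasid", "nasip", "loginport", "mac")

# Accepts 00-11-22-33-44-55 / 00:11:22:33:44:55 and the 0011-2233-4455 style
MAC_RE = re.compile(
    r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^([0-9a-f]{4}[-.]){2}[0-9a-f]{4}$", re.I)


def parse_portal_redirect(url):
    """Extract the expected parameters; absent keys become empty strings."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: qs.get(k, [""])[0] for k in EXPECTED}


def validate_params(params):
    """Map each problematic parameter to a reason; an empty dict means all good."""
    problems = {}
    for k in EXPECTED:
        v = params.get(k, "")
        if v == "" or v.startswith("%"):
            problems[k] = "missing, empty or unexpanded placeholder"
    for k in ("nasip", "ipaddress"):
        v = params.get(k, "")
        if v and k not in problems:
            try:
                ipaddress.ip_address(v)
            except ValueError:
                problems[k] = "not an IP address"
    mac = params.get("mac", "")
    if mac and "mac" not in problems and not MAC_RE.match(mac):
        problems["mac"] = "not a MAC address"
    return problems


def coa_ready(params):
    """True only when every field needed to address a CoA is present and valid."""
    problems = validate_params(params)
    return all(params.get(k) and k not in problems for k in COA_REQUIRED)


# Constructed sample redirects: one fully expanded, one as reported in the thread
# (nasid and loginport never reach the portal)
URL_OK = ("https://10.0.2.253/guest/externalguestportal.php?nasid=hp830-01"
          "&nasip=10.0.2.1&loginport=GigabitEthernet1/0/1&ipaddress=10.0.10.23"
          "&mac=00-11-22-33-44-55&original_url=http://example.com/")
URL_PARTIAL = ("https://10.0.2.253/guest/externalguestportal.php?nasid="
               "&nasip=10.0.2.1&loginport=&ipaddress=10.0.10.23"
               "&mac=0011-2233-4455&original_url=http://example.com/")

if __name__ == "__main__":
    for url in (URL_OK, URL_PARTIAL):
        p = parse_portal_redirect(url)
        print(validate_params(p), "CoA ready:", coa_ready(p))
```

    Run against the second URL the check reports nasid and loginport as missing and `coa_ready` returns False, which is the condition to log and surface on the portal rather than silently falling back to the manual re-trigger the poster describes; once "portal url-param include" or "portal nas-id" on the controller makes those fields appear, the same check passes without code changes.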