  • 1.  RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION

    Posted 13 days ago

    Good Day,

    I am implementing dynamic VLAN or VLAN enforcement in a university where each building is assigned different VLANs based on user roles. The client prefers this configuration as it simplifies the application of firewall policies for each building, if necessary, and aids in monitoring. The configuration works as intended, where users receive a dedicated VLAN based on their location.

    However, we have noticed an issue with some random Android devices. These devices are unable to obtain the correct VLAN or IP address based on the user's location unless the user manually performs a "Forget SSID" action on their device. Upon investigation, we found that the user's device does not re-authenticate with ClearPass when moving to another building. This prevents the device from being assigned the accurate VLAN for the new location.

    Issue Scenario:

    1. When a user connects to the SSID for the first time, ClearPass successfully authenticates the user and assigns the correct VLAN and IP address for that location.
    2. When the user moves to a different building and reconnects to the SSID, the device bypasses re-authentication with ClearPass. As a result, the device retains the VLAN and IP address assigned in the previous building, instead of receiving a new assignment for the current location.

    This issue appears to be specific to certain Android devices. iOS, Windows, and macOS devices always re-authenticate with ClearPass when users move between buildings, ensuring they receive the correct VLAN. Additionally, affected Android devices bypass the active session count policies because they fail to re-authenticate with ClearPass after the initial successful authentication.

    I just want to know if you have a solution to this issue, or whether it is because Android has a different interpretation when it comes to the 802.1X protocol.

    Thank you, and I look forward to your guidance.



  • 2.  RE: RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION

    Posted 12 days ago

    This is a really bad idea.  If you have a contiguous RF roaming domain, you shouldn't be forcing the device to grab a new IP address every time the device moves from one building to another.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION

    Posted 12 days ago

    Hello!

    With Controller we used an L3 Mobility design to ensure that the client could seamlessly roam between campus buildings. What is this solution based on? AOS10 or AOS8 Controller?

    Regardless... If an authentication is not triggered to ClearPass, it is most likely because fast roaming is in play (802.11r/k/v) and not all devices support it. This is something you want to have active, as turning this off kills your wifi experience. You need to take a good look at your design again here mate.

    Read more about it: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/221671-understand-802-11r-11k-11v-fast-roams-on.html

    Also, read up on AOS10 design here: https://www.arubanetworks.com/techdocs/VSG/docs/035-campus-migrate/esp-campus-migrate-030-planning-iap/



    ------------------------------
    John-Egil Solberg |
    ACMX#316 | ACCX#902
    ------------------------------



  • 4.  RE: RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION

    Posted 10 days ago

    Hello!

    Yes, I understand that 802.11k/r/v needs to be enabled for a better user experience. However, based on our testing, some Android devices do not re-authenticate to ClearPass when moving between different buildings, even though each building is approximately 100 to 200 meters apart. Ideally, users should re-authenticate when moving to a different building, as they are disconnected while roaming to the new location. Reauthentication works fine on iOS, Windows, macOS, and some Android devices, but there are cases where certain Android devices fail to re-authenticate. This prevents these devices from being assigned the correct VLAN for the new location.




  • 5.  RE: RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION

    Posted 9 days ago

    If you have 802.11r enabled and the devices are fast roaming outside of the area that you want them to do so, then you need to configure the mobility ID to be different for the various areas.

    https://www.arubanetworks.com/techdocs/ArubaOS_8.12.0_Web_Help/Content/arubaos-solutions/virtual-ap/fast-bss-tran.htm



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
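An added model of the behaviour this reply describes (illustrative code, not Aruba, ClearPass or the poster's configuration): inside one 802.11r mobility domain a client fast-roams on its cached FT keys and never re-contacts ClearPass, so its VLAN follows it across buildings; with a separate mobility domain ID per building the roam forces a full 802.1X exchange and the VLAN follows the AP group. AP names, AP groups, VLAN numbers and mobility domain IDs are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed: building (AP group) per AP, and the VLAN ClearPass would
# return for that AP group in the thread's "VLAN by AP group" policy.
AP_GROUP = {"ap-lib-1": "library", "ap-lib-2": "library", "ap-eng-1": "engineering"}
GROUP_VLAN = {"library": 110, "engineering": 120}

@dataclass
class Client:
    mdid: Optional[int] = None   # mobility domain the cached PMK-R0 belongs to
    vlan: Optional[int] = None   # VLAN assigned at the last full authentication
    log: list = field(default_factory=list)

def full_auth(client, ap, mdid):
    """Full 802.1X/EAP exchange: ClearPass sees the AP group and returns a VLAN."""
    client.vlan = GROUP_VLAN[AP_GROUP[ap]]
    client.mdid = mdid
    client.log.append(f"{ap}: full 802.1X -> VLAN {client.vlan}")
    return client.vlan

def roam(client, ap, mdid):
    """Client arrives at `ap`, which advertises mobility domain `mdid`."""
    if client.mdid == mdid:
        # Same mobility domain: FT roam on cached keys. No RADIUS request is
        # sent, so ClearPass never re-evaluates the AP group; VLAN is kept.
        client.log.append(f"{ap}: FT roam, VLAN {client.vlan} kept")
        return client.vlan
    # Different mobility domain: the cached PMK-R0 is not valid here, so the
    # device runs full 802.1X again and gets this building's VLAN.
    return full_auth(client, ap, mdid)

def walk(mdid_of_ap, path):
    """Move one client along `path`; return the VLAN held at each AP and a log."""
    client = Client()
    vlans = [roam(client, ap, mdid_of_ap[ap]) for ap in path]
    return vlans, client.log

# One campus-wide mobility domain (the thread's symptom): VLAN follows the client.
SINGLE_MDID = {ap: 1 for ap in AP_GROUP}
# One mobility domain per building (the suggested fix): VLAN follows the AP group.
PER_BUILDING_MDID = {"ap-lib-1": 1, "ap-lib-2": 1, "ap-eng-1": 2}

if __name__ == "__main__":
    path = ["ap-lib-1", "ap-lib-2", "ap-eng-1"]
    for name, mapping in (("single", SINGLE_MDID), ("per-building", PER_BUILDING_MDID)):
        vlans, log = walk(mapping, path)
        print(name, vlans, log)
```

Only a roam that crosses a mobility domain boundary produces a new RADIUS request, which is also why session-count policies are not re-evaluated on an FT roam.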



  • 6.  RE: RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION

    Posted 9 days ago

    Hello ! 

    This is new to me regarding the mobility ID. How can I configure this one? Is this on ClearPass or in the controller itself? By the way, we are using a single SSID in the whole university, then we implement dynamic VLAN based on user role and AP Groups under CPPM.




  • 7.  RE: RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION

    Posted 9 days ago

    Did you look at the link I already provided?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------