Please do not change the VLAN when using a captive portal to gain access. Doing so will orphan the client when you change the VLAN because the client device will not attempt another DHCP request.
Assigning a VLAN as part of authentication is valid when using an L2 method like MAC Auth or 802.1X. If you must change the VLAN of a device that has already been granted an IP address, doing so requires forcing a disconnect for that device. Then an L2 authentication process can assign the proper VLAN. Note, Apple devices are not very tolerant of this behavior and will occasionally refuse to automatically reconnect to the network.
------------------------------
Carson Hulcher, ACEX#110
------------------------------
Original Message:
Sent: Nov 14, 2023 08:04 AM
From: Mauzr
Subject: Role/VLAN assignment for Web authenticated users
Hi experts,
I'm testing one scenario for our customer. I have a lab with 1 standalone Controller 7010, 1 AP 515 and ClearPass, and there is 1 SSID with Captive portal authentication, and I need to assign 2 different VLANs for 2 different users. Every user has a different CPPM role ([Guest], [Emploee]) on CPPM Guest and each role has its Enforcement Profile with the Aruba-User-Role attribute:
SSID has Default VLAN 200 and user role Hauser has defined VLAN 201:
User authentication is working well, but both users have the same VLAN on the Controller even if the assigned User Role is Hauser:
Output from CPPM Access Tracker:
Is it possible to change VLAN that way?
Thanks and best regards
Vaclav