Wireless Access

 View Only
last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

Role/VLAN assignment for Web authenticated users

This thread has been viewed 11 times
  • 1.  Role/VLAN assignment for Web authenticated users

    Posted Nov 14, 2023 06:33 PM

    Hi experts,

    I'm testng one scenario for our customer. I have LAB with 1 standalone Controller 7010, 1 AP 515 and ClearPass and here is 1 SSID with Captive portal authentication and I need to assign 2 different VLANs for 2 different users. Every user has different CPPM role ([Guest], [Emploee]) on CPPM Guest and each role has its Enforcement Profile with Aruba-User-Role attruibute:

    SSID has Default VLAN 200 and user role Hauser has defined VLAN 201:

    Users authentication is working well, but both users has same VLAN on the Controller even if the assigned User Role is Hauser:

    Output from CPPM Access Tracker:

    Is it possible to change VLAN that way?

    Thanks and best regards


  • 2.  RE: Role/VLAN assignment for Web authenticated users
    Best Answer

    Posted Nov 16, 2023 09:52 AM

    Please do not change the VLAN when using a captive portal to gain access.  Doing so will orphan the client when you change the VLAN because the client device will not attempt another DHCP request.

    Assigning a VLAN as part of authentication is valid when using an L2 method like MAC Auth or 802.1X.  If you must change the VLAN of a device that has already been granted an IP address requires forcing a disconnect for that device. Then an L2 authentication process can assign the proper VLAN.  Note, Apple devices are not very tolerant of this behavior and will occasionally refuse to automatically reconnect to the network.

    Carson Hulcher, ACEX#110

  • 3.  RE: Role/VLAN assignment for Web authenticated users

    Posted Nov 16, 2023 10:51 PM

    captive portal is a L3 auth method so that means the IP and VLAN is already there before the auth happens.
    when you change VLAN mid connection, the IP won't get changed because from the user's perspective the network still up and won't trigger DHCP.

    in captive portal, you cannot just send radius attribute to change vlan like in dot1x, you also need to bounce the port using CoA so the network would get terminated and trigger the DHCP request.