Wired Intelligent Edge

  • 1.  Tag multiple VLANs by role enforcement in Aruba-CX

    Posted Jun 01, 2025 06:11 PM
     
    Hi Team,
     
    Locally configured role on Aruba-CX switch for InstantAPs. MAC authentication is enabled on the interface that the APs connect to on the switch. Service configured in ClearPass for AP MAC authentication.
     
    port-access role WIFI-MANAGEMENT
        vlan trunk native 110
        vlan trunk allowed 110,112,120,125
    Role enforcement works fine on the switch port [native VLAN untagged, allowed VLANs tagged]. The problem is that when trying to connect devices on WiFi, it doesn't work properly (the AP is not pushing clients to the correct WLAN-mapped VLAN, which is tagged on the port).
    But when the switch port is manually configured, the WiFi works fine. 
    Are there any limitations to dynamic segmentation and user roles for instant APs on Aruba CX-Switches?
    Reg,
    Shamz


  • 2.  RE: Tag multiple VLANs by role enforcement in Aruba-CX

    Posted Jun 01, 2025 06:55 PM

    So which VLAN does the WiFi client get?

    You can compare your configuration against this technote that covers DUR for IAPs:

    Aruba ClearPass Wired Enforcement for CX switches – Part6



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Tag multiple VLANs by role enforcement in Aruba-CX
    Best Answer

    Posted Jun 02, 2025 01:11 AM

    Hello ariyap,  

    Thanks for your response.

    I think my problem is that I missed the below command in the LUR (as you mentioned in Aruba ClearPass Wired Enforcement for CX switches – Part3):

    auth-mode device-mode 

    Let me test and update

    Reg,

    Shamz




  • 4.  RE: Tag multiple VLANs by role enforcement in Aruba-CX

    Posted Jun 02, 2025 03:44 AM

    Hi

    You can try the below and change it as per your VLAN IDs; this works for me.

    VLAN 10 is for PCs and printers
    VLAN 20 is for phones
    VLAN 1002 is for the APs

    _____________________________________________

    port-access lldp-group AP-lldp-group
        seq 20 match sys-desc IAP
        seq 21 match sys-desc AP
    port-access role LLDP-AP
        vlan trunk native 1002
        vlan trunk allowed 10,20,1002
    port-access device-profile AP-lldp-devprofile
        enable
        associate role LLDP-AP
        associate lldp-group AP-lldp-group

    Apply the below to all interfaces:

    interface 1/1/13
        no shutdown
        no routing
        vlan trunk native 10
        vlan trunk allowed 10,20,1002
        qos trust dscp
        loop-protect




  • 5.  RE: Tag multiple VLANs by role enforcement in Aruba-CX

    Posted Jun 11, 2025 01:01 PM

    Hi lw25,

    Thanks for your response and support.

    I added the command auth-mode device-mode under the role on the switch and the issue has been solved.

    Reg,

    Shamz
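
The fix the thread settles on (post 3, confirmed in post 5) is a single line in the local user role: auth-mode device-mode. AOS-CX defaults a role to client-mode, where every MAC address seen behind the port is a separate client that must authenticate; wireless clients bridged through the AP never do, so their tagged frames are dropped even though the role's trunk VLANs are correct. device-mode opens the port for all MACs once the first client (the AP, via MAC auth) has authenticated. The following is an added example, not part of the thread and not Aruba tooling: a small Python linter that parses port-access role stanzas out of a running-config excerpt, flags trunk roles that lack auth-mode device-mode, and renders the corrected stanza. The sample config is constructed for this example (the WIFI-MANAGEMENT role is modelled on the first post, LLDP-AP on post 4 with device-mode added, and PRINTER is an invented access role); the function names are mine.

```python
"""Lint AOS-CX local user roles (LUR) intended for access-point uplinks.

Added example, not Aruba tooling. Parses `port-access role` stanzas from a
running-config excerpt, flags trunk roles without `auth-mode device-mode`,
and renders the corrected stanza.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample. WIFI-MANAGEMENT mirrors the thread's original role
# (tagged WLAN VLANs, no auth-mode). LLDP-AP is the corrected shape.
# PRINTER is an invented access role, present only to show that the
# checker ignores roles that are not trunk roles.
SAMPLE_CONFIG = """\
port-access role WIFI-MANAGEMENT
    vlan trunk native 110
    vlan trunk allowed 110,112,120,125
port-access role PRINTER
    vlan access 10
port-access role LLDP-AP
    auth-mode device-mode
    vlan trunk native 1002
    vlan trunk allowed 10,20,1002
"""


@dataclass
class Role:
    name: str
    mode: Optional[str] = None          # "trunk" or "access"
    native: Optional[int] = None        # native (trunk) or access VLAN
    allowed: List[int] = field(default_factory=list)
    auth_mode: Optional[str] = None     # None means the CX default, client-mode


def expand_vlan_list(spec: str) -> List[int]:
    """Expand a CX VLAN list such as '10,20-22,1002' into [10, 20, 21, 22, 1002]."""
    vlans: List[int] = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.extend(range(lo, hi + 1))
        else:
            vlans.append(int(part))
    return vlans


def parse_port_access_roles(config: str) -> Dict[str, Role]:
    """Return {role name: Role} for every `port-access role` stanza.

    A stanza runs from its header to the next non-indented line. Sub-commands
    that are not modelled here (ACLs, reauth timers, ...) are skipped.
    """
    roles: Dict[str, Role] = {}
    current: Optional[Role] = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        header = re.match(r"^port-access role (\S+)\s*$", raw)
        if header:
            current = Role(name=header.group(1))
            roles[current.name] = current
            continue
        if current is None or not raw[0].isspace():
            current = None                      # left the stanza
            continue
        cmd = raw.strip()
        if m := re.match(r"^vlan trunk native (\d+)$", cmd):
            current.mode, current.native = "trunk", int(m.group(1))
        elif m := re.match(r"^vlan trunk allowed (\S+)$", cmd):
            current.mode, current.allowed = "trunk", expand_vlan_list(m.group(1))
        elif m := re.match(r"^vlan access (\d+)$", cmd):
            current.mode, current.native = "access", int(m.group(1))
        elif m := re.match(r"^auth-mode (client-mode|device-mode|multi-domain)$", cmd):
            current.auth_mode = m.group(1)
    return roles


def check_ap_role(role: Role) -> List[str]:
    """Findings for a role that is meant to be applied to an AP uplink."""
    findings: List[str] = []
    if role.mode != "trunk":
        findings.append("not a trunk role: the AP's WLAN VLANs must be tagged on the port")
    # Default client-mode authenticates each MAC behind the port separately;
    # wireless clients bridged by the AP never authenticate, so they are dropped.
    if role.auth_mode != "device-mode":
        findings.append("missing 'auth-mode device-mode': bridged wireless clients will not pass")
    return findings


def render_ap_role(role: Role) -> str:
    """Render the trunk stanza with `auth-mode device-mode` inserted."""
    if role.mode != "trunk":
        raise ValueError(f"{role.name} is not a trunk role")
    lines = [f"port-access role {role.name}", "    auth-mode device-mode"]
    if role.native is not None:
        lines.append(f"    vlan trunk native {role.native}")
    if role.allowed:
        lines.append("    vlan trunk allowed " + ",".join(map(str, role.allowed)))
    return "\n".join(lines) + "\n"


def audit(config: str) -> Dict[str, List[str]]:
    """Findings per trunk role; access roles are not AP candidates."""
    return {name: check_ap_role(r)
            for name, r in parse_port_access_roles(config).items() if r.mode == "trunk"}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else findings)
    print(render_ap_role(parse_port_access_roles(SAMPLE_CONFIG)["WIFI-MANAGEMENT"]))
```

Running it against the sample reports WIFI-MANAGEMENT as missing device-mode, LLDP-AP as clean, and prints the corrected WIFI-MANAGEMENT stanza. One caveat worth keeping in mind when you apply this: in device-mode the switch admits every MAC seen on the port once the first client has authenticated, so the enforcement is only as strong as the AP's MAC authentication (a MAC address is trivially spoofed). Keep the allowed VLAN list on such roles to exactly the WLAN VLANs the AP needs, and treat those ports as AP-only ports rather than general user ports.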