Security

Having read a lot of posts, I'm still not sure if this is achievable or not.

1 SSID, multiple sites. SSID needs to bridge traffic locally and obtain local DHCP.

When I configure a bridged SSID, it asks for a VLAN number. Some sites its the same number, some different. All are obviously different local subnets. Authentication is all the same. 802.1x via ClearPass/AD integration. 

Is this actually possible? I'm guessing by getting ClearPass to issue the VLAN, but I'm a bit confused how this is setup due to the VMC forcing a VLAN number config when setting to bridged.

Am I looking at this wrong, should there be a different method?

How many of these sites you have will determine your strategy.  Bridged mode SSIDs are discouraged; Aruba Instant is encouraged in situations when you don't want to place a controller at a site, but have all traffic be local.

There are about 14-18 sites.We don't have a choice to use IAPs as the solution is already purchased, so we have to work with that.

So still looking to understand the points on the first post, is it and how is it possible? Many thanks.

If at each site, you will be placing the user on the same VLAN as the access point, you can just use VLAN 1 and that will make the user traffic untagged.

If that is not the case, you will have to come up with a enforcement policy in clearpass returns the aruba-user-VLAN attribute based on what the user authentication sends, like the ap-group, maybe.

I was hoping they were all the same VLAN number, but turns out not the case. So the enforcement policy sounds like my only option.

Some more questions, I'm assuming the client initially gets some kind of central "guest" IP address (from the controller?), before ClearPass (via enforcement) passes back the correct VLAN, then would it re-DHCP into a bridged mode onto a local LAN and pick an IP address off the local server?

I will setup an AP group per site.

I would say that this design is inefficient.  The number of rules that you have to write and maintain just to deploy one AP at a site would make management very challenging.  If each site does not have its own internet and most traffic goes back to the headend/datacenter I would make the SSID tunneled.

To answer your question:

The Virttual AP (WLAN) is typically defined with a VLAN and that can be overridden by the radius attribute that you return from ClearPass, depending on the ap-group.  The client will obtain this VLAN unless you return the aruba-user-vlan attribute overriding it through clearpass.  There is no re-dhcp, because during authentication the user either gets the default vlan or the modified vlan from clearpass.  Again, if this is a small site, and the users will be on the same layer 2 VLAN as the access point, you can just configure the WLAN with VLAN 1 and all of the user traffic will be untagged, by default, avoiding a rule for each site.

OK thanks.

Yes I totally agree its inefficient and not the best way, but the decision has been made by the customer to bridge traffic locally due to the bandwidth usage by client devices to local servers, Rather than hairpin back from the central VMC across the WAN to where it started. Internet is central. I'd much rather tunnel it all back, but unfortunately can't do that.

The APs will drop into a mgmt VLAN, but this SSID will fall into another VLAN where the server and PCs exist, Users roam between sites so has to be the same SSID everwhere, but the local VLAN will differ at some sites, hence looks like we will have to use ClearPass to push out the VLAN.

You can add an "Attribute" with the VLAN ID number to device under Confiiguration > Network > Devices > Attribute tab .... then use this attribute to place the client under the local VLAN. Works for me.

AP