Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive portal - option to choose VLAN

  • 1.  Captive portal - option to choose VLAN

    Posted Aug 15, 2013 05:25 PM

    Hi,

    I'm trying to find a way to enable a user to choose which VLAN they connect to when connecting to 1 single SSID.

    I'm open to suggestions on how to do this, but one way I thought of was to use a Captive Portal page.

    The user connects to the page and then chooses a VLAN from a list.

    I believe that this would require the use of the Change of Authorization functionality on RADIUS, so my main question is,

    with Windows NPS as RADIUS, can we do a Change of Authorization, and what else should we consider to enable this to work?

    Any other suggestions on providing the described access control would also be appreciated.

    Thanks



  • 2.  RE: Captive portal - option to choose VLAN

    Posted Aug 16, 2013 03:32 AM

    Why would you want the user to choose a different VLAN each time he connects?

    This is a contradiction to how the Aruba network access model is made to work.

    Aruba believes in role-based network access. This means that the network access is derived based on the user or client device (or both). This is why you need to put all clients in a role which defines their allowed access in the network.

    This way, a user can access the resources he needs no matter what VLAN the resources exist on.



  • 3.  RE: Captive portal - option to choose VLAN

    Posted Aug 16, 2013 04:29 AM

    This is a manufacturing environment. The devices on each VLAN are not allowed to talk to devices on other VLANs as they are very sensitive to broadcast/multicast traffic.

    The operators of the devices need to access the manufacturing lines that are in all VLANs, and they need to be on the VLAN that the line is on as some applications just use broadcast to find the host.

    Currently, this is done by placing APs near the manufacturing lines with a separate SSID for each line.

    I'd like to have one SSID per plant and use Aruba's functionality to get the user on the right VLAN when they connect.



  • 4.  RE: Captive portal - option to choose VLAN

    Posted Aug 16, 2013 05:31 AM

    You could do this a couple of ways depending on what the customer is prepared to do on the back end.

    1. You could have separate user accounts for each line so the user logs in with the appropriate account and is automatically assigned to the correct VLAN. This could be an 802.1X authentication method. This may involve a lot more user accounts being created on their user DB (Active Directory???) which may not be desirable.

    2. As you stated, you could ask the user on a captive portal page to specify the line they want to work on. This would assign a user-role which would have a specified VLAN assigned to it. The issue with this is that captive portal is an L3 authentication method, meaning the user is already assigned an IP address. You would need to specify a short DHCP lease on the initial VLAN which launches the captive portal, and the user would have to expect a disconnect before the connection became active. This would also rely on some captive portal customisation to get the options available.



  • 5.  RE: Captive portal - option to choose VLAN

    Posted Aug 16, 2013 05:38 AM

    Hi David,

    In regards to option 2 that you described: I thought that using the RADIUS Change of Authorization (CoA) functionality, I could have the user re-authenticate when they selected the VLAN they wished to be placed on in the Captive Portal.

    I have no experience with using CoA so I'm not sure it will work. Do you know of any particular reason that CoA wouldn't work in this scenario?

    Thanks



  • 6.  RE: Captive portal - option to choose VLAN

    Posted Aug 16, 2013 07:31 AM

    RADIUS CoA would not cause the client to request a new IP address, which would be required if they changed VLAN. I think you would still need a short DHCP lease time and the user to request a new IP address once the controller has assigned them the new VLAN.

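The replies above turn on what a RADIUS CoA-Request actually carries: the standard VLAN assignment attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID from RFC 2868/3580) and a Request Authenticator keyed with the shared secret (RFC 5176). The following is an added example, not code from the thread or from Aruba, that builds such a packet with only the Python standard library, parses it back, and checks the authenticator the way a receiving NAS must before acting on it. The identifier, shared secret, username, MAC and VLAN number are constructed sample values. The same builder emits a Disconnect-Request (code 40), which is the packet a server uses to force the client off so that it reassociates; whether that makes the client re-DHCP is, as the reply notes, a client-side matter.

```python
import hashlib
import struct

# RADIUS packet codes (RFC 5176)
CODE_DISCONNECT_REQUEST = 40
CODE_COA_REQUEST = 43

# Attribute types (RFC 2865, RFC 2868)
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # RFC 3580: Tunnel-Medium-Type = IEEE-802


def avp(attr_type, value):
    """Encode one Type/Length/Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: 1 tag byte (0x00-0x1F) followed by a 3-byte value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_string(tag, text):
    """RFC 2868 tagged string; tag=None omits the tag byte entirely."""
    body = text.encode("ascii")
    if tag is None:
        return body
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    return bytes([tag]) + body


def vlan_attributes(vlan, tag=None):
    """The three attributes a NAS expects in order to place a session in a VLAN."""
    return [
        avp(ATTR_TUNNEL_TYPE, tagged_int(tag or 0, TUNNEL_TYPE_VLAN)),
        avp(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag or 0, TUNNEL_MEDIUM_802)),
        avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, tagged_string(tag, str(vlan))),
    ]


def build_request(code, identifier, secret, attributes):
    """Assemble a CoA-Request or Disconnect-Request with its Request Authenticator.

    RFC 5176 reuses the Accounting-Request rule from RFC 2866:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret).
    """
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet, secret):
    """Recompute the authenticator; a NAS must drop packets that fail this."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return expected == received


def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header into {type: [value, ...]}."""
    attrs = {}
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


def decode_vlan(packet):
    """Return the Tunnel-Private-Group-ID string (VLAN id or name), tag stripped.

    RFC 2868: a first byte above 0x1F is part of the string, not a tag.
    """
    values = parse_attributes(packet).get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if not values:
        return None
    raw = values[0]
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    return raw.decode("ascii")


# Constructed sample session: values are illustrative, not from the thread.
SECRET = b"constructed-shared-secret"
SESSION = [avp(ATTR_USER_NAME, b"operator-17"),
           avp(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")]


def coa_move_to_vlan(vlan, identifier=7, secret=SECRET, tag=1):
    return build_request(CODE_COA_REQUEST, identifier, secret,
                         SESSION + vlan_attributes(vlan, tag=tag))


def disconnect_session(identifier=8, secret=SECRET):
    return build_request(CODE_DISCONNECT_REQUEST, identifier, secret, SESSION)


if __name__ == "__main__":
    pkt = coa_move_to_vlan(110)
    print(len(pkt), decode_vlan(pkt), verify_request_authenticator(pkt, SECRET))
```

The builder deliberately exposes the packet code so the two message types share one code path; in a real deployment the NAS-side check in `verify_request_authenticator` is what stops an unauthenticated party on the management network from moving sessions between VLANs, so the shared secret should be long and per-NAS.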


  • 7.  RE: Captive portal - option to choose VLAN

    Posted Sep 24, 2013 03:21 PM

    David,

    Are you versed in CoA and the Captive Portal customization to handle VLAN override tagging from a RADIUS database?

    Alex



  • 8.  RE: Captive portal - option to choose VLAN

    EMPLOYEE
    Posted Aug 16, 2013 08:17 AM

    @lee_d_m wrote:

    This is a manufacturing environment. The devices on each VLAN are not allowed to talk to devices on other VLANs as they are very sensitive to broadcast/multicast traffic.

    The operators of the devices need to access the manufacturing lines that are in all VLANs, and they need to be on the VLAN that the line is on as some applications just use broadcast to find the host.

    Currently, this is done by placing APs near the manufacturing lines with a separate SSID for each line.

    I'd like to have one SSID per plant and use Aruba's functionality to get the user on the right VLAN when they connect.

    Why not use a single SSID that has a preshared key and use the approach here: http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/PSK-MAC-Address-based-VLAN-Steering/ta-p/85212



  • 9.  RE: Captive portal - option to choose VLAN

    Posted Aug 16, 2013 08:22 AM

    Unfortunately I don't think that will work. The devices are mostly laptops and the operator needs to be able to access any of the VLANs.

    What they aren't allowed to do is access VLAN A from VLAN B etc., so when they are working on a machine line device that's on VLAN A, their laptop needs to be connected to VLAN A.

    Thanks



  • 10.  RE: Captive portal - option to choose VLAN

    EMPLOYEE
    Posted Aug 16, 2013 08:24 AM

    So then, you have no choice. You are a prisoner of your network design.