
Captiveportal, roles and vlans

  • 1.  Captiveportal, roles and vlans

    Posted Mar 07, 2019 06:38 AM

    Hi!

     

    I'm trying to set up a solution where the initial role has vlan x and, after the user has authenticated with captive portal (internal via radius), the authenticated role gets vlan y.

     

    show aaa debug vlan user ip x.x.x.x

    VLAN types present for this User
    ================================

    Default VLAN : y
    Initial Role Contained : x

    VLAN Derivation History
    =======================

    VLAN Derivation History Index : 12
    1. VLAN 0 for Reset VLANs for Station up
    2. VLAN y for Default VLAN
    3. VLAN y for Current VLAN updated
    4. VLAN x for Initial Role Contained
    5. VLAN x for Current VLAN updated
    6. VLAN x for VLAN exported
    7. VLAN 0 for Reset VLANs for Station up
    8. VLAN y for Default VLAN
    9. VLAN y for Current VLAN updated
    10. VLAN x for Initial Role Contained
    11. VLAN x for Current VLAN updated
    12. VLAN x for VLAN exported


    Current VLAN : x (Initial Role Contained)

     

     

    But the user seems to keep vlan x all the time. Is this not supported?

     

     

    Not sure I understand this correctly, maybe my solution isn't supported?

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-L2-authentication-based-vlan-derivation-work-Explain/ta-p/177408

     

     



  • 2.  RE: Captiveportal, roles and vlans
    Best Answer

    EMPLOYEE
    Posted Mar 07, 2019 06:45 AM

    Not supported.  Mainly because the client has no way to detect that the VLAN has changed.



  • 3.  RE: Captiveportal, roles and vlans

    Posted Mar 07, 2019 08:44 AM

    Aha, ok. I'm having issues with a pbr-route on the vlan interface of guests. So I figured I could just move them to another vlan temporarily.

     

    CP just won't redirect if I have pbr-route on the guestvlan interface.