Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clarification on 802.1x and vlan enforcement

  • 1.  Clarification on 802.1x and vlan enforcement

    Posted Mar 05, 2018 06:32 PM

    Hi,

    I am struggling here to make it work and I am wondering if you can confirm what I have learned so far:

    - I am on a HPE5406 Zl2 which has software lower than 16.02 (when all the cool stuff was introduced, including CoA etc.)

    - I have ClearPass 6.7 running, configured to authenticate, and this part works.

    - Now I want to assign a VLAN to devices based on which group they are a member of in AD.

    - I have configured an 802.1X service, and I can see the authentication going through correctly per group, the right enforcement policy is triggered, and the right profile is applied based on membership, so that group A gets profile A and group B gets profile B. I can see this clearly in Access Tracker.

    - The problem is that profile A should push VLAN 1 and profile B should push VLAN 2. Despite the fact that in Access Tracker the right profile is shown, no VLAN change is happening.

    Now I think this is because (please confirm):

    - I cannot use the aruba-user-vlan attributes in the profile because that won't work with the software I am running (below 16.02).

    - If I use SNMP to force VLANs, the RADIUS service doesn't work; I cannot have a RADIUS service using SNMP policies.

    - So the only way I can make this work is to use roles (and roles in the switch) instead of enforcements.

    Is it correct?

    Thanks



  • 2.  RE: Clarification on 802.1x and vlan enforcement

    EMPLOYEE
    Posted Mar 05, 2018 06:35 PM
    Did you follow the ClearPass Solution Guide for Wired Policy Enforcement?


  • 3.  RE: Clarification on 802.1x and vlan enforcement

    Posted Mar 05, 2018 06:53 PM

    Yes. Thanks for your quick reply.

    At the very beginning of the document there is a table which basically shows what you can do with 802.1X, and there is no mention of VLAN assignment. Then there is SNMP-based enforcement, which says I can do VLAN assignment, but how do I authenticate users if I don't have an 802.1X service?

    If I create (which I did) the enforcement policies that use SNMP to push VLAN assignment, then these policies do not show up in the enforcement tab, so I cannot choose them if I am in the RADIUS service.

    So basically if I use RADIUS, I cannot use SNMP VLAN assignment, and if I use SNMP to assign VLANs, I cannot authenticate with 802.1X.

    Thanks



  • 4.  RE: Clarification on 802.1x and vlan enforcement
    Best Answer

    EMPLOYEE
    Posted Mar 05, 2018 07:02 PM
    You have to choose either RADIUS-based enforcement (recommended) or SNMP-based enforcement. VLAN can most definitely be assigned via RADIUS using a standard IETF VLAN enforcement or assigning it directly to the user role.
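
    The "standard IETF VLAN enforcement" named in the answer above is the RFC 3580 attribute set that a RADIUS server returns in an Access-Accept: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN ID as a string, all carrying the same tag byte. The following is an added example, not code from this thread, ClearPass or HPE: it maps a (constructed) AD group to a VLAN, encodes the three attributes the way they go on the wire, and parses them back the way a switch would, including the RFC 2868 rule that a leading byte above 0x1F in Tunnel-Private-Group-ID is part of the string rather than a tag. The group names and VLAN numbers are assumptions for illustration only.

    ```python
    """Encode and decode the IETF (RFC 3580) VLAN attributes of a RADIUS Access-Accept.

    Added example, not ClearPass/HPE code. GROUP_TO_VLAN is constructed for illustration.
    """

    # RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLAN assignment
    TUNNEL_TYPE = 64
    TUNNEL_MEDIUM_TYPE = 65
    TUNNEL_PRIVATE_GROUP_ID = 81
    TUNNEL_TYPE_VLAN = 13
    TUNNEL_MEDIUM_IEEE802 = 6
    MAX_TAG = 0x1F  # tag bytes are 0x00..0x1F; anything larger is not a tag

    # Constructed AD-group-to-VLAN mapping (the thread's "group A -> VLAN 1, group B -> VLAN 2")
    GROUP_TO_VLAN = {
        "CN=Group-A,OU=Groups,DC=example,DC=com": 1,
        "CN=Group-B,OU=Groups,DC=example,DC=com": 2,
    }


    def vlan_for_groups(groups, mapping=GROUP_TO_VLAN):
        """Return the VLAN for the first matching group, or None (fall back to the port default)."""
        for group in groups:
            if group in mapping:
                return mapping[group]
        return None


    def _avp(attr_type, body):
        """Wrap a value in a RADIUS AVP header: type, total length, value."""
        if len(body) + 2 > 255:
            raise ValueError("AVP too long")
        return bytes([attr_type, len(body) + 2]) + body


    def encode_tagged_int(attr_type, tag, value):
        """Tagged integer (RFC 2868 sec. 3.1/3.2): one tag byte followed by a 3-byte integer."""
        if not 0 <= tag <= MAX_TAG:
            raise ValueError("tag must be 0x00..0x1F")
        if not 0 <= value < (1 << 24):
            raise ValueError("value must fit in 24 bits")
        return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


    def encode_tagged_string(attr_type, tag, text):
        """Tagged string (RFC 2868 sec. 3.6): one tag byte followed by the string."""
        if not 0 <= tag <= MAX_TAG:
            raise ValueError("tag must be 0x00..0x1F")
        return _avp(attr_type, bytes([tag]) + text.encode("ascii"))


    def build_vlan_avps(vlan_id, tag=1):
        """Build the three RFC 3580 attributes that tell an 802.1X switch which VLAN to apply."""
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN id out of range")
        return b"".join([
            encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
            encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802),
            encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)),
        ])


    def parse_avps(data):
        """Walk a byte string of AVPs, rejecting truncated or malformed headers."""
        avps, i = [], 0
        while i < len(data):
            if len(data) - i < 2:
                raise ValueError("truncated AVP header")
            attr_type, length = data[i], data[i + 1]
            if length < 2 or i + length > len(data):
                raise ValueError("bad AVP length")
            avps.append((attr_type, data[i + 2:i + length]))
            i += length
        return avps


    def extract_vlan(data):
        """Return the VLAN a switch would apply, or None if no tag has a consistent triple.

        Tunnel-Type and Tunnel-Medium-Type must be VLAN/IEEE-802 under the same tag as the
        Tunnel-Private-Group-ID, and the group id must be a numeric VLAN id.
        """
        tunnel_type, medium, group = {}, {}, {}
        for attr_type, value in parse_avps(data):
            if attr_type == TUNNEL_TYPE and len(value) == 4:
                tunnel_type[value[0]] = int.from_bytes(value[1:], "big")
            elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
                medium[value[0]] = int.from_bytes(value[1:], "big")
            elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
                # RFC 2868: a first byte above 0x1F is the start of the string, i.e. untagged
                if value[0] <= MAX_TAG:
                    tag, text = value[0], value[1:]
                else:
                    tag, text = 0, value
                group[tag] = text.decode("ascii", "replace")
        for tag, group_id in group.items():
            if (tunnel_type.get(tag) == TUNNEL_TYPE_VLAN
                    and medium.get(tag) == TUNNEL_MEDIUM_IEEE802
                    and group_id.isdigit()):
                return int(group_id)
        return None


    if __name__ == "__main__":
        vlan = vlan_for_groups(["CN=Group-B,OU=Groups,DC=example,DC=com"])
        wire = build_vlan_avps(vlan)
        print(wire.hex(), "->", extract_vlan(wire))
    ```

    The decoder deliberately requires all three attributes under one tag: an Access-Accept that carries only Tunnel-Private-Group-ID, or a Tunnel-Type other than VLAN, yields None, which is the same outcome as the thread's symptom of an accepted session with no VLAN change, so checking the returned attributes in Access Tracker against this triple is the first thing to verify.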


  • 5.  RE: Clarification on 802.1x and vlan enforcement

    Posted Mar 05, 2018 10:17 PM

    Thanks heaps, using IETF on the switch worked.