Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass CoA client not getting new VLAN IP address

  • 1.  ClearPass CoA client not getting new VLAN IP address

    Posted Aug 24, 2020 03:32 PM

    I am building a guest network with ClearPass captive portal for authentication.  We are using the login page of the captive portal to allow AD users to connect their personal devices to the guest network.  We are sending them into different VLANs based on their AD group membership.  

     

    In the enforcement profile, I am sending a CoA along with the new VLAN that the client should be placed into.  We see ClearPass sending the correct information to the Aruba controller along with the CoA.  The logs on the controller show the VLAN derivation it received from CPPM but the client does not reflect the correct IP address of the new VLAN.  

     

    It's not until we disconnect and reconnect the client that it will get the IP address of the new VLAN.  Should we be sending a different Enforcement profile other than the Aruba Termination session and the Aruba User VLAN to get the user into the new VLAN?



  • 2.  RE: ClearPass CoA client not getting new VLAN IP address

    MVP GURU
    Posted Aug 24, 2020 03:54 PM

    In the CoA that gets sent back, do you have the [ArubaOS Wireless - Terminate Session] being sent to bounce the connection?

     

     



  • 3.  RE: ClearPass CoA client not getting new VLAN IP address

    Posted Aug 24, 2020 04:26 PM

    Yes we are using the Aruba Wireless Terminate session.  The client does not get an IP address in the new VLAN unless we manually disconnect and reconnect the client.



  • 4.  RE: ClearPass CoA client not getting new VLAN IP address

    Posted Aug 24, 2020 04:31 PM
    It is not recommended to change the VLAN when doing captive portal authentication.

    Even when sending a CoA, the client won’t detect the change.

    What you should do is use the same VLAN pre and post authentication and use the controller firewall built-in capabilities to determine the type of access the user gets.


  • 5.  RE: ClearPass CoA client not getting new VLAN IP address

    EMPLOYEE
    Posted Aug 24, 2020 10:13 PM

    @lvbeachlife wrote:

    I am building a guest network with ClearPass captive portal for authentication.  We are using the login page of the captive portal to allow AD users to connect their personal devices to the guest network.  We are sending them into different VLANs based on their AD group membership.  

     

    In the enforcement profile, I am sending a CoA along with the new VLAN that the client should be placed into.  We see ClearPass sending the correct information to the Aruba controller along with the CoA.  The logs on the controller show the VLAN derivation it received from CPPM but the client does not reflect the correct IP address of the new VLAN.  

     

    It's not until we disconnect and reconnect the client that it will get the IP address of the new VLAN.  Should we be sending a different Enforcement profile other than the Aruba Termination session and the Aruba User VLAN to get the user into the new VLAN?


    To be clear, a Captive Portal wireless network (one without encryption) should not be used to authenticate employee credentials because it is not secure.  It is much easier to assign employee VLANs using a WPA2/3 enterprise encrypted network and ClearPass, because VLAN assignment takes place after authentication in an 802.1X network.