Security

Occasional Contributor II

ClearPass CoA client not getting new VLAN IP address

I am building a guest network with ClearPass captive portal for authentication. We are using the login page of the captive portal to allow AD users to connect their personal devices to the guest network. We are sending them into different VLANs based on their AD group membership.

In the enforcement profile, I am sending a CoA along with the new VLAN that the client should be placed into. We see ClearPass sending the correct information to the Aruba controller along with the CoA. The logs on the controller show the VLAN derivation it received from CPPM but the client does not reflect the correct IP address of the new VLAN.

It's not until we disconnect and reconnect the client that it will get the IP address of the new VLAN. Should we be sending a different Enforcement profile other than the Aruba Termination session and the Aruba User VLAN to get the user into the new VLAN?

Super Contributor II

Re: ClearPass CoA client not getting new VLAN IP address

In the CoA that gets sent back, do you have the [ArubaOS Wireless - Terminate Session] being sent to bounce the connection?

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSP | ACDA | ACEP | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
Occasional Contributor II

Re: ClearPass CoA client not getting new VLAN IP address

Yes, we are using the Aruba Wireless Terminate session. The client does not get an IP address in the new VLAN unless we manually disconnect and reconnect the client.

MVP Expert

Re: ClearPass CoA client not getting new VLAN IP address

It is not recommended to change the VLAN when doing captive portal authentication.

Even when sending a CoA, the client won't detect the change.

What you should do is use the same VLAN pre and post authentication and use the controller firewall built-in capabilities to determine the type of access the user gets.
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: ClearPass CoA client not getting new VLAN IP address


@lvbeachlife wrote:

I am building a guest network with ClearPass captive portal for authentication. We are using the login page of the captive portal to allow AD users to connect their personal devices to the guest network. We are sending them into different VLANs based on their AD group membership.

In the enforcement profile, I am sending a CoA along with the new VLAN that the client should be placed into. We see ClearPass sending the correct information to the Aruba controller along with the CoA. The logs on the controller show the VLAN derivation it received from CPPM but the client does not reflect the correct IP address of the new VLAN.

It's not until we disconnect and reconnect the client that it will get the IP address of the new VLAN. Should we be sending a different Enforcement profile other than the Aruba Termination session and the Aruba User VLAN to get the user into the new VLAN?


To be clear, a Captive Portal wireless network (one without encryption) should not be used to authenticate employee credentials because it is not secure. It is much easier to assign employee VLANs using a WPA2/3 enterprise encrypted network and ClearPass, because VLAN assignment takes place after authentication in an 802.1X network.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*