Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest not map to correct Vlan

  • 1.  ClearPass Guest not map to correct Vlan

    Posted Aug 21, 2015 11:21 PM

    My configurations:

    1. The guest logs on to an open network with a temporary VLAN and is captive-portaled by ClearPass Guest.
    2. A ClearPass Guest account is created and assigned one of these three roles: [Employee], [Guest], and [Contractor].
    3. In the controller, three roles were created (Employee, Guest, and Contractor), designed to map correctly to the role in the ClearPass Guest account.
    4. In the controller, three VLANs were also created, one per guest role.

    Everything is working correctly as designed: the guest is authenticated and mapped to the correct role in the controller. However, the guest VLAN is not mapped; the guest stays in the same VLAN he was first connected to.

    My settings at the controller:

    • Server-group includes Role/VLAN derivation rules for the attributes “Aruba-User-Vlan” and “Aruba-User-Role”
    • RFC-3576 server was configured and included in the AAA profile

    My settings at CPPM:

    • Two services:
    1. Application service to captive portal guest and check guest user from ClearPass Guest
    2. Radius service to map guest to Enforcement profile
    • The enforcement profile for each role includes two attributes to send back to the controller: “Aruba-User-Vlan” and “Aruba-User-Role”.  The Aruba-User-Role is OK, but Aruba-User-Vlan is not.
    • RADIUS CoA was enabled.

    Am I missing anything?

    Thanks,




  • 2.  RE: ClearPass Guest not map to correct Vlan

    EMPLOYEE
    Posted Aug 21, 2015 11:24 PM

    Are you using Captive Portal for authentication?




  • 3.  RE: ClearPass Guest not map to correct Vlan

    Posted Aug 21, 2015 11:29 PM

    Colin,

    Yes, yes I use ClearPass Guest Captive Portal for authentication.

    Thanks for quick response.



  • 4.  RE: ClearPass Guest not map to correct Vlan

    EMPLOYEE
    Posted Aug 21, 2015 11:32 PM
    Well, the only way that a guest will change VLANs is if the Wi-Fi link goes down and up, or their DHCP lease expires and they renew with a different address.


  • 5.  RE: ClearPass Guest not map to correct Vlan

    EMPLOYEE
    Posted Aug 21, 2015 11:26 PM
    Some clients will not re-DHCP when the VLAN is changed out from under them.


    Thanks,
    Tim


  • 6.  RE: ClearPass Guest not map to correct Vlan

    EMPLOYEE
    Posted Aug 22, 2015 08:47 AM

    Just going to throw my experience in the ring. Most importantly, your mileage may vary.

    A partner and I labbed this up and tested it, where it worked with Windows, OSX, Android, and iOS. Below I have modified the instructions for 6.5 MAC Caching Service. Please re-create your guest services from scratch in 6.5 using the Start Here option and selecting Guest Authentication with MAC Caching. Then make the following modifications:


    1. The result of ALL Successful logins on the RADIUS service is Aruba-Terminate-Session, instead of a RADIUS Accept or an Aruba-User-Role. Leave all other enforcement profiles, as we will need the Endpoint:MAC-Auth Expiry in order for MAC Caching to work.
    2. Aruba-User-Role is passed back as part of the MAC Caching service. Make sure the Aruba-User-Role that is being passed back matches exactly the User Roles on your Aruba Controller, and you have configured the appropriate VLAN on the controller for that role. You will need to modify the enforcement in order to pass back the Aruba-User-Role instead of the Allow Access Profile and break out different Aruba-User-Role enforcement profiles for each guest type.

    There may be some operating systems that get stuck to their IP address and won't re-DHCP; I know Windows 7 wired VLAN changes don't work without a port bounce. Give this a try and let us know your results. Most users will disable and re-enable their wireless if they cannot get to the internet, at which point they will be on the correct VLAN if the Aruba-Terminate-Session didn't get their device to release its DHCP address.



  • 7.  RE: ClearPass Guest not map to correct Vlan

    EMPLOYEE
    Posted Aug 22, 2015 11:06 AM

    Another thing that has worked in the past is to give the initial guest VLAN's DHCP server very short leases, like 30 seconds or less.  According to the standard, if the DHCP lease is 30 seconds, the client will try to re-DHCP on the initial VLAN every 15 seconds, so when you switch the VLAN, the client will pick it up when it re-DHCPs.



  • 8.  RE: ClearPass Guest not map to correct Vlan

    Posted Aug 22, 2015 05:58 PM
    According to the standard, if the DHCP lease is 30 seconds, the client will try to re-dhcp on the initial VLAN every 15 seconds, so when you switch the VLAN, the client will pick it up when IT re-dhcps

    Colin,

    I tried a DHCP lease of 1 minute, the shortest time that Windows Server DHCP can do.  The lease expiration changes, but the client gets the same IP address every minute.  The client has not jumped to the designated VLAN.



  • 9.  RE: ClearPass Guest not map to correct Vlan

    EMPLOYEE
    Posted Aug 22, 2015 06:38 PM

    The controller's internal database can do seconds, FYI.

    When you type "show user-table verbose", can you see that the user has switched VLANs?  The current VLAN is in parentheses.  If not, you have to check to make sure that the Aruba-User-Vlan attribute is being sent back correctly.
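    The two places this thread keeps coming back to are the enforcement profile in the original post (an Access-Accept carrying both Aruba-User-Vlan and Aruba-User-Role) and the check in the reply above (confirm the Aruba-User-Vlan attribute is actually being sent back). The following is an added example, not code from this thread or from HPE Aruba: it encodes and decodes the two Aruba vendor-specific attributes as they appear on the wire (RFC 2865 type 26, vendor-id 14823, vendor-type 1 for Aruba-User-Role and 2 for Aruba-User-Vlan, taken from the publicly distributed Aruba RADIUS dictionary) and reports what a controller-side check should expect to find. Only the attribute list is built, not a full RADIUS packet with code, id, length and authenticator; the role names and VLAN ids are the ones from this thread, and the sample attribute blob is constructed here.

```python
import struct

# Values from the public Aruba RADIUS dictionary (assumption: dictionary.aruba as shipped with FreeRADIUS).
ARUBA_VENDOR_ID = 14823      # IANA enterprise number for Aruba
ARUBA_USER_ROLE = 1          # Aruba-User-Role, string
ARUBA_USER_VLAN = 2          # Aruba-User-Vlan, integer
RADIUS_VSA_TYPE = 26         # RFC 2865 Vendor-Specific attribute
RADIUS_SESSION_TIMEOUT = 27  # RFC 2865 Session-Timeout, used here only as a non-Aruba attribute to skip

# Roles the original poster created on the controller; the Aruba-User-Role string must match exactly.
CONTROLLER_ROLES = {"Employee", "Guest", "Contractor"}


def aruba_vsa(vendor_type, value):
    """Encode one Aruba VSA as an RFC 2865 type-26 attribute: type, len, vendor-id, vendor-type, vendor-len, value."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode("utf-8")
    inner = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", ARUBA_VENDOR_ID) + inner
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def build_accept_attributes(role, vlan=None):
    """Attribute list an enforcement profile would put in the Access-Accept: role always, VLAN optionally."""
    attrs = aruba_vsa(ARUBA_USER_ROLE, role)
    if vlan is not None:
        attrs += aruba_vsa(ARUBA_USER_VLAN, vlan)
    return attrs


def decode_aruba_vsas(attrs):
    """Walk a RADIUS attribute list and return {name: value} for the Aruba VSAs present; other attributes are skipped."""
    found = {}
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        if atype == RADIUS_VSA_TYPE and alen >= 6:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == ARUBA_VENDOR_ID:
                j, end = i + 6, i + alen
                while j + 2 <= end:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("malformed Aruba VSA at offset %d" % j)
                    val = attrs[j + 2:j + vlen]
                    if vtype == ARUBA_USER_ROLE:
                        found["Aruba-User-Role"] = val.decode("utf-8", "replace")
                    elif vtype == ARUBA_USER_VLAN:
                        if len(val) != 4:
                            raise ValueError("Aruba-User-Vlan must be a 4-byte integer")
                        found["Aruba-User-Vlan"] = struct.unpack("!I", val)[0]
                    j += vlen
        i += alen
    return found


def check_accept(attrs, controller_roles):
    """Return a list of problems a controller-side check would flag; empty list means the Accept looks right."""
    found = decode_aruba_vsas(attrs)
    problems = []
    role = found.get("Aruba-User-Role")
    if role is None:
        problems.append("Aruba-User-Role missing")
    elif role not in controller_roles:
        problems.append("Aruba-User-Role %r has no exact match among controller roles" % role)
    if "Aruba-User-Vlan" not in found:
        problems.append("Aruba-User-Vlan missing: the VLAN must then come from the role's VLAN on the controller")
    return problems


# Constructed sample: a Session-Timeout of 3600 s followed by the Contractor profile with VLAN 40.
SAMPLE_ACCEPT = struct.pack("!BBI", RADIUS_SESSION_TIMEOUT, 6, 3600) + build_accept_attributes("Contractor", 40)

if __name__ == "__main__":
    print(decode_aruba_vsas(SAMPLE_ACCEPT))
    print(check_accept(build_accept_attributes("Guest", 30), CONTROLLER_ROLES))
    print(check_accept(build_accept_attributes("guest"), CONTROLLER_ROLES))
```

    Feed `decode_aruba_vsas` the attribute bytes from a packet capture of the Access-Accept (or CoA) and compare the result with what "show user-table verbose" reports: a role that decodes correctly but no Aruba-User-Vlan entry is the symptom the original post describes, and a role string that differs even by case from the controller's role name fails the exact-match rule the reply about MAC caching insists on.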



  • 10.  RE: ClearPass Guest not map to correct Vlan

    Posted Aug 27, 2015 08:30 PM

    It is the DHCP issue.  It seems like the host does not want to release and move to the new network.  Fortunately, I can use just one VLAN with firewall rules to control hosts.

    Kudos to Colin for much good advice.

    Thanks,



  • 11.  RE: ClearPass Guest not map to correct Vlan

    Posted Aug 22, 2015 05:53 PM

    Zach,
    Thanks for the detailed and interesting explanation. I excerpt #2 from your suggestion: it looks like in your design the service does not need to pass back “Aruba-User-Vlan” to the controller. Somehow you can match a role to a VLAN at the controller.
    Aruba-User-Role is passed back as part of the MAC Caching service.
    Make sure the Aruba-User-Role that is being passed back matches exactly the User Roles on your Aruba Controller (Yes, this part is working)
    You have configured the appropriate VLAN on the controller for that role. (Yes, I have three VLANs for three roles Employee, Guest, and Contractor. How can I connect them?)
    You will need to modify the enforcement in order to pass back the Aruba-User-Role instead of the Allow Access Profile (Yes, the Aruba-User-Role from CPPM passes back to controller and user gets that role)
    Break out different Aruba-User-Role enforcement profiles for each guest type (Yes, done)