Guru Elite

Re: ClearPass Machine and User Auth VLAN Query

The question is, why are you returning a VLAN? Just return an accept, and both the user and computer will be in the VLAN under the Virtual AP profile. Returning a different VLAN for user and computer authentication will break connectivity and is not needed in the majority of situations. Wired computers do not put the computer and user in different vlans and they work just fine. You should follow that model.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor I

Re: ClearPass Machine and User Auth VLAN Query


@cjoseph wrote:
Wired computers do not put the computer and user in different vlans and they work just fine. You should follow that model.


This was something I brought up, but they insisted on doing it anyway.

 

TAC came up with a complete hack by writing a heap of 'post authentication' policies which was very messy. My client has decided that it was too hard to maintain long term. It worked, but when running a continuous ping to the IP address as it changed from computer auth to user auth on the SSID, connectivity dropped for about 6 seconds every time, which negates their requirement.

 

Thanks for the responses.

Contributor I

Re: ClearPass Machine and User Auth VLAN Query


@cjoseph wrote:
The question is, why are you returning a VLAN? Just return an accept, and both the user and computer will be in the VLAN under the Virtual AP profile.

I tried returning an 'accept' profile with no VLAN. But the VLAN set in the VAP profile had nothing to do with the dynamic VLAN that the computer had been put into.

 
