Occasional Contributor II

Dynamic VLAN assignment with a single enforcement profile

I would like to dynamically assign a VLAN to a port without having an enforcement profile by using a variable for assigning the VLAN.

My question is which variable I could/should use for that?

Is this possible via assigning a user role? If not, is there any other way I could assign a value to a variable during the authentication process and use that value for the vlan assignment?

Guru Elite

Re: Dynamic VLAN assignment with a single enforcement profile

Occasional Contributor II

Re: Dynamic VLAN assignment with a single enforcement profile

Hi cjoseph,

Thanks for the link. That is actually the link that I found before, which led me to think this might be possible.
However, in that link the VLAN is preconfigured on the device, a switch.

I want to use this for users though, so if a user is authenticated, the process would "somehow" pass the VLAN ID value to the enforcement profile via a variable. How I could achieve this "somehow" is unclear to me, though.

Guru Elite

Re: Dynamic VLAN assignment with a single enforcement profile

What exactly is your situation? I don't want to send you a lot of information without knowing your problem.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Occasional Contributor II

Re: Dynamic VLAN assignment with a single enforcement profile

Maybe I explained it in too complicated a way, sorry.

I want to authenticate users via dot1x and MAB and assign the correct VLAN, a basic use case.

However, I would like to avoid creating an enforcement profile for every single VLAN I would assign. I would much rather use a "Dynamic VLAN assignment" enforcement profile, which would use a variable as the VLAN that I could somehow assign during the authentication process.

Guru Elite

Re: Dynamic VLAN assignment with a single enforcement profile

Got it.

What would determine the VLAN, then, the user group membership in AD?


Occasional Contributor II

Re: Dynamic VLAN assignment with a single enforcement profile

That depends on various things; it could be a certain field in the certificate, the hostname, the AD user group or the MAC address. I would still need to "manually" assign the VLAN name/ID, but this way I could get by with a single enforcement profile and not have so much clutter...

Using many enforcement profiles would work, but doing it with a variable that gets assigned during the process is much cooler with a single enforcement profile.

Occasional Contributor II

Re: Dynamic VLAN assignment with a single enforcement profile

@cjoseph, is there a way to do this, or do I have to stay with one enforcement profile per VLAN?

Thanks

Guru Elite

Re: Dynamic VLAN assignment with a single enforcement profile

I would need a detailed example to answer that.  The regular if/then for roles and enforcement policies allows you to assign a VLAN.  If you combine that with the namespaces in the link that I sent before, you can set VLANs based on the switch/device that the user is connected to.


Occasional Contributor II

Re: Dynamic VLAN assignment with a single enforcement profile

Example (location/switch independent!):

Laptop1 with company computer certificate XYZ connects and needs to go into VLAN 100.

Laptop2 with company computer certificate XYZ and hostname starting with ABC needs to go into VLAN 101.

Laptop3 with company computer certificate ZZZ connects and needs to go into VLAN 102.

Laptop4 without certificate but in local MAB database connects and needs to go into VLAN 99.

etc.

Now, is this possible with a single enforcement profile by assigning some kind of variable during the process that the enforcement profile can use?
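The mapping in the example above, modelled as an added example that is not part of the original thread and is not ClearPass configuration: an ordered first-match rule list resolves one VLAN value, and a single template turns it into the standard RFC 3580 RADIUS tunnel attributes. `Session`, `RULES`, `MAB_DB`, `resolve_vlan` and `enforce` are hypothetical names, and the MAC address and hostnames are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Attributes known after authentication (constructed model, not ClearPass fields)."""
    method: str                      # "dot1x" or "mab"
    cert_id: Optional[str] = None    # stands in for the post's "certificate XYZ/ZZZ"
    hostname: str = ""
    mac: str = ""


MAB_DB = {"00:11:22:33:44:55"}       # constructed sample entry for "Laptop4"

# Ordered rules, first match wins. The more specific XYZ + hostname rule must
# come before the plain XYZ rule, otherwise Laptop2 would land in VLAN 100.
RULES = [
    (lambda s: s.method == "dot1x" and s.cert_id == "XYZ"
               and s.hostname.startswith("ABC"), 101),
    (lambda s: s.method == "dot1x" and s.cert_id == "XYZ", 100),
    (lambda s: s.method == "dot1x" and s.cert_id == "ZZZ", 102),
    (lambda s: s.method == "mab" and s.mac.lower() in MAB_DB, 99),
]


def resolve_vlan(s: Session) -> Optional[int]:
    """Return the VLAN ID for the session, or None when no rule matches."""
    for predicate, vlan in RULES:
        if predicate(s):
            return vlan
    return None


def enforce(s: Session) -> dict:
    """The single 'profile': one template, with the VLAN filled in from the resolved value."""
    vlan = resolve_vlan(s)
    if vlan is None:
        return {"result": "Access-Reject"}       # fail closed, no default VLAN
    return {
        "result": "Access-Accept",
        "Tunnel-Type": 13,                       # VLAN (RFC 3580)
        "Tunnel-Medium-Type": 6,                 # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan),    # the only per-session value
    }
```

Swapping the first two rules makes Laptop2 resolve to VLAN 100, which is why rule order has to be reviewed whenever a broader match is added.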
