
Guest wireless with CoA to put user in different VLAN

  • 1.  Guest wireless with CoA to put user in different VLAN

    Posted Feb 15, 2019 08:12 AM

    Currently I have a setup where a user can register through the CPPM captive portal; once completed, they are connected to our production network. The Aruba IAPs are able to identify the role these users were given, and ACLs on the IAPs block them from accessing any RFC1918 addresses, allowing them access only to the internet. A requirement has developed that will now require me to put these guest users into their own VLAN entirely. Is there a document out there that details how I get this done? I imagine it is a CoA changing the VLAN the user is in; I just have no clue where to begin.



  • 2.  RE: Guest wireless with CoA to put user in different VLAN
    Best Answer

    EMPLOYEE
    Posted Feb 15, 2019 08:34 AM

    RADIUS CoA is used to change the role/VLAN of, or disconnect, users who are connected to the network already. If your requirement is to place the new Guest users in their own VLAN, we can send the request in the enforcement profile.

     

     



  • 3.  RE: Guest wireless with CoA to put user in different VLAN

    Posted Feb 15, 2019 08:37 AM

    Oh, that's good to know. Are there any guides that might detail how to do that?



  • 4.  RE: Guest wireless with CoA to put user in different VLAN

    EMPLOYEE
    Posted Feb 15, 2019 08:45 AM

    This link provides all the CPPM-Tech note guides.

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx

     

    Check for the Guest Technote guide in the list of available CPPM-Tech guides.



  • 5.  RE: Guest wireless with CoA to put user in different VLAN

    EMPLOYEE
    Posted Feb 15, 2019 11:30 AM
    If you’re changing VLANs, you need to use a Disconnect, not a CoA.


  • 6.  RE: Guest wireless with CoA to put user in different VLAN

    Posted Feb 15, 2019 11:34 AM

    I noticed in the IAP when configuring the Guest Wireless SSID I can configure a VLAN to pass.  Couldn't I just do that since only guest users would be connecting to that?



  • 7.  RE: Guest wireless with CoA to put user in different VLAN

    Posted Aug 07, 2021 06:16 PM
    I needed to change the VLAN for guests too, but I couldn't with Disconnect, CoA termination session, or bounce port. In fact, it worked for mobile devices, but not for Windows. I found an alternative.
    In the MC/MD controller environment I created a bogus VLAN, and this VLAN does not have DHCP or an IP on the interface. I left it on the Guest SSID service. I created rules under "User Rules", which is in:
    Configuration > Authentication > User Rules
    After this:
    Configuration > Authentication > AAA Profiles > profile of your guest > "User derivation rules:"

    The rule is to change the VLAN; in my case it's based on "location" = AP name.
    The VLAN delivered by the "User Rules" rule has an IP on the interface and DHCP for the user, so that the guest page can be shown.

    With that, the VLAN change happens before authentication and the user stays in it until the end.

    ------------------------------
    Herbert Ferreira
    ------------------------------