Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius assigned VLAN on AP-93H wired ports

  • 1.  Radius assigned VLAN on AP-93H wired ports

    Posted Jul 11, 2012 05:07 PM

    Wondering if this is even possible. I have RADIUS assign the user to a VLAN based on username for our WLAN profile.

    I'm looking to do something similar with the wired ports that are user accessible on the AP-93H by having the controller pass the MAC address of the computer plugged into the port to the RADIUS server for MAC-based authentication and VLAN assignment.

    I have MAC-based authentication in use on all of our Procurve switches using RFC 3580, so I'm looking to do something similar in order to keep our current network registration system working as it is.



  • 2.  RE: Radius assigned VLAN on AP-93H wired ports

    EMPLOYEE
    Posted Jul 12, 2012 06:14 AM

    You can do this with a Server Derivation Rule in the Server Group that is authenticating that wired VLAN: the rule looks for the username Robert and sets the client to VLAN 10 as a result.

    I hope this helps.

    [Attachment: userrule.png]



  • 3.  RE: Radius assigned VLAN on AP-93H wired ports

    Posted Jul 12, 2012 08:47 AM

    That is essentially what I have, and my RADIUS server shows that it's getting authentication attempts now. Does it matter what settings I have on this screen? I'm mostly wondering if it needs to be access mode or trunk mode, tunnel or bridge, or does that matter?



  • 4.  RE: Radius assigned VLAN on AP-93H wired ports

    EMPLOYEE
    Posted Jul 12, 2012 08:49 AM

    Where are those VLANs located? Are they trunked to your controller? If yes, it should be tunneled.



  • 5.  RE: Radius assigned VLAN on AP-93H wired ports

    Posted Jul 12, 2012 08:50 AM

    The VLANs are trunked at the controller as well as at the access point. I don't tunnel the wireless traffic; it all gets bridged.



  • 6.  RE: Radius assigned VLAN on AP-93H wired ports

    EMPLOYEE
    Posted Jul 12, 2012 10:31 AM

    Quite frankly, you should do one or the other. The controller side is much easier. If that is the case, the forwarding mode must be tunneled. If you want to put it out the AP's Ethernet port, it should be bridged.



  • 7.  RE: Radius assigned VLAN on AP-93H wired ports

    Posted Jul 12, 2012 10:32 AM

    Figured it out.

    Under the Wired AP Profile:

    • The forward mode must be set to Tunnel
    • The switchport mode must be set to access
    • In the event that the RADIUS server doesn't recognize the MAC address, I set the default access mode VLAN to our registration VLAN

    Under the MAC Authentication Server Group, only the server needs to be specified, as the RADIUS server is returning Tunnel-Private-Group-Id already, and that overrides any server rules you may have set, it appears.

    New issue: it looks like the controller is caching the MAC auth, so after a user registers their computer with our network access system and reboots or unplugs their network cable and plugs it back in, the Aruba controller doesn't re-authenticate the computer.
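As an added example (not from this thread, Aruba or any RADIUS product), here is a Python encoder and decoder for the RFC 2868 tunnel attributes that RFC 3580 uses for VLAN assignment, the same Tunnel-Private-Group-Id the poster's server returns. The decoder only accepts a VLAN when Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id form one consistent, identically tagged triple with an in-range ID, and returns None otherwise so a default VLAN (like the registration VLAN above) applies; attribute numbers and values come from the RFCs, the byte strings are constructed for the example.

```python
# RFC 2868 attribute numbers and the RFC 3580 values used for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def encode_vlan_attrs(vlan_id, tag=1):
    """Build the three VLAN-assignment attributes as raw RADIUS AVPs."""
    # Tagged integer attributes: 1 tag byte followed by a 3-byte integer.
    ttype = bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    tmed = bytes([tag]) + MEDIUM_IEEE_802.to_bytes(3, "big")
    # Tunnel-Private-Group-Id: tag byte followed by the VLAN id as a string.
    tpgid = bytes([tag]) + str(vlan_id).encode()
    out = b""
    for atype, val in ((TUNNEL_TYPE, ttype), (TUNNEL_MEDIUM_TYPE, tmed),
                       (TUNNEL_PRIVATE_GROUP_ID, tpgid)):
        out += bytes([atype, 2 + len(val)]) + val  # type, length, value
    return out


def parse_attrs(data):
    """Split a RADIUS attribute blob into (type, value) pairs, checking lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def assigned_vlan(data):
    """VLAN id carried by a complete RFC 3580 triple, else None (the NAS then
    keeps the port's default VLAN instead of trusting a partial assignment)."""
    by_tag = {}
    for atype, val in parse_attrs(data):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not val:
            continue
        # RFC 2868: a leading byte <= 0x1F is a tag; anything larger is data.
        tag, body = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
        entry = by_tag.setdefault(tag, {})
        entry[atype] = (body.decode("ascii", "replace") if atype == TUNNEL_PRIVATE_GROUP_ID
                        else int.from_bytes(body, "big"))
    for entry in by_tag.values():  # all three attributes must share one tag
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and entry.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            vid = int(entry[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vid <= 4094:
                return vid
    return None
```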