Security

We have Clearpass Guest and am trying to force clerapass to change the VLAN once the User is Authenticated (same SSID).  I can see that in the Output the New VLAN ID is passed back but doesn't seem to make a difference and the IP address is not changed.

Is this possible?  Ifo so, what am I doing wrong?

Hey,

I could be wrong about this, but I don't think the change of VLAN's will work without a client first diconnecting then reconnecting.

For our Onboard we are using two different SSID's and we are able to move users between VLAN's (from provisioning VLAN to BYOD VLAN) without an issue. But in this situation the client gets disconnected then is reconnected.

Is there any specific reason you don't want to leave your Guests in the same VLAN?

You can leave them in the same VLAN but just have two different roles, an unauthorized role and an authorized role.

You would need to add an enforcement policy with a RADIUS Change of Authorization which will disconnect them allowing them to reconnect in the new VLAN assigned in the policy.

does CoA work with software version below 16.02 on an Aruba 5402zl2? if not, what alternative do i have , roles?

thanks

802.1x wired with an HPE 5402ZL2, dynamic vlan assigment based on user group in AD.

802.1x works, it gets the right policy based on user, but when the profile tries to assign the vlan nothing happens, the user sits on the vlan currently assigned on the switch.

I am trying to figure out how to dynamically assign vlan from Clearpass.

thanks