Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

VLAN assignment based on AD

  • 1.  VLAN assignment based on AD

    Posted Oct 14, 2015 09:42 PM

    Hi,

    Recently moved to Aruba (previously with Cisco/Meraki/Extreme)... anyway.

    This is the goal I am trying to achieve:

    - I am with my laptop and I see a Guest SSID
    - I connect to the Guest SSID, which is open and redirects me to a captive portal
    - The captive portal is configured to authenticate me towards my AD, which acts as RADIUS (NPS)
    - The captive portal authenticates me and I get assigned to another VLAN as configured, on another subnet

    Now all this is OK; there is only one problem. Once I am in the guest SSID I get an IP that allows me to get to the captive portal, right? Then I authenticate and something on the network happens to the point that my packets then get tagged. Obviously the new VLAN MUST BE on another subnet. I don't believe that my laptop is aware of the change, as from its perspective it is still connected to the same Guest SSID, so IT IS NOT GOING TO request another address from the DHCP server. As a result, I authenticate and then I have no network connection. Obviously I cannot access my guests (there are plenty...) to refresh the IP...

    Can you clarify?

    Thanks

    localhost



  • 2.  RE: VLAN assignment based on AD
    Best Answer

    EMPLOYEE
    Posted Oct 14, 2015 09:45 PM
    VLAN changes for an L3 authentication are not reliable.

    Why not use 802.1X if you already have a RADIUS server configured?

    Thanks,
    Tim


  • 3.  RE: VLAN assignment based on AD

    Posted Oct 14, 2015 10:31 PM

    Thanks for the quick answer.

    So basically you are saying that the SSID authentication will be based on 802.1X, so this way I get access to the network and am placed in the right VLAN after authentication; that should fix the DHCP issue...

    So:

    - I have an SSID which has 802.1X based authentication
    - I bring my laptop, connect to the SSID, which immediately will request user/pass
    - User/pass sits in AD. Based on AD group membership, NPS gives an attribute to the requesting AP to place that particular endpoint in a particular VLAN.
    - I gain access to that VLAN and acquire an IP via DHCP in that VLAN.

    Would this work?

    Is there a KB article you know of that explains the process? I think it is a fairly common request.

    Thanks



  • 4.  RE: VLAN assignment based on AD

    EMPLOYEE
    Posted Oct 14, 2015 10:34 PM
    Yes, that's how most networks are designed. Search for NPS tutorial on here.

    Thanks,
    Tim

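The design agreed on in posts 3 and 4, as an added example that is not from this thread, from NPS or from HPE Aruba: a small Python model of the RADIUS side, mapping AD group membership to the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that carry the VLAN in the Access-Accept, and the check a NAS should make before honouring them. The group names, VLAN numbers, policy order and the untagged (tag 0) encoding are constructed assumptions.

```python
import struct
# Constructed AD group -> VLAN mapping, evaluated in NPS policy order (first match wins).
POLICY_ORDER = [("Staff", 10), ("Contractors", 20), ("Guests", 100)]
# RFC 2868 tunnel attribute codes and the values that mean "802.1Q VLAN".
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def vlan_for_groups(groups):
    """VLAN for the user's AD groups; None means reject, never a default VLAN."""
    for group, vlan in POLICY_ORDER:
        if group in groups:
            return vlan
    return None

def radius_attr(code, value):
    # RADIUS attribute: 1-byte type, 1-byte total length (header included), value.
    return struct.pack("BB", code, 2 + len(value)) + value

def build_vlan_attributes(vlan_id, tag=0):
    """The three attributes an NPS network policy adds to Access-Accept (tag 0 = untagged)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    # Tagged integers are a 1-byte tag followed by a 3-byte big-endian value.
    return (radius_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + radius_attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + radius_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_attributes(blob):
    # Split a run of RADIUS attributes into {code: value}, rejecting bad lengths.
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        code, length = blob[i], blob[i + 1]
        attrs[code] = blob[i + 2:i + length]
        i += length
    return attrs

def vlan_from_access_accept(blob):
    """VLAN the NAS should apply, or None unless all three attributes agree and are valid."""
    a = parse_attributes(blob)
    if any(c not in a for c in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    t, m, g = a[TUNNEL_TYPE], a[TUNNEL_MEDIUM_TYPE], a[TUNNEL_PRIVATE_GROUP_ID]
    ok = (int.from_bytes(t[1:], "big") == TUNNEL_TYPE_VLAN
          and int.from_bytes(m[1:], "big") == TUNNEL_MEDIUM_IEEE802
          and t[0] == m[0] == g[0])
    vid = g[1:].decode("ascii", errors="replace")
    return int(vid) if ok and vid.isdigit() and 1 <= int(vid) <= 4094 else None
```

A user in both Staff and Guests lands in VLAN 10 because Staff is matched first, which is why NPS policy order matters as much as the group filter itself.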

  • 5.  RE: VLAN assignment based on AD

    Posted Oct 14, 2015 10:52 PM

    Thanks heaps, I will give it a shot.