Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

When “Aruba-User-Vlan” is not available for ClearPass to steer

  • 1.  When “Aruba-User-Vlan” is not available for ClearPass to steer

    Posted Jun 03, 2016 10:29 AM

     

    We are using Vlans to segment the network and ClearPass attribute “Aruba-User-Vlan” would steer users to their Vlans according to their department.   The problem is when users roam out of their layer-3 boundary, the Vlans that they belong to are not there so they get a 169 IP address.

     

    Questions: Can ClearPass or the controller move users to the default Vlan that is defined in the virtual-AP profile if their assigned Vlans are not available?  Or do you have any other suggestions for roamed users?

     

    Best Regards,

     



  • 2.  RE: When “Aruba-User-Vlan” is not available for ClearPass to steer

    EMPLOYEE
    Posted Jun 03, 2016 10:34 AM

    When you say "out of their layer 3 boundary" do you mean to a different WLAN controller?  If that is the case, you should use a VLAN name that is defined locally on each controller and send that VLAN name attribute from CPPM, instead of a VLAN number.



  • 3.  RE: When “Aruba-User-Vlan” is not available for ClearPass to steer

    Posted Jun 03, 2016 10:42 AM

     

    Yes, users roam to a different local controller where their Vlans are not available.

    I've never used VLAN name, so pardon my unawareness.  When a VLAN name is defined at the local controller, how does it put users to their resources? Tunnel back to the master controller?

     



  • 4.  RE: When “Aruba-User-Vlan” is not available for ClearPass to steer
    Best Answer

    EMPLOYEE
    Posted Jun 03, 2016 10:45 AM

    The short answer is that you define a VLAN name.  You assign that VLAN name to a Virtual AP instead of a VLAN number.  On each controller (master and local), you define what VLAN number that name maps to.  In CPPM, you just return the VLAN name attribute with the VLAN name.  The local controller will put the user in the VLAN number associated to the name returned from CPPM.

     

    An article on VLAN names is here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-a-named-VLAN-and-how-do-I-configure-it/ta-p/181562