Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wired enforcement for Access point (tagged and untagged vlan)

  • 1.  Wired enforcement for Access point (tagged and untagged vlan)

    Posted Feb 22, 2018 09:31 AM

    Hi all,

    I would like to enforce on my AOS 2930 switch the specific port config that will be used when I plug in Aruba APs:

    Untagged VLAN: VLAN for Access Points

    Tagged VLANs: all my user VLANs (Corporate, Guest, etc.)

    User traffic won't be tunneled to the wireless controller.

    How can I do that?

    Shall I configure an Aruba user role? In that case, I don't see how, in a specific role, I would configure several tagged VLANs...

    OR

    Shall I use classic VLAN enforcement in that scenario?

    I guess it's the second method, but I'd like to be sure of that.

    Thanks for your help

    Fred



  • 2.  RE: Wired enforcement for Access point (tagged and untagged vlan)

    EMPLOYEE
    Posted Feb 22, 2018 09:52 AM
    Aruba campus APs should simply sit in a user subnet, just like any other client device. There is no need to tag any VLANs.

    Take a look at the ClearPass Solution Guide for Wired Policy Enforcement for configuration examples.


  • 3.  RE: Wired enforcement for Access point (tagged and untagged vlan)

    Posted Feb 22, 2018 10:06 AM

    Hi Tim,

    Your solution doesn't work for us.

    What we want to do:

    When an AP is plugged into our AOS 2930F switches, CPPM must enforce:

    - VLAN AP untagged

    - VLAN Corporate tagged

    - VLAN Guest tagged

    - VLAN Printer tagged

    - VLAN blabla tagged

    Even if you place your AP in another VLAN, I don't see how to enforce a tagged VLAN via CPPM (and moreover, how to enforce several tagged VLANs).

    I read the wired guide and didn't find a solution there either.

    Thanks for your help

    Kind regards,

    Fred



  • 4.  RE: Wired enforcement for Access point (tagged and untagged vlan)

    EMPLOYEE
    Posted Feb 22, 2018 10:08 AM
    You said the APs are tunneling to a controller. There should be no tagged VLANs on a campus AP.


  • 5.  RE: Wired enforcement for Access point (tagged and untagged vlan)

    Posted Feb 22, 2018 10:10 AM

    No,

    I said: User traffic won't be tunneled to the wireless controller.

    It'll be locally switched. That's why I need tagging.

    Fred



  • 6.  RE: Wired enforcement for Access point (tagged and untagged vlan)

    EMPLOYEE
    Posted Feb 22, 2018 10:13 AM
    OK, sorry misread. You cannot use RADIUS assigned user roles then. You’d have to use device-profiles with LLDP to map the user role.


  • 7.  RE: Wired enforcement for Access point (tagged and untagged vlan)

    Posted Feb 22, 2018 10:17 AM

    OK,

    Do you have any doc or example of how to do this?

    That'll be great.

    Fred



  • 8.  RE: Wired enforcement for Access point (tagged and untagged vlan)

    EMPLOYEE
    Posted Feb 22, 2018 10:23 AM
    I don’t sorry. Probably a better question for the switching group.


  • 9.  RE: Wired enforcement for Access point (tagged and untagged vlan)

    EMPLOYEE
    Posted Apr 23, 2018 10:36 PM

    I used this guide:
    https://community.arubanetworks.com/t5/Wired-Networks/Returning-multiple-tagged-VLANS-and-untagged-VLAN-from-ClearPass/ta-p/413955

    Tested with CPPM 6.7.2 and 2930M on 16.05 and 2920 on 16.05

    I used MAC auth with profiling. The AP profile gets all the additional tagged VLANs
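The post above and the linked guide describe ClearPass returning one untagged VLAN plus several tagged VLANs to the AP port. As an added example that is not from this thread and not HPE/Aruba code, the Python below builds and sanity-checks those attribute values using the RFC 4675 encoding (Egress-VLANID, attribute 56, and Egress-VLAN-Name, attribute 58), which is the standard RADIUS representation for tagged/untagged egress VLANs and is assumed here to be what the switch honours; the VLAN IDs 10/20/30/40, the VLAN names and the helper names are made up for the example.

```python
"""Encode and check RFC 4675 egress-VLAN RADIUS attributes for an AP port.

Added example, not code from the thread or from HPE/Aruba. It assumes the
switch honours RFC 4675 Egress-VLANID (attribute 56) and Egress-VLAN-Name
(attribute 58), the standard way a RADIUS server such as ClearPass hands a
port one untagged VLAN plus several tagged VLANs.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# RFC 4675 section 2.3: Egress-VLANID is a 32-bit integer. The top byte is
# the tag indication (0x31 = tagged, 0x32 = untagged), the middle 12 bits
# are zero padding and the low 12 bits carry the VLAN ID.
TAGGED = 0x31
UNTAGGED = 0x32


@dataclass(frozen=True)
class EgressVlan:
    vlan_id: int
    tagged: bool


def _check_vlan_id(vlan_id: int) -> None:
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Return the Egress-VLANID integer, e.g. tagged VLAN 100 -> 0x31000064."""
    _check_vlan_id(vlan_id)
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value: int) -> EgressVlan:
    """Decode the way a strict switch would: reject malformed values."""
    tag = (value >> 24) & 0xFF
    padding = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if value >> 32 or tag not in (TAGGED, UNTAGGED) or padding:
        raise ValueError(f"malformed Egress-VLANID 0x{value:08x}")
    _check_vlan_id(vlan_id)
    return EgressVlan(vlan_id, tag == TAGGED)


def encode_egress_vlan_name(name: str, tagged: bool) -> str:
    """RFC 4675 section 2.4: a leading '1' means tagged, '2' means untagged."""
    if not name:
        raise ValueError("empty VLAN name")
    return ("1" if tagged else "2") + name


def ap_port_attributes(untagged_vlan: int,
                       tagged_vlans: Iterable[int]) -> List[Tuple[str, int]]:
    """Attribute list for an AP port: exactly one untagged VLAN, N tagged.

    Returned as (attribute name, integer value) pairs; format the value as
    decimal or 0x-hex to suit the RADIUS server you paste it into.
    """
    tagged = list(dict.fromkeys(tagged_vlans))  # drop duplicates, keep order
    if untagged_vlan in tagged:
        raise ValueError(f"VLAN {untagged_vlan} cannot be both tagged and untagged")
    attrs = [("Egress-VLANID", encode_egress_vlanid(untagged_vlan, False))]
    attrs += [("Egress-VLANID", encode_egress_vlanid(v, True)) for v in tagged]
    return attrs


def rejects(func, *args) -> bool:
    """True if func(*args) raises ValueError (shows the guards actually fire)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample matching the thread: AP VLAN 10 untagged and the
    # Corporate/Guest/Printer VLANs 20/30/40 tagged (VLAN IDs are assumed).
    for name, value in ap_port_attributes(10, [20, 30, 40]):
        print(f"{name} = 0x{value:08x}  ->  {decode_egress_vlanid(value)}")
    print(encode_egress_vlan_name("AP", False),
          encode_egress_vlan_name("Corporate", True))
```

The decoder is there so you can paste the value from an enforcement profile back in and see exactly which VLAN and tag state a switch will derive from it; a non-zero padding field or a tag byte other than 0x31/0x32 is a typo that some switches silently ignore rather than flag. One caveat worth keeping in mind with the MAC-auth-plus-profiling approach: the port then trusts the device's MAC OUI and LLDP to decide that it is an AP, and whatever matches that profile is handed a trunk carrying every user VLAN, so verify the profile on a lab port before rolling it out and keep the AP VLAN itself free of anything more sensitive than AP management.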



  • 10.  RE: Wired enforcement for Access point (tagged and untagged vlan)

    Posted Apr 24, 2018 01:00 AM

    Have you checked device profiles?

    Please check below if it helps:

    http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/RA/16-01/webhelp/content/ch10.html