Wired Intelligent Edge (Campus Switching and Routing)

Contributor II

Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

Hi, I have a test lab in which I have to assign a different VLAN ID to each of the departments (25), and I want 5 levels of role (ACL). My plan is to do it with one Enforcement Downloadable Profile to send the ACLs and another to send the VLAN ID (from the Enforcement VLAN template), but if I do it that way it does not work. I cannot pass the VLAN ID to the Aruba 2930M switch (V. 16.04.008) through an Enforcement; the switch only takes it if I include it in the ACL, but my idea is to send the ACLs in one Enforcement and the VLAN ID of each department in the other. I have ClearPass version V. 6.7.0.101814 and use my Active Directory server as the authentication and authorization source. I do not know if I'm missing something on the switch, because I cannot pass the VLAN ID in any way through an Enforcement. I have wondered whether I need to update the software version on the switches, but the DUR profile works and the VLAN does not. I am adding some images of my configuration; hopefully you can help me with a clue or a pointer to where the problem is.

Thank you.



All Replies
Moderator

Re: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

Did you follow the ClearPass Solution Guide for Wired Policy Enforcement?


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor II

Re: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

Yes, but I cannot send just the VLAN ID; the port does not assign that VLAN automatically. In fact it works for me when I put it in the Downloadable Enforcement Profile, but I want to do it in another Enforcement. Thanks for answering.

Moderator

Re: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

Did you use a standard VLAN enforcement? Also, if you’re using user roles, the VLAN is part of the user role.



| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor II

Re: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

Yes, I have tried to pass the VLAN through a standard Enforcement without ACLs, using the Enforcement VLAN template, but the switch does not take the VLAN ID that ClearPass sends, even without entering the ACLs.
Thank you.

Moderator

Re: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

I would look at the switch RADIUS debug to see what’s going on.



| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor II

Re: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

I am attaching a .txt with the information I captured when connecting a user on port 1/4 of NAD 172.16.100.17, with ClearPass at IP 172.16.101.7. Or what other command could I use to get more accurate information? Thank you very much for responding.

Moderator

Re: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

OK, so because you have user-roles enabled, you can’t use a VLAN in the RADIUS response. The VLAN assignment is handled in the role (local or downloaded).



| Aruba Alumni | @timcappalli | timcappalli.me |


Contributor II

Re: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

Understood very well. In my scenario I want to have 25 VLANs for the 25 departments, and the tax department I get from Active Directory. My idea was to compare the department and, based on it, send its VLAN ID, and in the Role Mapping pass the identifier of the user's privilege level (5 levels / ACLs) based on their Active Directory OU. I had planned to do it as I thought, but apparently I would have to create 25x5 = 125 Downloadable Enforcement Profiles, and I understand that the switch only supports 32. Any suggestions to improve the implementation of my lab? Or is it feasible to do it the way I have in mind? Thank you very much for responding and for your time.

Moderator

Re: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

Do you envision more than 32 unique roles on a switch at any given time? You can have as many defined in ClearPass as you want. The switch capacity is about how many are active on the switch at any given time.

If you have 5 privilege levels, why are there 25 VLANs?



| Aruba Alumni | @timcappalli | timcappalli.me |
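
Added example (not part of any post in this thread): a small Python check of the point made in the last reply, that 125 roles can be defined in ClearPass while the figure of 32 quoted above is compared against the distinct roles active on one switch at a time. The role naming scheme, switch names and session records are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from itertools import product

MAX_ACTIVE_ROLES = 32  # per-switch figure quoted in the thread

DEPARTMENTS = [f"DEPT{n:02d}" for n in range(1, 26)]   # 25 department VLANs
LEVELS = range(1, 6)                                    # 5 privilege levels (ACLs)


def role_name(department, level):
    """Hypothetical naming scheme: one role per (department, level) pair."""
    return f"{department}-L{level}"


# Every role that would be defined in ClearPass: 25 x 5 combinations.
DEFINED_ROLES = {role_name(d, l) for d, l in product(DEPARTMENTS, LEVELS)}


def active_roles_per_switch(sessions):
    """Return {switch: set of distinct roles in use by its authenticated ports}."""
    active = defaultdict(set)
    for s in sessions:
        active[s["switch"]].add(role_name(s["department"], s["level"]))
    return dict(active)


def over_capacity(sessions, limit=MAX_ACTIVE_ROLES):
    """List switches whose distinct active roles exceed the limit."""
    per_switch = active_roles_per_switch(sessions)
    return sorted(sw for sw, roles in per_switch.items() if len(roles) > limit)


def build_sample_sessions():
    """Constructed sessions for two hypothetical 48-port switches."""
    sessions = []
    # sw-floor1: three departments share the floor, all five levels present.
    for port in range(48):
        sessions.append({"switch": "sw-floor1",
                         "department": DEPARTMENTS[port % 3],
                         "level": port % 5 + 1})
    # sw-shared: hot-desk area where 40 ports each land a different combination.
    for dept, level in list(product(DEPARTMENTS, LEVELS))[:40]:
        sessions.append({"switch": "sw-shared", "department": dept, "level": level})
    return sessions


if __name__ == "__main__":
    sessions = build_sample_sessions()
    print(f"roles defined in ClearPass: {len(DEFINED_ROLES)}")
    for sw, roles in sorted(active_roles_per_switch(sessions).items()):
        print(f"{sw}: {len(roles)} active roles")
    print("over limit:", over_capacity(sessions))
```

Fed with real session data (for example an export of authenticated ports with their assigned roles), the same count shows which access switches would actually approach the limit.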
