Wired Intelligent Edge


Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution

Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

  • 1.  Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    Posted Sep 19, 2018 03:17 PM

    Hi, I have a test lab in which I have to assign a different VLAN ID to each of the departments (25), and I want 5 levels of Role (ACL). My plan is to do it with one Enforcement Downloadable Profile to send the ACLs and another to send the VLAN ID (using the Enforcement VLAN template), but if I do it that way it does not work: I cannot pass the VLAN ID to the Aruba 2930M switch (v16.04.008) from an Enforcement; it only takes it if I include it in the ACL. My idea is to send the ACLs in one Enforcement and the VLAN ID of each department in the other. I have ClearPass version 6.7.0.101814, and I use my Active Directory server as Authentication Source and for Authorization. I do not know if I'm missing something on the switch, because I cannot pass the VLAN ID in an Enforcement in any way. I have considered whether I need to update the software version on the switches, but the DUR profile works and only the VLAN does not. I am adding some images of my configuration; hopefully they can give you a clue or a sign of where the problem is.

    Thank you.



  • 2.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    EMPLOYEE
    Posted Sep 19, 2018 03:24 PM
    Did you follow the ClearPass Solution Guide for Wired Policy Enforcement?


  • 3.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    Posted Sep 19, 2018 03:27 PM

    Yes, but I cannot send anything other than the VLAN ID, and the port does not assign that VLAN automatically. In fact it works for me when I put it in the Downloadable Enforcement Profile, but I want to do it in another Enforcement. Thanks for answering.



  • 4.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    EMPLOYEE
    Posted Sep 19, 2018 03:30 PM
    Did you use a standard VLAN enforcement? Also, if you’re using user roles, the VLAN is part of the user role.


  • 5.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    Posted Sep 19, 2018 05:02 PM

    Yes, I have tried to pass the VLAN with a Standard Enforcement without ACLs, using the Enforcement VLAN template, but the switch does not take the VLAN ID that ClearPass sends, even without entering the ACLs.
    Thank you.



  • 6.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    EMPLOYEE
    Posted Sep 19, 2018 05:04 PM
    I would look at the switch RADIUS debug to see what’s going on.


  • 7.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    Posted Sep 19, 2018 05:44 PM

    Attached is a .txt with the information I extracted at the moment a user connected on port 1/4 of NAD 172.16.100.17, with ClearPass IP 172.16.101.7. Or what other command could I use to get more accurate information? Thank you very much for responding.

    Attachment(s): show-debug-buffer-r.txt (46 KB)


  • 8.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment
    Best Answer

    EMPLOYEE
    Posted Sep 19, 2018 06:35 PM
    OK, so because you have user-roles enabled, you can’t use a VLAN in the RADIUS response. The VLAN assignment is handled in the role (local or downloaded).


  • 9.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    Posted Sep 19, 2018 06:47 PM

    Very well, understood. In my scenario I want to have 25 VLANs for the 25 departments; the department I take from Active Directory, and my idea was to compare the department and, based on it, send its VLAN ID, and in the Role Mapping pass the identifier of the user's privilege level (5 levels / ACLs) based on their Active Directory OU. I had planned to do it that way, but apparently I would have to create 25x5 = 125 Enforcement Downloadable Profiles, and I understand that the switch only supports 32. Any suggestion to improve the implementation of my lab? Or is it feasible to do it the way I think? Thank you very much for responding and for your time.



  • 10.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    EMPLOYEE
    Posted Sep 19, 2018 06:54 PM
    Do you envision more than 32 unique roles on a switch at any given time? You can have as many defined in ClearPass as you want. The switch capacity is about how many are active on the switch at any given time.

    If you have 5 privilege levels, why are there 25 VLANs?


  • 11.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    Posted Sep 19, 2018 07:05 PM

    The 25 departments are each an area of the company, and each Role is the level of privilege, i.e. access to certain subnets or IP addresses; that is why within the same department there can be several Role levels (privileges), hence the 5x25 permutation. I understand that it is very rare that many will be active simultaneously; that is why I wanted to make the mapping between department and VLAN ID. I have no problem doing the work of the 125 Enforcement Downloadables with the VLAN included, but this would make the 5 privilege levels (network access ACLs) be applied repeatedly, when only 5 are needed. Thank you very much for answering.
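
    The following is an added example by the editor, not code from the thread, from Aruba or from ClearPass. It shows what the design point in the Best Answer (the VLAN is carried in the user role once `aaa authorization user-role enable` is set, not in a Tunnel-Private-Group-Id returned by RADIUS) looks like as switch configuration, and how the 25x5 combinations from this post can be handled without copying the five ACLs 125 times: each privilege level's classifier and user policy is defined once, and every department/level role only references it by name and adds its VLAN. The department names, VLAN IDs, subnets and class/policy/role names are constructed assumptions; the CLI forms (`aaa authorization user-role`, `class ipv4`, `policy user`) are ArubaOS-Switch syntax and should be checked against the release notes of the firmware actually running.

```python
"""
Added example (not from the thread): generate ArubaOS-Switch local user-role
configuration for a "department VLAN x privilege level" scheme.

With 'aaa authorization user-role enable' the switch takes the VLAN from the
user role, not from a Tunnel-Private-Group-Id in the Access-Accept, so every
department/level combination needs its own role. The ACL for each privilege
level (one class plus one user policy) is emitted once and referenced by name
from each role, so the five ACLs are never duplicated.

Department names, VLAN IDs, subnets and role names below are constructed
for illustration (assumptions), not values taken from the thread.
"""
from itertools import product

# Constructed sample data (the thread has 25 departments and 5 levels).
DEPARTMENT_VLANS = {"finance": 110, "hr": 120, "engineering": 130}

# Privilege level -> destination networks (address + wildcard mask) it may reach.
LEVEL_DESTINATIONS = {
    1: ["10.10.0.0 0.0.255.255"],
    2: ["10.10.0.0 0.0.255.255", "10.20.0.0 0.0.255.255"],
    3: ["10.0.0.0 0.255.255.255"],
}


def role_name(dept: str, level: int) -> str:
    """Role name ClearPass would return for a (department, level) pair."""
    return f"{dept}-L{level}"


def policy_config(level: int, destinations: list[str]) -> str:
    """One 'class ipv4' listing the permitted destinations, plus a user policy
    that permits that class and denies all other IP traffic. Emitted once per
    level, never per department."""
    cls = f"L{level}-ALLOWED"
    lines = [f'class ipv4 "{cls}"']
    for seq, dst in enumerate(destinations, start=1):
        lines.append(f"   {seq * 10} match ip any {dst}")
    lines += [
        "   exit",
        f'policy user "L{level}-POLICY"',
        f'   10 class ipv4 "{cls}" action permit',
        '   20 class ipv4 "ANY-IP" action deny',
        "   exit",
    ]
    return "\n".join(lines)


def role_config(dept: str, vlan: int, level: int) -> str:
    """A local user role: the VLAN lives here (the point of the Best Answer),
    and the ACL is only referenced by policy name."""
    return "\n".join([
        f'aaa authorization user-role name "{role_name(dept, level)}"',
        f"   vlan-id {vlan}",
        f'   policy "L{level}-POLICY"',
        "   exit",
    ])


def build_config(departments: dict, levels: dict) -> str:
    """Full configuration: enable roles, shared catch-all class, one policy per
    level, then one role per department/level combination."""
    parts = [
        "aaa authorization user-role enable",
        'class ipv4 "ANY-IP"',
        "   10 match ip any any",
        "   exit",
    ]
    parts += [policy_config(lvl, dsts) for lvl, dsts in sorted(levels.items())]
    parts += [
        role_config(dept, vlan, lvl)
        for (dept, vlan), lvl in product(departments.items(), sorted(levels))
    ]
    return "\n".join(parts)


def role_count(departments: dict, levels: dict) -> int:
    """Roles ClearPass must be able to name. The switch limit mentioned in the
    thread concerns roles active on one switch at a time, not this total."""
    return len(departments) * len(levels)


if __name__ == "__main__":
    print(build_config(DEPARTMENT_VLANS, LEVEL_DESTINATIONS))
```

    On the ClearPass side the matching enforcement profile only has to return the role name (for ArubaOS-Switch local roles, the `HPE-User-Role` VSA, an assumption about the attribute name to verify in the ClearPass dictionary); with 25 departments and 5 levels that is 125 short profiles, while the ACL text stays in the 5 policies on the switch.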



  • 12.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    EMPLOYEE
    Posted Sep 19, 2018 08:36 PM
    I’d recommend you reach out to your Aruba or partner team to have a design session. There may be some ways to simplify this, but it’s difficult in a forum setting.


  • 13.  RE: Aruba Wired 802.1X with Clearpass and Vlan dynamic assignment

    Posted Sep 20, 2018 01:25 PM

    Okay, I see it now. Since I think it's not the best option to send the ACLs in one Enforcement and the VLAN ID based on the AD "department" in another, I think the best option will be to design each Role to be a VLAN ID. Thank you very much for answering.