Clearpass VLAN assignment on Aruba Switch

  • 1.  Clearpass VLAN assignment on Aruba Switch

    Posted Nov 22, 2019 06:43 AM

    Hi!

    I'm using an Aruba 2930F switch to set up wired policies with Clearpass. I just want to assign VLANs for now based on TIPS roles, and followed the Wired Policy Enforcement guide for this. Is it necessary to work with the downloadable user roles for this? I ask because I do have some issues: Clearpass perfectly authorizes 802.1X requests and enforces policy, but no VLAN is assigned to the client. Moreover, I don't get an IP address. On this port I configured my management VLAN as untagged, and my uplink as tagged. I also followed the necessary commands for aaa authentication, which seems to work as Clearpass detects it. But I really don't know what the exact configuration must be for the port VLANs or what I'm missing, because it's nowhere clearly explained.

    Anyone who has some advice on this?

    Thanks!



  • 2.  RE: Clearpass VLAN assignment on Aruba Switch

    Posted Nov 22, 2019 06:45 AM

    Try returning these values from ClearPass:

    Radius:IETF	Tunnel-Type	=	VLAN (13)
    Radius:IETF	Tunnel-Medium-Type	=	IEEE-802 (6)
    Radius:IETF	Tunnel-Private-Group-Id	=	vlanname

    You can use either the VLAN name or the VLAN ID in that same return value.
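
Added example (not part of the original posts and not HPE Aruba code): a Python check that encodes the three attributes from the reply above in their RFC 2868 wire format and verifies that an Access-Accept attribute area carries a complete VLAN assignment. The function names are hypothetical, and the input is assumed to be the raw attribute bytes of the packet, for example taken from a capture.

```python
import struct

# RADIUS attribute type codes (RFC 2868) and the values used for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def encode_vlan_attrs(vlan, tag=0):
    """Build the three attributes as they appear on the wire (vlan: name or ID)."""
    out = b""
    for attr_type, value in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        # type, length=6, tag byte, 3-byte big-endian value
        out += struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")
    body = (bytes([tag]) if tag else b"") + str(vlan).encode()
    return out + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, len(body) + 2) + body


def parse_attrs(data):
    """Split a RADIUS attribute area into (type, value-bytes) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def vlan_assignment(data):
    """Return (vlan, problems); vlan is None unless all three attributes are valid."""
    seen, problems = {}, []
    for attr_type, value in parse_attrs(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                problems.append("attribute %d has wrong length" % attr_type)
                continue
            seen[attr_type] = int.from_bytes(value[1:], "big")  # skip the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x01..0x1F is a tag; anything else belongs to the string
            if value and 0x01 <= value[0] <= 0x1F:
                value = value[1:]
            seen[attr_type] = value.decode("ascii", "replace")
    if seen.get(TUNNEL_TYPE) != VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    if not seen.get(TUNNEL_PRIVATE_GROUP_ID):
        problems.append("Tunnel-Private-Group-Id is missing or empty")
    return (None if problems else seen[TUNNEL_PRIVATE_GROUP_ID]), problems
```
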



  • 3.  RE: Clearpass VLAN assignment on Aruba Switch

    Posted Nov 22, 2019 06:55 AM

    Thanks for your reply! That stays the same with these settings (screenshot_2). My wired device is connected to port 2 on the switch; maybe it helps with my configuration? It's a test environment, so no confidential things are in it :)

    Clearpass is in the management VLAN, connected to port 7.

    Thanks!

    Attachment: SwitchConfig.txt (1 KB)


  • 4.  RE: Clearpass VLAN assignment on Aruba Switch

    Posted Nov 22, 2019 10:12 AM

    Did you try with both VLAN name and ID? I think I had the same setup and it worked OK for me. What does Access Tracker look like? Does it return those values?



  • 5.  RE: Clearpass VLAN assignment on Aruba Switch

    MVP EXPERT
    Posted Nov 22, 2019 02:58 PM

    Check the output tab in Access Tracker.

    See the attached enforcement profile for enforcing an untagged VLAN on an Aruba switch. Use the VLAN ID instead of the VLAN name.

    In the switch CLI you can use this command to check if the VLAN is enforced, for example:

    aaa port-access authenticator ###interface detailed



  • 6.  RE: Clearpass VLAN assignment on Aruba Switch

    Posted Nov 25, 2019 09:11 AM

    Before, it showed up as ACCEPT in Access Tracker with the correct policy enforced. But now it doesn't show up anymore when I try to connect. Very strange.



  • 7.  RE: Clearpass VLAN assignment on Aruba Switch

    Posted May 22, 2020 12:54 PM

    Wanted to use VLAN enforcement as well.

    Radius:IETF	Tunnel-Type	=	VLAN (13)
    Radius:IETF	Tunnel-Medium-Type	=	IEEE-802 (6)
    Radius:IETF	Tunnel-Private-Group-Id	=	vlanname

    Is there a way to specify that this 'vlanname' is a tagged VLAN?

    Similar thing for the VLAN ID: is there a way to specify that the VLAN ID is tagged?



  • 8.  RE: Clearpass VLAN assignment on Aruba Switch

    MVP EXPERT
    Posted May 22, 2020 05:46 PM