Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor I

Clearpass VLAN assignment on Aruba Switch

Hi!

 

I'm using an Aruba 2930F switch to set up wired policies with Clearpass. I just want to assign VLANs for now based on TIPS roles, and followed the Wired Policy Enforcement guide for this. Is it necessary to work with the downloadable user roles for this? Because I do have some issues: Clearpass perfectly authorizes 802.1X requests and enforces policy, but no VLAN is assigned to the client. Moreover, I don't get an IP address. On this port I configured my management VLAN as untagged, and my uplink as tagged. I also followed the necessary commands for aaa authentication, which seems to work as Clearpass detects it. But I really don't know what the exact configuration must be for the ports' VLANs or what I'm missing, because it's nowhere clearly explained.

Anyone who has some advice on this?

Thanks!

 


Re: Clearpass VLAN assignment on Aruba Switch

Try returning these values from ClearPass:

 

Radius:IETF	Tunnel-Type	=	VLAN (13)
Radius:IETF	Tunnel-Medium-Type	=	IEEE-802 (6)
Radius:IETF	Tunnel-Private-Group-Id	=	vlanname

You can either use name or VLAN ID in that same return value
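The three return values above, as they are encoded in a RADIUS Access-Accept (RFC 2868 attribute layout), with a check that all of them are present. This is an added example, not part of the original posts and not ClearPass or switch code; the function names are hypothetical, the samples are constructed, and the input is assumed to be the attribute bytes only (without the 20-byte RADIUS header).

```python
import struct

# RADIUS attribute numbers and values (RFC 2868; VLAN usage per RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def encode_vlan_attrs(vlan):
    """Encode the three attributes for a VLAN name or ID (tag byte 0 = unused)."""
    group = str(vlan).encode()
    return (struct.pack("!BBB", TUNNEL_TYPE, 6, 0) + VLAN.to_bytes(3, "big")
            + struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, 0) + IEEE_802.to_bytes(3, "big")
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)

def parse_attrs(data):
    """Split raw attribute bytes into {type: [value, ...]}; reject bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.setdefault(data[i], []).append(data[i + 2:i + data[i + 1]])
        i += data[i + 1]
    return attrs

def check_vlan_assignment(data):
    """Return (vlan, problems); vlan is None unless all three attributes are valid."""
    attrs, problems = parse_attrs(data), []

    def tagged_int(attr_type):
        # Value is 1 tag byte followed by a 3-byte big-endian integer
        vals = attrs.get(attr_type, [])
        return int.from_bytes(vals[0][1:], "big") if vals and len(vals[0]) == 4 else None

    if tagged_int(TUNNEL_TYPE) != VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if tagged_int(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, [b""])[0]
    if group and group[0] <= 0x1F:  # optional leading tag byte
        group = group[1:]
    if not group:
        problems.append("Tunnel-Private-Group-Id is missing or empty")
    return (None if problems else group.decode(errors="replace")), problems

# Constructed samples: a complete reply for VLAN ID 20, and the same reply
# with Tunnel-Medium-Type dropped (bytes 6..11)
SAMPLE_OK = encode_vlan_attrs(20)
SAMPLE_INCOMPLETE = SAMPLE_OK[:6] + SAMPLE_OK[12:]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("incomplete", SAMPLE_INCOMPLETE)):
        print(name, check_vlan_assignment(sample))
```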

Occasional Contributor I

Re: Clearpass VLAN assignment on Aruba Switch

Thanks for your reply! That stays the same with these settings (screenshot_2). My wired device is connected to port 2 on the switch; maybe it helps with my configuration? It's a test environment, so no confidential things are in it :)

 

Clearpass is in the management VLAN, connected to port 7.

Thanks!


Re: Clearpass VLAN assignment on Aruba Switch

Did you try with both VLAN name and ID? I think I had the same setup and it worked OK for me. What does Access Tracker look like, does it return those values?

MVP Expert

Re: Clearpass VLAN assignment on Aruba Switch

Check the output tab in Access Tracker.

 

See the attachment for the enforcement profile to enforce an untagged VLAN on an Aruba switch. Use the VLAN ID instead of the VLAN name.

 

In the switch CLI you can use this command to check if the VLAN is enforced, for example:

aaa port-access authenticator ###interface detailed

 

 

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Occasional Contributor I

Re: Clearpass VLAN assignment on Aruba Switch

Before, it showed up as ACCEPT in Access Tracker with the correct policy enforced. But now it doesn't show up anymore when I try to connect. Very strange.

Frequent Contributor II

Re: Clearpass VLAN assignment on Aruba Switch

I wanted to use VLAN enforcement as well:

Radius:IETF	Tunnel-Type	=	VLAN (13)
Radius:IETF	Tunnel-Medium-Type	=	IEEE-802 (6)
Radius:IETF	Tunnel-Private-Group-Id	=	vlanname

Is there a way to specify that this 'vlanname' is a tagged VLAN?

Similar thing for the VLAN ID: is there a way to specify that the VLAN ID is tagged?

MVP Expert

Re: Clearpass VLAN assignment on Aruba Switch

Sure,

 

One way is described in this post.

 

https://community.arubanetworks.com/t5/Security/Assign-Tagged-VLAN-via-Radius-attribute-using-quot-HP-Egress/td-p/260167

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.