Wired Intelligent Edge (Campus Switching and Routing)

Contributor I

Multiple Tagged VLANs in User Role

Hello team,

 

Wondering if we have any idea when multiple tagged VLANs will be supported in User-Roles? Running into issues when customers want colorless but run IAPs.


Accepted Solutions
Moderator

Re: Multiple Tagged VLANs in User Role

It is supported in 16.08 which is posted now.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |



All Replies

Re: Multiple Tagged VLANs in User Role

Hmm, I can't seem to get that to work?

When I fill multiple VLANs in the tagged part of ClearPass, it gave me an error in the interface telling me that VLAN id must be a number from 1-4096.

I tried

100,200,300

100, 200, 300

100 200 300

100;200;300

What am I missing?

MVP

Re: Multiple Tagged VLANs in User Role

You also need to upgrade ClearPass to 6.7.8


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------

Re: Multiple Tagged VLANs in User Role

Ok, I got this to work. When creating the Enforcement Profile you have to select Advanced mode, and then type the values yourself, as the standard profile will not let you assign multiple tagged VLANs.

 

Example:

aaa authorization user-role name "cppmrole_854e322fd0434c4"
vlan-id 1
vlan-id-tagged 100,200,300
reauth-period 600
exit

 

I created a standard profile first and copied the contents as the basis for the advanced profile.

Contributor I

Re: Multiple Tagged VLANs in User Role

I see that it works when you use VLAN IDs, but if using multiple names longer than 32 characters it does not work, e.g.:

 

vlan-name-tagged xxx-corporate,xxx-guest,xxx-mobile

 

It comes back with the error:

Invalid vlan-name length

 

Using vlan-name-tagged xxx-corporate,xxx-guest,xxx-mobi works, but obviously the last VLAN does not match.

 

This is on 16.09.0003 on a 2930M

---------------------------
ACCP, ACMA, ACMP, ACDX
MVP Guru Elite

Re: Multiple Tagged VLANs in User Role

Need to ask TAC...



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
MVP

Re: Multiple Tagged VLANs in User Role

Did you ever get this checked out with support?

I was implementing this yesterday and had to fall back to vlan-id-tagged because I could not get vlan-name-tagged working with more than 1 vlan.

 

My experiences with 2930F (WC.16.10.0002) and ClearPass (6.8.4) were even worse than your 32 char limit.

 

I tried setting this through standard and advanced. Both seemed to take it without problems. A 'show user-role download detail' also showed both vlan-named-tagged.

The switch itself didn't throw any error regarding this role either.


But still my clients ended up in the default denyall role.

 

I tried:

FAILS:

 

vlan-name MGMT
vlan-name-tagged CORPORATE-WIFI,GUEST-WIFI

 

 

FAILS (gives only the last vlan):

 

vlan-name MGMT
vlan-name-tagged CORPORATE-WIFI
vlan-name-tagged GUEST-WIFI

 

 

WORKS (a single vlan):

vlan-name MGMT
vlan-name-tagged GUEST-WIFI

 

Luckily using the same with vlan-id's did work:

vlan-id 999
vlan-id-tagged 200,210

Koen (ACMX #351 | ACDX #547 | ACCP)

MVP Guru Elite

Re: Multiple Tagged VLANs in User Role

Hi Koen,

 

Multiple vlan tagged name is not supported



Contributor I

Re: Multiple Tagged VLANs in User Role

Multiple tagged does work, you just need to ensure it is less than 32 characters, which meant I had to rename all my VLANs.

In the end I ended up just statically configuring them vs pushing from ClearPass.

---------------------------
ACCP, ACMA, ACMP, ACDX
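
A pre-push check for the role bodies discussed in this thread, as an added example (not code from any poster or from Aruba). It flags the three failure patterns reported above before an Advanced-mode profile is saved; the function name `lint_user_role`, the finding codes and the limits are assumptions drawn only from what the posts report, not from vendor documentation.

```python
import re

# Limits taken from posts in this thread, not from vendor documentation.
NAME_VALUE_MAX = 32                  # "Invalid vlan-name length" reported above this
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4096   # range quoted in the ClearPass UI error


def _valid_id(item):
    """True for a bare decimal VLAN ID inside the quoted range."""
    return bool(re.fullmatch(r"[0-9]+", item)) and VLAN_ID_MIN <= int(item) <= VLAN_ID_MAX


def lint_user_role(text):
    """Return sorted (line_number, code) findings for one user-role body."""
    findings, name_tagged_lines = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        key, _, value = raw.strip().partition(" ")
        value = value.strip()
        if key == "vlan-name-tagged":
            name_tagged_lines.append(number)
            # The whole comma-separated value counted against the limit.
            if len(value) > NAME_VALUE_MAX:
                findings.append((number, "name-list-over-32-chars"))
            # More than one name left clients in the deny role for one poster.
            if "," in value:
                findings.append((number, "multiple-tagged-names"))
        elif key in ("vlan-id", "vlan-id-tagged"):
            # Working form in the thread: IDs joined by commas, no spaces.
            if not all(_valid_id(item) for item in value.split(",")):
                findings.append((number, "bad-vlan-id-list"))
    # Repeated vlan-name-tagged lines: only the last one was applied.
    for number in name_tagged_lines[:-1]:
        findings.append((number, "overridden-by-later-vlan-name-tagged"))
    return sorted(findings)


# Role bodies copied from the posts above.
ROLE_IDS = "vlan-id 1\nvlan-id-tagged 100,200,300\nreauth-period 600\nexit"
ROLE_LONG_NAMES = "vlan-name-tagged xxx-corporate,xxx-guest,xxx-mobile"
ROLE_REPEATED = "vlan-name MGMT\nvlan-name-tagged CORPORATE-WIFI\nvlan-name-tagged GUEST-WIFI"

if __name__ == "__main__":
    for name, body in [("ids", ROLE_IDS), ("long", ROLE_LONG_NAMES), ("repeat", ROLE_REPEATED)]:
        print(name, lint_user_role(body))
```

An empty result for the `vlan-id-tagged` form matches the thread's outcome that pushing IDs was the combination that worked for every poster.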