
Multiple Tagged VLANs in User Role

  • 1.  Multiple Tagged VLANs in User Role

    Posted Dec 07, 2018 05:27 PM

    Hello team,

     

    Wondering if we have any idea when multiple tagged VLANs will be supported in User-Roles? Running into issues when customers want colorless but run IAPs.



  • 2.  RE: Multiple Tagged VLANs in User Role
    Best Answer

    EMPLOYEE
    Posted Dec 07, 2018 05:33 PM
    It is supported in 16.08 which is posted now.


  • 3.  RE: Multiple Tagged VLANs in User Role

    Posted Mar 13, 2019 12:40 PM

    Hmm, I can't seem to get that to work?

    When I fill in multiple VLANs in the tagged part of ClearPass, it gave me an error in the interface telling me that VLAN id must be a number from 1-4096.

    I tried

    100,200,300

    100, 200, 300

    100 200 300

    100;200;300

    What am I missing?



  • 4.  RE: Multiple Tagged VLANs in User Role

    Posted Mar 13, 2019 01:52 PM

    You also need to upgrade Clearpass to 6.7.8



  • 5.  RE: Multiple Tagged VLANs in User Role

    Posted Mar 14, 2019 09:17 AM

    Ok, I got this to work. When creating the Enforcement Profile you have to select Advanced mode, and then type the values yourself, as the standard profile will not let you assign multiple tagged VLANs.

     

    Example:

    aaa authorization user-role name "cppmrole_854e322fd0434c4"
    vlan-id 1
    vlan-id-tagged 100,200,300
    reauth-period 600
    exit

     

    I created a standard profile first and copied the contents as the basis for the advanced profile.



  • 6.  RE: Multiple Tagged VLANs in User Role

    Posted Aug 28, 2019 08:31 PM

    I see that it works when you use VLAN IDs, but if using multiple names longer than 32 characters it does not work, e.g.:

     

    vlan-name-tagged xxx-corporate,xxx-guest,xxx-mobile

     

    It comes back with the error:

    Invalid vlan-name length

     

    Using vlan-name-tagged xxx-corporate,xxx-guest,xxx-mobi works, but obviously the last VLAN does not match.

     

    This is on 16.09.0003 on a 2930M



  • 7.  RE: Multiple Tagged VLANs in User Role

    MVP GURU
    Posted Sep 15, 2019 04:57 AM

    Need to ask TAC...



  • 8.  RE: Multiple Tagged VLANs in User Role

    MVP
    Posted Feb 21, 2020 02:28 AM

    Did you ever get this checked out with support?

    I was implementing this yesterday and had to fall back to vlan-id-tagged because I could not get vlan-name-tagged working with more than 1 vlan.

     

    My experiences with 2930F (WC.16.10.0002) and Clearpass (6.8.4) were even worse than your 32 char limit.

     

    I tried setting this through standard and advanced. Both seemed to take it without problems. A 'show user-role download detail' also showed both vlan-named-tagged.

    The switch itself didn't throw any error regarding this role either.


    But still my clients ended up in the default denyall role.

     

    I tried:

    FAILS:

     

    vlan-name MGMT
    vlan-name-tagged CORPORATE-WIFI,GUEST-WIFI

     

     

    FAILS (gives only the last vlan):

     

    vlan-name MGMT
    vlan-name-tagged CORPORATE-WIFI
    vlan-name-tagged GUEST-WIFI

     

     

    WORKS (a single vlan):

    vlan-name MGMT
    vlan-name-tagged GUEST-WIFI

     

    Luckily using the same with vlan-id's did work:

    vlan-id 999
    vlan-id-tagged 200,210

     

     

     

     



  • 9.  RE: Multiple Tagged VLANs in User Role

    MVP GURU
    Posted Feb 21, 2020 03:57 AM

    Hi Koen,

     

    Multiple vlan tagged name is not supported



  • 10.  RE: Multiple Tagged VLANs in User Role

    Posted Feb 23, 2020 06:17 PM

    Multiple tagged does work, you just need to ensure it is less than 32 characters, which meant I had to rename all my VLANs.

     

    In the end I ended up just statically configuring them vs pushing from ClearPass.
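
A pre-flight lint for a role body before it is pushed from ClearPass, built only from the behaviour posters report in this thread (an added example, not code from HPE Aruba or from any poster). The 32-character threshold is an assumption taken from post 6, and `lint_user_role` and the sample role are constructed for illustration.

```python
import re

# Assumption from the thread, not vendor documentation: post 6 saw a
# 32-character vlan-name-tagged value accepted and a 34-character one rejected.
MAX_NAME_LIST_LEN = 32

# Constructed sample: role body in the style of post 5, names from post 6.
SAMPLE_ROLE = """\
aaa authorization user-role name "example_role"
vlan-name MGMT
vlan-name-tagged xxx-corporate,xxx-guest,xxx-mobile
reauth-period 600
exit
"""

def lint_user_role(text):
    """Return (line_number, message) findings for one user-role body."""
    findings = []
    tagged_name_lines = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.strip().split(None, 1)
        if len(parts) != 2:
            continue  # bare keywords such as "exit"
        key, value = parts[0], parts[1].strip()
        if key == "vlan-name-tagged":
            tagged_name_lines.append(lineno)
            if len(value) > MAX_NAME_LIST_LEN:
                findings.append((lineno, f"name list is {len(value)} chars, "
                                         f"over {MAX_NAME_LIST_LEN}"))
            if "," in value:
                findings.append((lineno, "multiple tagged names reported "
                                         "unreliable; prefer vlan-id-tagged"))
        elif key == "vlan-id-tagged":
            # Only the comma-separated numeric form is confirmed working (post 5).
            if not re.fullmatch(r"\d+(,\d+)*", value):
                findings.append((lineno, "not in the N,N,N form shown working"))
    if len(tagged_name_lines) > 1:
        # Post 8: with repeated lines only the last VLAN was applied.
        findings.append((tagged_name_lines[-1],
                         "repeated vlan-name-tagged lines; last one wins"))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint_user_role(SAMPLE_ROLE):
        print(f"line {lineno}: {msg}")
```

A role that passes this lint can still be rejected by a given firmware build, so confirm the applied role on the switch with `show user-role download detail` as post 8 did.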