Frequent Contributor I

AOS 8.5 and CPPM Downloadable user Roles -- VLAN Not applying

Hello All,

Having an issue with downloadable user roles and the VLAN not being applied.

In Clearpass I created a downloadable user role for a mobility controller, created the ACLs, and am trying to assign a specific VLAN-Pool. It seems everything takes, except for the VLAN.

After the user authenticates, I can tell the user-role was successfully downloaded by doing a show user mac <mac>, and a show rights downloaded-user-roles, they both show up there with the correct information.

Even if I do a show rights <downloaded user-role name> it shows the correct VLAN there. The issue is that if I do a show user <mac> I see this

VLAN Derivation: Default VLAN


Then the user gets the VLAN assigned to the VAP, which is not what I want

I've tried changing the VLAN information in the DUR to a single VLAN-ID, and that doesn't work either. Is there some trick to getting the VLAN part to work? (CPPM 6.8.4 and AOS 8.5.0.4)

Thanks,

Chris Wickline | Network Engineer | York College of Pennsylvania

Accepted Solutions
MVP Guru

Re: AOS 8.5 and CPPM Downloadable user Roles -- VLAN Not applying

As far as I know, for controllers the VLAN assignment through the role is deprecated as it doesn't work under all circumstances. Can you try (as suggested by the previous answer) returning the Role and VLAN in separate attributes? For VLAN you can use the Aruba-User-VLAN attribute or the standard VLAN enforcement with IETF attributes. I personally prefer the Aruba-User-VLAN attribute as it is a single line and better describes what it does.

To avoid confusion, with ArubaOS Switches in role-based mode, the VLAN has to be in the role definition, as the switch will reject a role and VLAN sent in separate attributes.

ArubaOS (controller/IAP): Send Aruba-User-Role (or the downloadable equivalent) and Aruba-User-VLAN in separate attributes.

ArubaOS Switch: Send just a user-role (or DUR) which includes the VLAN.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).



All Replies
Frequent Contributor I

Re: AOS 8.5 and CPPM Downloadable user Roles -- VLAN Not applying

You can always send back a VLAN assignment as a separate enforcement profile. I believe it is in the IETF RADIUS dictionary.


Frequent Contributor I

Re: AOS 8.5 and CPPM Downloadable user Roles -- VLAN Not applying

Thanks Herman,

I am able to return the vlan via the user-vlan attribute and that works as expected.

I was attempting to use the standard mode of configuration, that way if I needed to update an ACL, it would update all the profiles that referenced that ACL. So I'd have to create additional enforcement profiles to send that attribute, which works, but isn't as clean as I would have liked.

Again, thank you both for your insight. I can stop banging my head against the wall now.


Chris Wickline | Network Engineer | York College of Pennsylvania
Frequent Contributor I

Re: AOS 8.5 and CPPM Downloadable user Roles -- VLAN Not applying

Keep in mind that "Aruba-User-Vlan" only takes integer values for the VLAN number. If you want to use a named VLAN, use "Aruba-Named-User-Vlan". The IETF VLAN enforcement will accept either number or name.
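The thread's advice in code, as an added example that is not from the thread, ClearPass or Aruba's own tooling: it encodes the RADIUS Access-Accept attributes the controller case needs (Aruba-User-Role plus a separate Aruba-User-Vlan or Aruba-Named-User-Vlan) next to the switch case (role only), enforcing the integer-only rule for Aruba-User-Vlan, and decodes the VSAs back so the result can be checked against a packet capture. The vendor ID 14823 and the Aruba sub-type numbers are taken from the Aruba RADIUS dictionary and are assumed correct; verify them against the dictionary loaded in your CPPM.

```python
import struct

# Aruba RADIUS dictionary values (assumed; check against your CPPM dictionary).
VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1           # string
ARUBA_USER_VLAN = 2           # integer only: the VLAN number
ARUBA_NAMED_USER_VLAN = 9     # string: the VLAN name


def vsa(vendor_id, vendor_type, payload):
    """Encode one RFC 2865 VSA: Type Length Vendor-Id | Vendor-Type Vendor-Length Data."""
    inner = struct.pack("!BB", vendor_type, len(payload) + 2) + payload
    body = struct.pack("!I", vendor_id) + inner
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for a single RADIUS AVP")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def aruba_user_role(role):
    return vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, role.encode("ascii"))


def aruba_user_vlan(vlan):
    # Aruba-User-Vlan is an integer attribute; a name like "Guest" must use Aruba-Named-User-Vlan.
    if isinstance(vlan, bool) or not isinstance(vlan, int) or not 1 <= vlan <= 4094:
        raise ValueError("Aruba-User-Vlan needs a VLAN number 1-4094, got %r" % (vlan,))
    return vsa(ARUBA_VENDOR_ID, ARUBA_USER_VLAN, struct.pack("!I", vlan))


def aruba_named_user_vlan(name):
    return vsa(ARUBA_VENDOR_ID, ARUBA_NAMED_USER_VLAN, name.encode("ascii"))


def controller_accept_attrs(role, vlan):
    """ArubaOS controller/IAP: role and VLAN as two separate attributes."""
    vlan_attr = aruba_user_vlan(vlan) if isinstance(vlan, int) else aruba_named_user_vlan(vlan)
    return aruba_user_role(role) + vlan_attr


def switch_accept_attrs(role):
    """ArubaOS Switch: only the role; the VLAN has to live inside the role definition."""
    return aruba_user_role(role)


def parse_vsas(blob):
    """Walk a run of AVPs and return (vendor_id, vendor_type, data) for each VSA found."""
    out, i = [], 0
    while i < len(blob):
        if i + 1 >= len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attr_type, length = blob[i], blob[i + 1]
        if attr_type == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", blob[i + 2:i + 6])[0]
            out.append((vendor_id, blob[i + 6], bytes(blob[i + 8:i + length])))
        i += length
    return out
```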
