Wireless Access

Contributor I

Aruba auth on PacketFence and change role/vlan

Hi all.

I'm evaluating the PacketFence solution for a guest portal and a little more control.

After a long time testing the solution, I stopped at a "problem" or unknown feature in the Aruba Controller.

All processes for registration are OK. I'm using Sponsor to authorize guests and change the role by RADIUS reply.

I can see my client on the Aruba Controller changing the role (guest to registred), and the role "registred" has a role VLAN ID set to 194 (my destination VLAN for this role), but my device doesn't change its IP address after the role change. I can see the client with the correct role but the wrong IP address.

We use that VLAN in another SSID and don't have any network problem.

How can I make the Aruba controller permit a change of the device IP address after a role change?

 

Guru Elite

Re: Aruba auth on PacketFence and change role/vlan

VLAN changes are not really possible for this kind of workflow as the client will not re-DHCP. Single VLAN with user roles is the recommended design.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Aruba auth on PacketFence and change role/vlan

Can't I use a registration VLAN????

I don't believe it...

I'm using an isolated VLAN for registration with the gateway on the PacketFence server.

After registration, we choose the role by conditions and the RADIUS accept returns this role by message.

Are you sure that it isn't possible?!?!?!?!

It's the main concept of NAC, or not?

The same thing that ClearPass can do.

Any difference?

I did a test with RADIUS returning the VLAN directly, and the Aruba controller changed the VLAN automatically.

DHCP works OK and devices can access the internet.

My problem is when RADIUS returns a role and not a VLAN.

 

 

Guru Elite

Re: Aruba auth on PacketFence and change role/vlan

VLANs are not security constructs. Use a change in user role to change access.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor I

Re: Aruba auth on PacketFence and change role/vlan

Cappalli,

I just commented that I did a test with RADIUS replying directly with the VLAN number. In this case, the controller can change the VLAN for the user/device and the device changes IP by DHCP normally. So, the problem is not DHCP refresh when changing VLAN.

It's not my option. It was a test.

My choice for workflow:

When an unauthorized device connects, the controller sends DHCP from a VLAN reserved for registration. This VLAN is contained between the Aruba Controller and PacketFence, and the gateway for this VLAN is PacketFence. Any access for this device is redirected to the PacketFence portal.

After the registration process (whatever it is: password, email, sponsor...), PacketFence chooses, following some conditions, a role to register and authorize the user/device, and this role is sent by PacketFence to the controller in the RADIUS reply message as follows:

 

(Jun 26 08:40:51 PacketFence-ZEN pfqueue: pfqueue(4045) INFO: [xxxxx] Returning ACCEPT with role: PF_Guest_Permit_auth (pf::Switch::Aruba::try {...} )) 

 

This role PF_Guest_Permit_auth is configured on the Aruba controller as follows:

user-role PF_Guest_Permit_auth
vlan 194
access-list session PERMITE_TUDO_POLICY

 

When the process finishes, I can see by the CLI command "show user mac xxx" that this user/device is connected with the correct options and the role was applied via RFC 3576 (CoA), but the VLAN is the same as for registration, even with the role set to 194.

All my choices on PacketFence are by role; according to those roles, a specific VLAN should be applied.

I'd like to publish only 1 SSID and, according to PacketFence policies, have the device registered on different VLANs and roles in the Aruba Controller.

Is it possible??!

 

 

Contributor I

Re: Aruba auth on PacketFence and change role/vlan

Nobody can help me?!

Guru Elite

Re: Aruba auth on PacketFence and change role/vlan

Please open a Technical Support case so that they can look at your setup in detail:

http://www.arubanetworks.com/support-services/support-program/contact-support

 

On this forum, we would just be guessing why things are not working the way you want them to.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*