Wireless Access

Hi 

I have a small setup with an Aruba Mobility Controller + one AP and ClearPass running. Now I would like to automatically put users that connect to my WLAN in the correct VLAN, but in my controller I can only give 1 vlan id per SSID.

So i have 1 SSID and ClearPass need to assign for example Phones to vlan 8 and laptops to vlan 9. (With one SSID) I've tried to create an vlan pool in the controller with all the necessary vlans in it; but then is does nothing. Also if i use in clearpass the vlan id attribute it do nothing. Can someone help me?

You should assign VLANs in the roles, and return a role from clearpass. You can control what VLAN or VLAN Pool a user gets, based on what role they end up in. You can have a role for phones, domain computers, guests, and assign them to separate networks and enforce firewall policies upon them.

To configure the VLAN for the role, make sure you have "show advanced profiles" turned on. From there, open the role, choose "show advanced view", and then go to more. Under here, assign your VLAN to the role.

First of all, thanks for your reply! 

I still don't really understand. You can give a vlan with a role. But in the controller you can only give 1 role with 1 SSID, so also only 1 vlan?
Or am I wrong?

You can always return the RADIUS attribute 'Aruba-User-Vlan' from the CPPM in order to return the a VLAN to the SSID. So you will have your Virtual AP defined with a single VLAN. If the attribute 'Aruba-User-Vlan' is returned from CPPM, it will override the VLAN defined in the VAP profile.

If needed you can also return a 'Aruba-User-Role' which can also being referencing a User Role with a defined VLAN on the controller.

https://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/AAA_Servers/Configuring_Servers.htm#RADIUS

Thanks for the reply!

I have in Clearpass an enforcement profile to assign vlan 7.

This profile is assigned in my service like you can see:

This service is for the correct SSID i am using, but stil if i connect it wil nog change the vlan to 7.

Just so I understand, if your enviroment despite the user matching the correct Service and the correct Enforcement Profile is assigned (confirmed in Access Tracker) the client is not assigned VLAN 7?

If you run the command 'show user [MAC or IP]' on the controller. It will help identify which VLAN and how that VLAN was assigned.

For example:

Role Derivation: ROLE_DERIVATION_INITIAL_ROLE
VLAN Derivation: Default VLAN
Vlan default: 10, Assigned: 10, Current: 10 vlan-how: 1 DP assigned vlan:0

**EDIT** Can you also post your Enforcement Profile for the VLAN8 & VLAN9? As you can see below (this is for a wired authentication but the concept is the same). Depending on my Tips role (determine by profiling the device in this case), I assign a VLAN based on its context.

This i the command output in the controller:

In the access tracker i see it is accepted en the vlan7 enforcement is also in it:

PS: there is nog vlan 8 and 9 it was just an example for in the future.  

I have only vlan 4 my management and vlan 7 for the guest.

Can you provide the 'show user' output showing the assigned VLAN? The configuration on CPPM appears to be correct if the correct service and enforcement profile is being matched. Is VLAN7 correctly configured on your controller?

This is the output:

What should i configure on my controller? The controller just knows the vlan from the switch.

If you want to assigned multiple VLANs to a single SSID then you need to configure the Enforcement Profiles on CPPM to return the VLANs to the controller. You would also need to configure the VLANs on the controller so the controller can tag/untag the traffic correctly.

Looking at your screenshot the client has been assigned VLAN4, which is the default VLAN. Have you configured (show vlan) VLAN7 on the controller?

For the WLAN you can assign initial roles, default roles, etc for just returning a RADIUS Accept. Same with the VLAN, it would be default. But with roles you can control access by assigning users to them via Clearpass.