Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

  • 1.  How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

    Posted Sep 06, 2018 04:51 AM

    Hey guys.

    At the moment I am really frustrated.
    I have a ClearPass 6.7.x appliance and I would like to authenticate wireless clients (like mobile phones, notebooks, etc.) with 802.1X.

    When a user connects to the network with a notebook, he should get VLAN "130".

    When this user also connects to this network with a mobile device, he should get VLAN "132".
    On ClearPass I made an Enforcement Profile like this:

    [screenshot: CP1.jpg]

    This profile should move the user into the specific VLAN.
    I mapped this profile to a policy and mapped this also to a service.

    Now my problem appears.

    The user connects to the SSID which is provided by an Aruba Controller 7024.
    ClearPass said "user authentication successful" and mapped profile = ergo-VLAN_130.
    So I think that from the ClearPass side everything is OK.
    But the controller doesn't understand the Aruba-User-VLAN attribute.

    How can I configure my controller so that it gives different VLANs in different situations initiated by ClearPass?

    In another thread I read that I should create a VLAN pool and map all the needed VLANs into this pool.

    But when I do so, nothing happens.

    Just to clarify the situation --> I have only ONE SSID and the controller should assign different VLANs to different users or devices initiated by ClearPass.

    With an IAP I don't have such trouble because an IAP takes all VLANs it knows, and when ClearPass sends the Aruba-User-VLAN attribute like VLAN 130, the IAP moves the device into VLAN 130 without any trouble.

    Only in the controller I can't find any configuration to do this, like I just did on an IAP.

    Could anyone help me?

    Thanks in advance and best regards
    Falk



  • 2.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

    EMPLOYEE
    Posted Sep 06, 2018 05:42 AM

    Do this on the Aruba controller:


    config t
    logging level debugging security process authmgr
    logging level debugging security subcat aaa

    Authenticate your user.  After the user is authenticated, type "show log security 50" to see what attributes are being received from the radius server.




  • 3.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

    Posted Sep 06, 2018 05:57 AM

    Hey Joseph.

    Thanks for the fast reply.

    I attached a file with the information from your command.

    At the moment I've set up the SSID configuration with a VLAN pool named "Clents" and it has just one VLAN inside --> VLAN 130, but even this doesn't work.

    [screenshots: CP2.jpg, CP3.jpg]

    Could it be that the role "cpbase" has to do with my issue?
    But I think it is just a firewall rule.

    I just want the controller to know all needed VLANs and assign them according to the tags sent from ClearPass.

    Attachment: Show_Log_security.txt (8 KB)


  • 4.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

    Posted Sep 06, 2018 08:05 AM
    Are those VLANs configured and trunked in the controller?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 5.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

    Posted Sep 06, 2018 08:23 AM

    Hey Victor.

    Yes they are.
    We use these two VLANs on other SSIDs and there they are working perfectly.

    But in these two other SSIDs we are using Microsoft RADIUS Server to just authenticate the user in Active Directory without any VLAN assignment from the RADIUS side.

    So when the user authenticates on this SSID successfully, the VLAN will be assigned by the controller.

    I just don't understand why I can get a dynamic VLAN on an IAP with the configuration "Network assigned" in the VLAN configuration on the IAP.

    And I can't configure the same on an Aruba controller.

    There must be a way to set it up, like the setup on an IAP.

    Both are Aruba products with almost the same features and possibilities.

    Thanks for the help, I am really glad about that.

    Regards Falk



  • 6.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

    Posted Sep 06, 2018 10:31 AM

    Hey everyone.

    I think I solved it on my own.
    While searching further about dynamic VLAN assignment, I found a post which gave me a tip.

    http://community.arubanetworks.com/t5/Wireless-Access/Dynamic-vlan-assignment-with-radius-and-Aruba-Controller/m-p/221332

    Almost at the end of the first page, I found a little entry and I tried it out.

    To send a VSA to the Aruba controller, you have to set a specific value in the "server group".

    After you've entered the server(s) into the server group, you also have to set a "Server Rule"; in my case we need the following:

    [screenshot: CP4.jpg]

    Only with this setting can the Aruba controller handle the VSA sent from ClearPass.

    I've tested it by setting the VLAN pool on the SSID, with VLAN 130 and VLAN 132 in it.

    In my service for wireless 802.1X authentication I've inserted an enforcement policy like that:

    [screenshot: CP5.jpg]

    After that I was able to test.
    If a user comes with a mobile device, ClearPass sends the VSA to put this device in VLAN 132, and when I connect with my notebook it will be moved into VLAN 130.

    This was all I needed.

    What a pity that this is so difficult on the Aruba controller.

    On an IAP it works better.

    But no matter, now I am able to go further and I learned more again.

    If anyone has another opinion on that, please let me know.

    Because I am not 100% sure if the settings I've set are the right settings.

    Maybe there is also another solution or way to solve my actual problem.

    Thanks to all for the help.

    Best greetings from Germany :o)



  • 7.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

    EMPLOYEE
    Posted Sep 06, 2018 10:43 AM

    With the Aruba-User-Vlan VSA, you should not have to write a server derivation rule in the server group.  Please run the debug and "show log security all" to see if you are receiving the Aruba-User-Vlan VSA in the radius messages.



  • 8.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass
    Best Answer

    Posted Sep 07, 2018 03:47 AM

    Hey everyone!

    Joseph was absolutely right.

    You don't need a specific server rule on the controller, like I wrote yesterday.
    This morning I removed the server rule from the controller and I wanted to test the authentication together with the debug log (like Joseph wrote yesterday).

    I was really confused that even though I had removed the server rule, the authentication was successful.

    Then I remembered that I also made changes in the AAA profile and also in the 802.1X profile.

    I had the following settings before (because I didn't know better):

    [screenshots: CP6.jpg, CP7.jpg, CP8.jpg]

    Because I didn't know what these roles are doing, I thought that I just have to take a role where nothing is in it and the system wouldn't have any restrictions (because no restrictions were made in this role).

    But I was so wrong in this.

    A role which is empty denies all traffic, because the role doesn't know what to do.

    After that, I changed the settings to a default role which has the value "allow all", and suddenly I have a connection and everything works fine.

    I also understood that I have to set the "802.1X Authentication Default Role" in the AAA profile to a role which has connectivity to ClearPass and a DHCP server.

    The only thing I don't understand for now is the difference between "802.1X Authentication Default Role" in the AAA profile and the "Machine Authentication: Default Machine / User Role" in the 802.1X profile.

    Maybe someone can tell me that.

    But anyway, I think now everything works like I want.

    Many thanks to all.

    PS. Maybe someone has a "Best Practice" for settings on the Aruba Controller in interaction with ClearPass.
    Because should I "open" my controller and set all ACLs on the switch, or should I set ACLs with ClearPass roles?
    A paper with best practices would be very useful.

    Regards

    Falk
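
As an added example that is not part of the thread, the following ArubaOS CLI configuration shows the pieces the posts above describe on the controller side: the VLANs the Aruba-User-Vlan VSA can select, a restrictive 802.1X default role (DHCP, DNS and HTTPS to ClearPass only, rather than "allow all"), the ClearPass server group, and the AAA profile bound to a single virtual AP. The profile names, the ClearPass address 192.0.2.10 and the RADIUS key are assumptions; VLANs 130 and 132 are the ones from the posts.

```text
! Added example, not from the thread. 192.0.2.10 stands for the ClearPass
! server, the profile names and the RADIUS key are placeholders; VLAN 130
! and 132 are the VLANs from the posts.
! A VLAN returned in the Aruba-User-Vlan VSA must exist on the controller
! and be allowed on the uplink trunk, or the client is not moved.
vlan 130
vlan 132
interface gigabitethernet 0/0/0
  switchport mode trunk
  switchport trunk allowed vlan 130,132
!
! Role applied after 802.1X succeeds when ClearPass returns no role:
! least privilege (DHCP, DNS, HTTPS to ClearPass) instead of "allow all".
ip access-list session postauth-minimal
  any any svc-dhcp permit
  user any svc-dns permit
  user host 192.0.2.10 svc-https permit
  user any any deny
user-role dot1x-postauth
  access-list session postauth-minimal
!
! ClearPass as RADIUS server, wrapped in the server group the AAA profile uses.
aaa authentication-server radius cppm-01
  host 192.0.2.10
  key REPLACE_WITH_SHARED_SECRET
  enable
aaa server-group cppm-group
  auth-server cppm-01
!
! AAA profile: dot1x-default-role is the "802.1X Authentication Default Role"
! from the thread. No server derivation rule is needed for the VSA.
aaa authentication dot1x corp-dot1x-auth
aaa profile corp-dot1x
  authentication-dot1x corp-dot1x-auth
  dot1x-server-group cppm-group
  dot1x-default-role dot1x-postauth
  initial-role logon
!
! Single SSID; the VSA overrides the virtual AP's VLAN per client.
wlan ssid-profile corp-ssid
  essid "Corp"
  opmode wpa2-aes
wlan virtual-ap corp-vap
  ssid-profile corp-ssid
  aaa-profile corp-dot1x
  vlan 130
ap-group default
  virtual-ap corp-vap
```

Verify with the debug commands from reply 2 ("show log security 50") that the Aruba-User-Vlan VSA actually arrives, and with "show user-table" that the client is placed in the expected VLAN.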



  • 9.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

    EMPLOYEE
    Posted Sep 07, 2018 03:53 AM

    Do you have the policy enforcement license (PEFNG) installed on the controller? 



  • 10.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

    Posted Sep 07, 2018 04:01 AM

    Hey Joseph.

    If you mean this:

    [screenshot: CP9.jpg]

    YES :o)



  • 11.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

    EMPLOYEE
    Posted Sep 07, 2018 05:11 AM

    OK.

    What probably happened is that when you added the PEFNG licenses, you did a "write mem" or save configuration before rebooting.  PEFNG comes with a list of default roles and ACLs, and when you write mem after adding the license, all of those get wiped out, if you don't just reboot without "write mem".  I noticed this because of the presence of the "cpbase" role, which is what you have when you don't have a PEFNG license.

    The end result is that a lot of roles and ACLs end up having no firewall policies.  If you can contact TAC, they should be able to give you a list of default firewall policies and roles that you can paste into your controller.

    You can contact TAC here:  http://www.arubanetworks.com/support-services/support-program/contact-support



  • 12.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass

    Posted Sep 07, 2018 07:22 AM

    Hey again.

    OK, that is really interesting!

    So if I understood correctly, when I add a PEF / PEFNG license, I have to reboot the controller anyway AND WITHOUT "write memory" or "save configuration".

    Is that right?

    I have never added such licenses to a controller in my life until now.

    And normally I thought you add the license to the controller without doing any reboot.

    But it could be that my colleagues added the license years ago and did "write mem" (I can't tell you that, that was before my time :o))

    Thanks for the tip with TAC.

    I will open a case and hope they can help me.



  • 13.  RE: How to assign dynamic VLANs on an Aruba Controller (single SSID) and ClearPass
    Best Answer

    EMPLOYEE
    Posted Sep 07, 2018 10:51 AM

    Correct.


    If you do a "write mem" before rebooting, it will not create the default ACLs or roles that come with the PEF license.  The cpbase role exists without the PEF license, but is removed after you add PEF.