Tunnel mode & Bridge mode SSID in single AP group
  • 1.  Tunnel mode & Bridge mode SSID in single AP group

    Posted Dec 08, 2014 02:22 AM

    Hi,

    We have a 7210 controller, CPPM (as RADIUS), and AP 205 and 105.

    The controller is located at a central location and the APs are at different locations.

    Can I use a tunnel mode and a bridge mode SSID in a single AP group?

    Will it work?

    Thanks in advance.


  • 2.  RE: Tunnel mode & Bridge mode SSID in single AP group

    EMPLOYEE
    Posted Dec 08, 2014 02:57 AM

    Yes.


  • 3.  RE: Tunnel mode & Bridge mode SSID in single AP group
    Best Answer

    Posted Dec 08, 2014 04:51 AM

    Hi,

    It is absolutely possible to configure 2 SSIDs with two different forwarding modes.

    An ap-group can have multiple VAPs (Virtual APs) and each VAP can be configured with a different forwarding mode.

    In your case you have to create two VAPs and map them to the ap-group.

    Eg:

    ap-group
      VAP1 -- Tunnel mode
        SSID1
        AAA
      VAP2 -- Bridge mode
        SSID2
        AAA

    Hope it is clear. If not, please feel free to come back :)

    Cheers,

    Venu Puduchery


  • 4.  RE: Tunnel mode & Bridge mode SSID in single AP group

    Posted Dec 08, 2014 10:16 AM

    Hi,

    Actually, I am using tunnel mode in our setup. There are 10 branches connected to the controller (at the central location), but wireless users are unable to get printer access (printers are connected on the wired network).

    As per the customer requirement, only user-authenticated + machine-authenticated users should get wireless access. I am able to achieve this requirement in tunnel mode but not in bridge mode.

    Bridge mode only supports user authentication.

    Is there any alternative to achieve the same?

    Thanks..


  • 5.  RE: Tunnel mode & Bridge mode SSID in single AP group

    EMPLOYEE
    Posted Dec 08, 2014 10:19 AM

    nik-mh,

    How are you enforcing machine authentication?  Are you using the controller's "Enforce Machine Authentication" or are you using a RADIUS server to check that the device has passed user and machine authentication?


  • 6.  RE: Tunnel mode & Bridge mode SSID in single AP group

    Posted Dec 08, 2014 10:30 AM

    I am using CPPM for VLAN enforcement and to verify the user authentication + machine authentication.



  • 7.  RE: Tunnel mode & Bridge mode SSID in single AP group

    EMPLOYEE
    Posted Dec 08, 2014 10:31 AM

    Nik-MH,

    If you are using CPPM, is it sending back a VLAN that is not trunked to the physical interface of the bridged AP?  When you send back the VLAN attribute for a bridged VAP, that VLAN must exist on the AP's switchport trunk.


  • 8.  RE: Tunnel mode & Bridge mode SSID in single AP group

    Posted Dec 08, 2014 10:40 AM

    Colin,

    The VLAN exists on my branch switch, and the bridge AP is getting an IP address from the same range (10.128.10.X).

    Even the wireless user is getting an IP address from the same range (10.128.10.X), but only on the basis of user authentication.

    How do I achieve user + machine auth?


  • 9.  RE: Tunnel mode & Bridge mode SSID in single AP group

    EMPLOYEE
    Posted Dec 08, 2014 10:57 AM

    nik-mh,

    The VLAN# that you are sending back is specific to the port that the AP is plugged into.  If the user ends up in a VLAN that is not trunked to the AP, the user will not go anywhere.  Do you have your access points at the branch plugged into trunk ports?  Is the VLAN you are sending back allowed on that physical port?

    If you do not have your access points on trunks at the branch, you cannot send back VLANs in your enforcement profile.  It will not work.



  • 10.  RE: Tunnel mode & Bridge mode SSID in single AP group

    Posted Dec 08, 2014 11:08 AM

    Colin,

    Yes. The branch AP is plugged into a trunk port, and the VLAN is also passed through that trunk port.

    The wireless user is getting an IP address from the same VLAN if I use only user authentication.



  • 11.  RE: Tunnel mode & Bridge mode SSID in single AP group

    EMPLOYEE
    Posted Dec 08, 2014 11:10 AM

    You should turn on user debugging to find out what is going on.



  • 12.  RE: Tunnel mode & Bridge mode SSID in single AP group

    Posted Dec 09, 2014 10:22 AM

    Hi Colin,

    PFA of user debugging.

    There is a default allow-all CPPM enforcement policy configured for the bridge mode SSID.

    The branch user is getting the correct IP address, but without machine authentication.

    My question is: which SSID configuration mode supports user auth + machine auth?

    Nik...

    Attachment: vlan enforcement.txt (3 KB)


  • 13.  RE: Tunnel mode & Bridge mode SSID in single AP group

    EMPLOYEE
    Posted Dec 09, 2014 10:24 AM

    ClearPass should send back a reject if the user does not pass user+ machine authentication.  Clearpass should enforce your policy.



  • 14.  RE: Tunnel mode & Bridge mode SSID in single AP group

    Posted Dec 09, 2014 10:43 AM

    User + machine auth is perfectly working fine in tunnel mode.

    Will it work in bridge mode also?

    As per TAC, bridge mode does not support machine auth..



  • 15.  RE: Tunnel mode & Bridge mode SSID in single AP group
    Best Answer

    EMPLOYEE
    Posted Dec 09, 2014 10:47 AM

    nik-mh,

    Let's be clear:

    If a device authenticates successfully using 802.1x, it is supported in bridge mode.  So if your CPPM is allowing a device to authenticate successfully, it should work with user authentication and machine authentication in bridge mode.

    If we have "enforce machine authentication" enabled in the 802.1x profile of the Aruba controller, this is not supported in bridge mode for machine authentication.

    Only people who do not have an external RADIUS server like ClearPass to check for user+machine authentication enable "enforce machine authentication" on the Aruba controller.  If you have "enforce" enabled in your 802.1x profile on the Aruba controller, please uncheck it so that ClearPass can enforce the user+machine policy.

     

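Putting posts 3 and 15 together as an added example (not from the thread or from any of its posters): an ArubaOS 6.x controller configuration, written from memory of the CLI syntax, with a tunnel-mode VAP and a bridge-mode VAP in one ap-group, both using a dot1x profile in which the controller-side machine-authentication enforcement is left off so that ClearPass enforces user + machine authentication. Profile names, ESSIDs, VLAN numbers and the ClearPass server address are assumed placeholders.

```text
! Added example, not the thread's own config. Names and VLANs are assumed.
! ClearPass as the RADIUS server; host and key are placeholders.
aaa authentication-server radius "cppm-01"
   host <cppm-ip>
   key <shared-secret>
aaa server-group "cppm-grp"
   auth-server "cppm-01"

! One 802.1X profile shared by both VAPs. User + machine authentication is
! checked by ClearPass, so the controller's own "machine-authentication
! enable" stays off: with it on, machine auth would not work on the
! bridge-mode VAP (post 15).
aaa authentication dot1x "dot1x-cppm"
   no machine-authentication enable
aaa profile "aaa-cppm"
   authentication-dot1x "dot1x-cppm"
   dot1x-server-group "cppm-grp"

! VAP 1: tunnel mode. Client traffic rides a tunnel back to the 7210,
! so VLAN 10 only has to exist on the controller.
wlan ssid-profile "ssid-corp"
   essid "Corp-Tunnel"
   opmode wpa2-aes
wlan virtual-ap "vap-corp-tunnel"
   ssid-profile "ssid-corp"
   aaa-profile "aaa-cppm"
   forward-mode tunnel
   vlan 10

! VAP 2: bridge mode. Client traffic is put on the AP's wired port at the
! branch, so VLAN 20, and any VLAN ClearPass returns in its enforcement
! profile, must be allowed on the switch trunk the AP is plugged into
! (posts 7 and 9).
wlan ssid-profile "ssid-branch"
   essid "Branch-Bridge"
   opmode wpa2-aes
wlan virtual-ap "vap-branch-bridge"
   ssid-profile "ssid-branch"
   aaa-profile "aaa-cppm"
   forward-mode bridge
   vlan 20

! Both VAPs in a single ap-group; the branch APs are assigned to it (post 3).
ap-group "branch"
   virtual-ap "vap-corp-tunnel"
   virtual-ap "vap-branch-bridge"
```

If the "enforce machine authentication" box is already ticked in the existing dot1x profile, the `no machine-authentication enable` line is the change that post 15 asks for; everything else only has to match what is already in place.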


  • 16.  RE: Tunnel mode & Bridge mode SSID in single AP group

    Posted Dec 09, 2014 10:53 AM

    Thanks for the clarity...

    I will try the same tomorrow and will update the same.