Occasional Contributor II

Use external DHCP server for VIA clients

Hi all,

I have 7210 controllers with latest IOS; they currently use L2TP pools when users utilise the VIA client on our VPN.

The pools work fine but I would like to assign the addresses they get via an external server on our network. It’s external in the sense it’s not a dhcp pool on the controller - this will be a windows server with DHCP service enabled.

So ideally the flow would be:

Users connect through VIA
Hit clearpass and given a role
Role in the controller is set to use dhcp (not the current L2TP pool)
The windows dhcp server assigns address

Is there a way to configure the above? :-)
Guru Elite

Re: Use external DHCP server for VIA clients

No.  Via clients can only acquire an ip address from a pool.  That pool can include ip addresses in a subnet on an ip interface of the controller and work just fine.  You could exclude some ip addresses from the dhcp pool and only supply those addresses via the l2tp address pool.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor II

Re: Use external DHCP server for VIA clients

Thanks for your response

My real issue is we assign a dhcp reservation for some of our users to keep the same IP address every time they log in.

This then allows a firewall rule giving that IP address unique access to part of our network.

This is only needed for a couple of our users ... but is still needed.

Dhcp reservation from a windows server is all I can think of so far ... but if it can’t be done; maybe something more elegant using clearpass? Maybe that user has a custom security group in AD and then clearpass directs them to a static address etc?

Thanks
Guru Elite

Re: Use external DHCP server for VIA clients

This might be a pain, but you can try it:

Create 1 pool with only the ip address you need for the first user

Create another pool with only the ip address you need for the second user

Create a role for the first user and attach the first VPN pool to that role

Create another role and attach the second VPN pool to that role

When the first user authenticates with VIA, the radius server should return the aruba-user-role attribute with the first role and assign the first pool

When the second user authenticates with VIA, the radius server should return the aruba-user-role attribute with the second role and assign the second pool.

For everyone else you do not return a role, and they should get the default pool.

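The per-user pool and role arrangement described in the post above, written out as an ArubaOS controller configuration fragment. This is an added example, not configuration from the original thread or from Aruba. The pool names, role names and addresses are assumptions for illustration; the asker's real addressing is not on the page. The `ip local pool` and `user-role ... pool l2tp` commands are the standard ArubaOS way to bind an address pool to a role; the `show` commands at the end are the ones I would use to confirm the result, and should be checked against the CLI reference for the release in use.

```text
! Added example (not from the thread). All names and addresses are assumed.
!
! Default pool: the range every VIA user lands in when RADIUS returns no role.
ip local pool via-default 10.200.0.10 10.200.0.250

! One single-address pool per user who must always receive the same address.
! These addresses are deliberately OUTSIDE via-default, so no other client can
! ever be handed them and the downstream firewall rule keyed on the address
! cannot be reached by the wrong user.
ip local pool via-alice 10.200.0.251 10.200.0.251
ip local pool via-bob   10.200.0.252 10.200.0.252

! One role per fixed-address user. The pool is bound to the role, so the role
! returned by ClearPass, not the username, decides which address is assigned.
user-role via-alice-role
  pool l2tp via-alice

user-role via-bob-role
  pool l2tp via-bob

! The role that all other VIA users fall into keeps the shared pool.
user-role via-default-role
  pool l2tp via-default

! ClearPass side (summarised, configured in the GUI, not on the controller):
!   enforcement policy rule  Authentication:Username EQUALS alice
!     -> enforcement profile returning RADIUS VSA Aruba-User-Role = via-alice-role
!   (Aruba VSA vendor ID 14823, attribute 1, string)
!   same for bob -> via-bob-role; no rule match -> no role returned -> default.

! Verification after alice connects (assumed show commands; check your release):
!   show user-table verbose        ! expect alice in via-alice-role at 10.200.0.251
!   show rights via-alice-role     ! expect "L2TP Pool: via-alice"
```

Two practical notes. First, the fixed address only enforces anything if the single-address pool is excluded from every other pool, otherwise an ordinary user can be handed the same address and inherit the firewall exception. Second, because the same username also authenticates over 802.1X, the ClearPass rule needs a second condition that only matches VIA requests, as the later reply in the thread points out; otherwise the wired or wireless session would be pushed into a role that has no meaning there.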
Occasional Contributor II

Re: Use external DHCP server for VIA clients

We’re using clearpass ... would this need a custom attribute in active directory so that clearpass can recognise the individual users that require this special pool?
Guru Elite

Re: Use external DHCP server for VIA clients

You would not.

In clearpass you could add an enforcement policy rule that says "authentication username equals <that username>" and then execute the enforcement policy that would send back the aruba-user-role attribute.  

I would contact TAC to get you squared with that so that you do not affect the user's regular 802.1x authentication.  Again, this is complex.  I would try to get the VIA certificate authentication working on the default port, first, which is equally complicated.


Occasional Contributor II

Re: Use external DHCP server for VIA clients

Ah ok - that sounds good.

Would this simply be an enforcement policy, in addition to the current profile, that matches a username and then sends a custom role if the user matches the username ... and if it does not match, the user simply gets the normal role?

Thanks
Guru Elite

Re: Use external DHCP server for VIA clients

It would be a LINE in the current enforcement policy, and it would send back an enforcement profile that returns the role.  Again, those users also authenticate via 802.1x so you would have to have an additional condition to differentiate between 802.1x authentication and VIA authentication.


Occasional Contributor II

Re: Use external DHCP server for VIA clients

Thanks :-)
Frequent Contributor I

Re: Use external DHCP server for VIA clients

Hello Everyone!

I was searching for this issue, and I can see that it cannot be done apparently (use external DHCP server for VIA). But here is the kick for me: How does the VIA client get its default gateway?

After VIA establishes the IPsec point-to-point tunnel to the controller, how can I handle traffic and send it to a firewall for traffic filtering and routing? If I were able to use external DHCP for the VIA client, then I could push down the dgw, but in this scenario I cannot do that apparently.

Basically the scenario I want to achieve is kind of like when you have wireless access and a controller in L2 mode. The associated wireless client (in our case VIA client) traffic is sent to the controller through the AP GRE tunnel (in our case IPsec tunnel) and then gets sent to the default gateway for routing.

Can this be done?

Br.

Daniel
