Wireless Access

Occasional Contributor II

Re: can I use dhcp finger print to isolate devices in a specific VLAN

802.1x with the user derivation rule created "android"

Guru Elite

Re: can I use dhcp finger print to isolate devices in a specific VLAN


@Adrian.lupea@dc-uoit.ca wrote:

802.1x with the user derivation rule created "android"


Adrian.Lupea, 

 

What version of ArubaOS are you using?

Are clients being put into that role with the user derivation rule?

Are clients being put into that VLAN? (show user-table verbose)

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor II

Re: can I use dhcp finger print to isolate devices in a specific VLAN

ArubaOS ver 6.1.3.5

I have only one role and I have added the user derivation rule to that role so all devices are in the same role.

Some of them are, some of them are not.

 

adrian

Guru Elite

Re: can I use dhcp finger print to isolate devices in a specific VLAN


@Adrian.lupea@dc-uoit.ca wrote:

ArubaOS ver 6.1.3.5

I have only one role and I have added the user derivation rule to that role so all devices are in the same role.

Some of them are, some of them are not.

 

adrian


Adrian,

 

For this to work with 802.1x you need to be running ArubaOS 6.2 and above (please see release notes screenshot in a previous post). It will NOT work with 6.1.x.

 


Occasional Contributor II

Re: can I use dhcp finger print to isolate devices in a specific VLAN

Thanks. I have missed that. I will upgrade.

 

Adrian

Occasional Contributor II

Re: can I use dhcp finger print to isolate devices in a specific VLAN

It's working so far. Hope that this will be the solution. Thanks everyone.

 

adrian

Occasional Contributor II

Re: can I use dhcp finger print to isolate devices in a specific VLAN

Although I have a certain number of devices in the assigned VLAN the controller doesn't capture a large number of them. Here are my questions:

 

1. Is there more DHCP fingerprinting that I can use besides 3C64686370636420342E302E3135?

2. I can see a lot of devices are not authenticated but that will not stop them from receiving an IP. Is there a way to not allow an IP until logged in?

3. Anybody noticed a discrepancy on the users numbers between dashboard and monitoring screens? There are more users in the monitoring>clients and all of them have IPs and there are less users in the dashboard and a lot of users are not displaying any IPs.

 

thanks,

 

Adrian
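
The fingerprint string quoted in question 1 above can be decoded by hand, which shows what it actually matches. This is an added example, not part of the original post and not Aruba's code; it assumes the signature's first byte is the DHCP option code and the remaining bytes are the option value, and the two client option fields are constructed.

```python
# Added example. Assumption: signature = 1-byte DHCP option code + option value.
SIG = "3C64686370636420342E302E3135"  # fingerprint quoted in the post

OPTION_NAMES = {12: "Host Name", 55: "Parameter Request List",
                60: "Vendor Class Identifier"}

def decode_signature(hex_sig):
    """Return (option code, option name, readable value) for a signature."""
    raw = bytes.fromhex(hex_sig)
    if len(raw) < 2:
        raise ValueError("need an option code and at least one value byte")
    code, value = raw[0], raw[1:]
    if code != 55 and all(32 <= b < 127 for b in value):
        shown = value.decode("ascii")      # printable string options
    else:
        shown = list(value)                # e.g. option 55: requested codes
    return code, OPTION_NAMES.get(code, "option %d" % code), shown

def parse_options(blob):
    """Walk the code/length/value options field of a DHCP message."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:                    # End option
            break
        if code == 0:                      # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def signature_matches(hex_sig, options):
    """Exact ('equals') comparison of one option, as assumed for the rule."""
    raw = bytes.fromhex(hex_sig)
    return options.get(raw[0]) == raw[1:]

def build(pairs):                          # helper to construct sample blobs
    return b"".join(bytes([c, len(v)]) + v for c, v in pairs) + b"\xff"

# Constructed DHCP option fields (not captured traffic).
CLIENT_A = build([(53, b"\x01"), (60, b"dhcpcd 4.0.15"), (55, bytes([1, 3, 6]))])
CLIENT_B = build([(53, b"\x01"), (60, b"dhcpcd-5.5.6"), (55, bytes([1, 3, 6]))])
```

The signature decodes to option 60 with the string `dhcpcd 4.0.15`, so under an equals comparison constructed client B, which sends a different DHCP client version string, does not match.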

Occasional Contributor I

Re: can i use dhcp finger print to isolate devices in a specific VLAN

we are facing issues with device finger printing 

controller: 6000

OS:6.3.0.2

ssid : 802.1x with windows 8 nps

dhcp: windows 8 dhcp server 

 

Issue: There are three ap groups for three buildings; when user moves from one group to another the user rule which is set to assign vlan based on the device type doesn't work. For example:

ap group 1 . all ipads -vlan 1 ssid: staff

ap group 2 .all ipads -vlan 2  ssid: staff

device type:ipad

 

when the user is in ap group 1 the user rule assigns ip from vlan 1, but when the user moves to ap group 2 the ip address is still from vlan1; however, if we connect to another ssid and get a different ip (say guest) and try to reconnect back to the staff ssid then the device will get ip address from vlan2. Any help?

Thanks

 

Guru Elite

Re: can i use dhcp finger print to isolate devices in a specific VLAN


@binujacob wrote:

we are facing issues with device finger printing 

controller: 6000

OS:6.3.0.2

ssid : 802.1x with windows 8 nps

dhcp: windows 8 dhcp server 

 

Issue: There are three ap groups for three buildings; when user moves from one group to another the user rule which is set to assign vlan based on the device type doesn't work. For example:

ap group 1 . all ipads -vlan 1 ssid: staff

ap group 2 .all ipads -vlan 2  ssid: staff

device type:ipad

 

when the user is in ap group 1 the user rule assigns ip from vlan 1, but when the user moves to ap group 2 the ip address is still from vlan1; however, if we connect to another ssid and get a different ip (say guest) and try to reconnect back to the staff ssid then the device will get ip address from vlan2. Any help?

Thanks

 


If you have a client that is roaming from one access point to another on the same SSID, the client will assume that it is on the same VLAN and not attempt to obtain a new IP address. If you change the VLAN in the background the client will think it is on the same VLAN and NOT obtain a different DHCP address. If you change SSIDs, however, the client will always attempt to get another DHCP address because it assumes it will be on a new VLAN. Do not design your network where the network is changed in the background when your client roams to another access point on the same SSID. It will not work in the majority of cases and is not a good strategy.

 


Occasional Contributor I

Re: can i use dhcp finger print to isolate devices in a specific VLAN

we are forced to do this because of the apple tv /ipad airplay issues

we have more 128 apple tv's distributed across the campus . ipad have  limitation of displaying only 64 apple tv's in airplay 

so what we did is as below

 

divided the campus in to three ap groups based on building

ssid -staff-building 1-ap group 1 - aaa servers -group 1 - apple tv's in vlan1 (wired) - staff will get vlan 1     (no: of apple tv's 40)

ssid-staff -building 2 -ap group 2 - aaa servers -group 2 - apple tv's in vlan 2 (wired) - staff will get vlan 2   (no: of apple tv's 40)

ssid-staff -building 3 -ap group 3 - aaa servers -group 3 - apple tv's in vlan 3 (wired) - staff will get vlan 3   (no: of apple tv's 48)

This is working perfectly fine without enabling airplay on aruba and client roaming is also fine. When staff goes from ap group 1 to ap group 2 the device gets the correct vlan and dhcp. This is working fine with windows/ios/android. Now what we are trying is using device finger printing to isolate ipads by putting the user specific rules. When we enable user specific rule and the user roams from one ap group to other the vlan doesn't change automatically; however, if we disconnect and connect to guest network and get a different lease and reconnect back to staff ssid then the vlan/dhcp comes correctly. Any advice?

Thanks

Binu 
