MVP

vlan derivation - any solution left?

Breaking my head over this... did I finally get something I cannot solve with Aruba products?


We have a need to do machine and user authentication on an 802.1X SSID.

The problem, however, is that we need to give different VLANs for machine-only, user-only and fully authenticated clients using MS NPS.


Apparently 6.3 changed things up a bit and I can no longer return the Aruba-User-Vlan VSA for user-only and/or machine-only.

Also, user-role-based VLANs are not possible (anymore?).

  • Role Based VLANs from the intermediate Machine Roles “Machine Authentication: Default Machine Role” and “User Authentication: Default User Role” will not be honored. The only state where derivation of any type is honored for the client is when it passes both Machine-auth && user-dot1x auth.

So am I right in thinking Aruba no longer has a solution to give different VLANs to machine-only or user-only authenticated users? Or does anyone here have an idea how to circumvent this?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite

Re: vlan derivation - any solution left?

My only contribution is that this is possible with ClearPass because the user/machine auth piece is offloaded.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP

Re: vlan derivation - any solution left?

Unfortunately it isn't. Even with ClearPass this is no longer possible.


ClearPass is a fix for the full-auth clients, but for that 802.1X Authentication Default Role I can still use role-based VLANs. Just for the intermediate machine and/or user roles I can no longer use role-based VLANs and/or VSAs!

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: vlan derivation - any solution left?

I have this configured with ClearPass without any issues.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP

Re: vlan derivation - any solution left?

Mmm, now that you mention it, that does seem logical, since with ClearPass you wouldn't enforce machine auth on the controller and those machine-auth and user-auth roles don't come into play.


Thanks!


Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: vlan derivation - any solution left?

Exactly. Turning off enforce machine auth adds a lot of flexibility on the ClearPass side using the built-in [User Authenticated] and [Machine Authenticated] role contexts.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
