Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - Connecting from VPN with RDP

  • 1.  Clearpass - Connecting from VPN with RDP

    Posted Jan 01, 2023 06:13 AM
    Hi,
    I set up a ClearPass cluster and assign VLANs to a workstation according to its Active Directory user login.
    When the workstation is logged out there is no active VLAN on the port, only a dummy VLAN (999) which is not configured on the network, only locally on the switches.
    As soon as the login is processed, the interface gets the correct VLAN for the user.

    My problem is when a client wants to connect to the workstation with RDP.
    When the workstation is not logged in, it has no IP address, so there is no way to connect to it.
    What is the best solution for this kind of problem?

    Is generating a transition VLAN the only possible way?
    And if it is, do you have any suggestions on the most secure way to configure this transition VLAN?


    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------


  • 2.  RE: Clearpass - Connecting from VPN with RDP

    EMPLOYEE
    Posted Jan 01, 2023 09:33 PM
    You would have to configure machine authentication on the client machine for the device to have an IP address when logged out.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 02, 2023 10:11 AM

    If I put the interface on VLAN access 999 and have connectivity in this VLAN (with access to the DHCP server and to ClearPass),

    wouldn't it be enough for the machine to get an IP address in VLAN 999?



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 4.  RE: Clearpass - Connecting from VPN with RDP

    EMPLOYEE
    Posted Jan 02, 2023 10:27 AM
    If you are not doing any type of authentication on that port, yes.




  • 5.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 04, 2023 04:39 AM

    I am doing authentication on that port.

    But I want to have some default VLAN that gives access to DHCP, the DC, and ClearPass.
    Can't I put VLAN 999 in access, and only after authentication replace the VLAN according to the user's AD credentials?



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 6.  RE: Clearpass - Connecting from VPN with RDP

    EMPLOYEE
    Posted Jan 04, 2023 05:53 AM
    That probably would work. Still, I would recommend configuring computer/machine authentication such that a logged-off computer can authenticate to the network rather than allowing even unauthenticated clients to connect to your AD services.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 05, 2023 09:07 AM

    So if I am doing machine authentication,
    I can give it a specific VLAN when it is logged off, and another VLAN when it logs in (VLAN assignment according to the user's AD credentials)?

    I am not sure what the flow is when I am using both machine authentication and user authentication according to AD.



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 8.  RE: Clearpass - Connecting from VPN with RDP

    EMPLOYEE
    Posted Jan 05, 2023 11:20 AM
    That would be one option, but be aware that the client will need to do a DHCP renew when switching VLAN, which is why VLAN switching is not really recommended. It would be better to switch roles (to control traffic) and stick in the same VLAN; but if it works and is well tested, VLAN switching may work. For example roaming profiles may break/get corrupted if you switch VLAN in the middle of retrieving/saving. For that reason, just doing computer authentication and/or not switching VLANs may be the better option.

    In short, if you have machine+user, the computer will authenticate with the computer account when nobody is logged on, and reauthenticate as user when a user signs in.

    ------------------------------
    Herman Robers
    ------------------------------



  • 9.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 08, 2023 04:01 AM
    Hi Herman,
    Thanks again.
    So among all your awesome videos, do you have something that explains how to configure machine+user authentication?

    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 10.  RE: Clearpass - Connecting from VPN with RDP

    EMPLOYEE
    Posted Jan 09, 2023 03:54 AM
    Did you see this video?
    And here is another video (from the older series) that shows where the client configuration is.

    Hope that helps?

    ------------------------------
    Herman Robers
    ------------------------------



  • 11.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 09, 2023 05:09 AM

    Yes,
    I have just seen the first video you recommended.
    I will watch the older one as well, hoping to understand it better.

    But I want to understand the combination of machine with user authentication better.
    My plan was to switch VLANs according to the user credentials. So if it's an IT user, he will get an IT VLAN; if it is a management user, it will get the mgmt VLAN, and so on.
    In the setup you suggested, I have to configure the VLAN on the port in advance, don't I?

    So it makes the plan of VLAN switching problematic.



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 12.  RE: Clearpass - Connecting from VPN with RDP

    EMPLOYEE
    Posted Jan 09, 2023 03:37 PM
    Any switching of VLANs breaks things like login scripts, etc. and should be avoided at all costs. It is even worse when you use RDP.




  • 13.  RE: Clearpass - Connecting from VPN with RDP

    EMPLOYEE
    Posted Jan 10, 2023 03:30 AM
    No, you don't need to configure a VLAN on the port in advance, you can assign a VLAN based on the Computer/Machine authentication.

    As Colin mentioned, you should avoid switching VLAN. If you want to change access, change User Roles instead and link the access to the User Roles.

    For new deployments, you may also have a look at TEAP which combines User+Computer authentication in a single (chained) authentication.

    ------------------------------
    Herman Robers
    ------------------------------



  • 14.  RE: Clearpass - Connecting from VPN with RDP

    Posted Jan 10, 2023 04:31 AM

    I understand what you are saying.
    But I have some gaps in the concept of machine authentication.
    My desire was to set a VLAN to a user according to its group on AD (IT, management, HR, etc...).
    But now, according to your solution, I need to bind a machine to the department. The only thing I can think of is to make this binding static, with some attribute for the endpoint.
    Did I get this right? Do you have any better idea for me on how to bind a machine to the correct VLAN? (Or better to say, the correct User role that has VLAN assignment)



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 15.  RE: Clearpass - Connecting from VPN with RDP

    Posted Feb 07, 2023 06:29 AM

    Hi Herman.

    I listened to your advice and configured machine authentication as well.
    It did solve my VPN connection problem to the station, but now I have a case that I didn't manage to figure out.
    When a user connects to the network via VPN and then logs in by RDP to its station, nothing is sent to ClearPass.
    That means that it stays under machine authentication and doesn't do user authentication.

    Can you explain why? Or maybe I am missing some configuration?



    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------



  • 16.  RE: Clearpass - Connecting from VPN with RDP

    EMPLOYEE
    Posted Feb 07, 2023 09:38 AM
    That seems to be as expected. If I read this correctly, if a user logs in over RDP, Windows does not have access to the user credentials for 802.1X and falls back to computer authentication. You may ask this question through your Microsoft support channel.

    ------------------------------
    Herman Robers
    ------------------------------
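The behaviour Herman describes (an RDP logon leaves the port authorized under the computer account) is something an operator can check for by correlating authentication records with Windows logon events. Added example, not from this thread or from ClearPass: the record layouts below are constructed for illustration and are not the real ClearPass export format.

```python
# Added example (not from the thread): correlate constructed ClearPass-style
# authentication records with Windows logon events to find workstations where
# a user signed in over RDP (logon type 10) but the switch port is still
# authorized under the machine account, so the user role was never applied.
import re
from datetime import datetime

# Constructed sample data; the field layout is an assumption for this example.
CLEARPASS_AUTHS = """\
2023-02-07T08:00:01 host/WS01.corp.example WS01 [Machine Authenticated] role=Machine-Only
2023-02-07T08:05:10 host/WS02.corp.example WS02 [Machine Authenticated] role=Machine-Only
2023-02-07T08:06:00 CORP\\bob WS02 [User Authenticated] role=IT-Staff
"""

# Constructed Windows 4624 events: type 10 is RemoteInteractive (RDP), type 2 is console.
WINDOWS_LOGONS = """\
2023-02-07T08:10:00 WS01 4624 LogonType=10 User=CORP\\alice
2023-02-07T08:06:00 WS02 4624 LogonType=2 User=CORP\\bob
"""

AUTH_RE = re.compile(r"^(\S+) (\S+) (\S+) \[(Machine|User) Authenticated\] role=(\S+)$")
LOGON_RE = re.compile(r"^(\S+) (\S+) 4624 LogonType=(\d+) User=(\S+)$")


def latest_auth_per_host(text):
    """Return {host: (timestamp, kind, identity, role)} for each host's newest record."""
    latest = {}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, ident, host, kind, role = m.groups()
        t = datetime.fromisoformat(ts)
        if host not in latest or t >= latest[host][0]:
            latest[host] = (t, kind, ident, role)
    return latest


def find_rdp_stuck_on_machine_auth(auth_text, logon_text):
    """Hosts with an RDP logon whose newest 802.1X session is still the machine account."""
    latest = latest_auth_per_host(auth_text)
    findings = []
    for line in logon_text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        ts, host, ltype, user = m.groups()
        if ltype != "10" or host not in latest:
            continue
        auth_t, kind, ident, role = latest[host]
        # RDP logon after the last auth, and that auth was machine-only: role not applied.
        if kind == "Machine" and datetime.fromisoformat(ts) >= auth_t:
            findings.append((host, user, ident, role))
    return findings
```

WS02 is not reported because bob's console logon triggered a user authentication; WS01 is, because alice's RDP logon never did.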



  • 17.  RE: Clearpass - Connecting from VPN with RDP

    Posted May 17, 2023 05:02 AM

    Funny, but I am now having the same issue when I am using OnGuard.
    Without OnGuard I managed to get the authentication with "machine authentication".
    I configured the same for another network that uses OnGuard. The problem now is that when I am trying to RDP to an end station, the OnGuard posture is "Unknown", so the user role sent to the switch is "Limited access".

    How can I make sure that OnGuard will send its posture also when the user is logged out?




    ------------------------------
    Best regards,
    Alon Haber
    ------------------------------