Some generic guidance, as you should work with your Aruba partner to get this properly designed and implemented.
You probably should not use VLAN switching; better to use role switching. Not all clients properly get an IP address in the new VLAN if you switch the VLAN from the network side, as the client may not know.
Further, if you want to use posture status, make sure the OnGuard can communicate to ClearPass regardless of the VLAN the client is in; if clients can be placed in the guest VLAN (depending on the posture status), make sure the communication is possible.
If ClearPass currently does not respond to changes in Posture (like unknown -> healthy, or healthy -> unhealthy), that is something that can be resolved with the Enforcement policy on the OnGuard Webauth service. A disconnect-user or port-bounce (wired) should trigger a new authentication where the new posture status is taken into account.
The following videos may give you some more guidance on OnGuard deployment.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
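One way to verify the point above about OnGuard being able to reach ClearPass from every VLAN a client can land in, as an added example that is not code from this thread or from Aruba: a small Python check you run from a test client while it sits in each VLAN of the plan (5, 74, 225, 226). The ClearPass hostname is a placeholder and the port numbers are assumed defaults (TCP 6658 for the OnGuard agent, 443 for WebAuth); the simulated result set is constructed to mirror the symptom described in the question.

```python
"""Reachability check for OnGuard -> ClearPass from each VLAN a client can land in.

Run from a test client in each VLAN of the plan and collect the per-VLAN
results; any gap means a client parked there can never report a new posture."""
import socket
import sys
from typing import Callable, Dict, List

# Placeholder hostname: replace with your ClearPass server (not from the thread).
CLEARPASS_HOST = "clearpass.example.internal"
# Assumption: default ports. TCP 6658 is used by the OnGuard persistent agent
# to talk to ClearPass; 443 carries the OnGuard WebAuth exchange.
REQUIRED_PORTS = {"onguard-agent": 6658, "https-webauth": 443}
# VLAN plan as described in the question.
VLANS = {5: "guest", 74: "corporate", 225: "employee", 226: "quarantine"}

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_vlan(probe: Probe = tcp_probe, host: str = CLEARPASS_HOST) -> Dict[str, bool]:
    """Probe every required ClearPass port from the VLAN this host is currently in."""
    return {name: probe(host, port) for name, port in REQUIRED_PORTS.items()}


def find_gaps(results: Dict[int, Dict[str, bool]]) -> List[str]:
    """List every VLAN/port combination from which ClearPass is unreachable.
    A client in such a VLAN is stuck with its last posture (the 225/226 symptom)."""
    gaps = []
    for vlan_id, ports in sorted(results.items()):
        for name, ok in ports.items():
            if not ok:
                gaps.append(f"VLAN {vlan_id} ({VLANS.get(vlan_id, '?')}): "
                            f"{name} tcp/{REQUIRED_PORTS[name]} unreachable")
    return gaps


def simulated_results() -> Dict[int, Dict[str, bool]]:
    """Constructed sample: agent port open only from the corporate VLAN, WebAuth everywhere."""
    return {vid: {"onguard-agent": vid == 74, "https-webauth": True} for vid in VLANS}


if __name__ == "__main__":
    # Usage: python check_onguard_reach.py <vlan-id this client is in>
    vlan = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    for line in find_gaps({vlan: check_vlan()}) or ["no gaps from this VLAN"]:
        print(line)
```

Every VLAN that a posture decision can place a client in must come back with no gaps; otherwise the agent has no path to report healthy or unhealthy and the role change never happens without a manual reconnect.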
Original Message:
Sent: Mar 24, 2024 10:19 AM
From: vovocals
Subject: VLAN Segmentation issues on Clearpass
VLANs on the switch:
VLAN 5 (guest)
VLAN 74 (corporate)
VLAN 225 (employee)
VLAN 226 (quarantine)
How it's supposed to be:
1) When a user uses domain credentials or local credentials to authenticate, if it's a BYOD device it should stay on VLAN 225.
2) If a user uses domain credentials to authenticate with a corporate laptop with the agent on it and the agent reads healthy, it should go to 74.
3) If a user has the agent on the corporate laptop and it reads infected, it should go to the quarantine VLAN to remediate.
Issue:
When a user authenticates and gets enforced into a certain VLAN (e.g. the employee VLAN, VLAN 225), if the agent now gets installed on the laptop, the posture agent won't be able to communicate with the Aruba on that VLAN. When you then disconnect from that port and plug into a free port on VLAN 74, the agent communicates with the Aruba and marks the system healthy. When the posture reads healthy and you then authenticate with the right VLAN, it keeps you on 74. If you now fail a posture on purpose, the Aruba will just alert you that you're failing the policy but won't move you to the other VLAN immediately; you'll have to manually disconnect and reauthenticate before it puts you in the right VLAN (quarantine).
If you're now in the quarantine VLAN and then remediate by turning on your firewall, the posture won't show healthy because it won't be able to communicate with the Aruba, so it stays there, hence not moving you back to 74 automatically.
Issue 2: if you use CoA on the Access Tracker to block a device, you'll have to go to Endpoints, look for the device MAC and change an attribute before it's unblocked.
Issue 3:
When a user uses domain credentials and passes all the policies, instead of the user getting a 74 IP, recently it started getting 150.
Wireless issue
All SSIDs are attached to a certain VLAN:
74 (main)
225 (emp)
5 (guest)
If a user uses the guest SSID to connect, it shows the captive portal and gives you a 5 IP.
If you use the corp SSID with a user role that states employee, or no posture available on that system, it gives you an emp IP.
If you use the corp SSID with no posture, it gives you a 225 IP.
If you use the corp SSID with posture available and healthy, it gives you a 74 IP.
These are the correct behaviours.
Issue:
1) If you install the agent on the system and use the corp SSID and the system is healthy, it gives you 74; if you purposely fail, it shows not healthy, but you'll have to disconnect and connect back to that SSID before it gives you a 225 or 226 IP.
When you enter 225 you won't be able to communicate with the agent.
2) If you log in with the employee role and get sent to the employee VLAN and then the posture reads healthy, you will still have the emp VLAN IP until you disconnect and reconnect before it gives you 74.