ClearPass Tiny Bite 3 – Simplifying & Scaling your VLAN Assignment (Method 1)

Very often in large deployments with multiple Network Access Devices (NADs), we need to return a different VLAN depending on which NAD the request came from. The corporate VLAN at location X might differ from the one at location Y. This can lead us to create a separate service per NAD so that each gets its own enforcement policy. However, other options exist that simplify both the policies and their day-to-day operation.

These two tiny bites show two simple ways to build a very scalable policy without needing a separate service for each NAD. I can think of many other ways to achieve the same result, but these are the ones I prefer to use.

Method 1: USE VLAN NAME INSTEAD OF VLAN NUMBER

If we look at the diagram below, we might need to create three different services for corporate users:

  • If a corporate user is coming from Location 1, then apply VLAN 10.
  • If a corporate user is coming from Location 2, then apply VLAN 20.
  • If a corporate user is coming from Location 3, then apply VLAN 30.

However, a more scalable approach is to return a named VLAN instead of the VLAN number. That way we can have a single policy:

  • If a corporate user is coming from any location, then apply the named VLAN “Corporate”.

The trick is that at every site we map the VLAN name to the local VLAN number as part of the NAD configuration. In the example below, we mapped VLAN 99 to the VLAN name Corporate.

On the ClearPass side, we simply return the VLAN name rather than the VLAN number. Note that different NAD devices expect different RADIUS attributes to carry the VLAN name, so check the corresponding vendor documentation.

The enforcement profile needed for all corporate users is shown below.

As such, once the user authenticates against ClearPass, it returns this RADIUS attribute with the VLAN name specified.

If the user authenticates from another location, they still receive the same named VLAN, but on that controller it is mapped to a different VLAN number.
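As an added illustration (not ClearPass or Aruba code), the following Python models the flow described above: one enforcement profile carrying the standard RFC 3580 tunnel attributes with a VLAN name, and a per-NAD name-to-ID table that resolves it locally. The NAD names and VLAN tables are constructed sample data; the only real identifiers are the RFC 3580 attribute names and values. A fourth site with a missing mapping shows the failure mode to check for before rollout.

```python
"""Constructed example: a single named-VLAN RADIUS reply resolved on each NAD.

RFC 3580 carries a VLAN assignment in three attributes: Tunnel-Type=VLAN (13),
Tunnel-Medium-Type=IEEE-802 (6) and Tunnel-Private-Group-Id, whose string may be
either a VLAN number or a VLAN name. The NAD tables below are hypothetical.
"""

# One enforcement profile for every corporate user, regardless of NAD.
CORPORATE_PROFILE = {
    "Tunnel-Type": 13,             # VLAN
    "Tunnel-Medium-Type": 6,       # IEEE-802
    "Tunnel-Private-Group-Id": "Corporate",
}

# Per-NAD VLAN name -> VLAN ID tables (the "NAD config" the post refers to).
NAD_VLAN_TABLES = {
    "controller-location1": {"Corporate": 10, "Guest": 110},
    "controller-location2": {"Corporate": 20, "Guest": 120},
    "controller-location3": {"Corporate": 30, "Guest": 130},
    "controller-location4": {"Guest": 140},   # "Corporate" mapping forgotten here
}


def resolve_vlan(nad, attrs):
    """Return the VLAN ID this NAD will place the client in, or None when the
    reply cannot be applied on it (the client then gets the NAD's default
    behaviour, typically a reject or the port's native VLAN)."""
    if attrs.get("Tunnel-Type") != 13 or attrs.get("Tunnel-Medium-Type") != 6:
        return None
    group_id = attrs.get("Tunnel-Private-Group-Id", "")
    # RFC 2868 allows a leading tag byte (0x01-0x1F) on tunnel attributes; drop it.
    if group_id and 1 <= ord(group_id[0]) <= 0x1F:
        group_id = group_id[1:]
    if group_id.isdigit():                       # numeric form: used as-is
        return int(group_id)
    return NAD_VLAN_TABLES.get(nad, {}).get(group_id)   # named form: local lookup


def assign_all(attrs):
    """Resolve the same RADIUS reply on every NAD: a pre-deployment check that
    each site actually defines the named VLAN the policy returns."""
    return {nad: resolve_vlan(nad, attrs) for nad in NAD_VLAN_TABLES}


if __name__ == "__main__":
    for nad, vlan in assign_all(CORPORATE_PROFILE).items():
        print(f"{nad}: {'VLAN ' + str(vlan) if vlan else 'NO MAPPING - fix NAD config'}")
```

Running it shows the same "Corporate" reply landing on VLAN 10, 20 and 30 at the first three sites, and flags the fourth site where the name was never defined.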

In the next bite, I will show another way to achieve the same outcome.
