We actually are using firewall policies that do accurately detect access based on user, even though they still get an IP assignment in the wrong VLAN. Everything works as we expect since the firewall policies look at user and not machine.

The (small) issue is that since the client doesn't get a new DHCP lease in the correct VLAN, it ends up getting passed to the firewall on the wrong VLAN interface - so in the set of firewall policies for a particular VLAN we actually have to have role-based policies for users who shouldn't be in that VLAN in the first place, only because the Aruba controller isn't switching the user into the correct VLAN when they get their role assignment from the controller.

(I hope that explanation makes sense - at least as far as trying to articulate what's happening.)

(I honestly can't remember why we have two separate VLANs on our one wireless SSID - since the firewall can do role / user-based filtering I'm not sure why the VLANs were originally implemented.)

I'd disagree that policy-only configurations are "the solution" for such problems.

Forgive my ignorance - is ClearPass something in the Aruba controller?

And still for my original question: is there a way to remove a DHCP lease so that the client is then forced to renew?