Great video. One problem: the CLI terminal window is so small. It is 1/6 of my screen. I can barely read your typing.
@AirheadsBroadcasting 6 years ago
More great, new features in ArubaOS-Switch 16.08. Dik gives you a walk-through of the Dynamic Segmentation improvements.
@tehnikis 5 years ago
Why do you have to specify the VLAN twice, under the user role on the controller and on ClearPass in the enforcement profile? Wouldn't it be logical that CP tells the switch and it passes the VLAN information to the controller?
@jazztptman214 6 years ago
Great video. Quick question - can you combine a switch downloadable user role with a secondary (controller) downloadable role? In the video you set the role to employee and had to create the employee role on the controller. Can you have everything dynamic and controlled from ClearPass?
@JohnEgilSolberg 6 years ago
Yes! That's the beauty of it :) There is an updated whitepaper that takes you through it - just search for "ArubaOS-Switch Dynamic Segmentation Technical Whitepaper.pdf". The introduction of "reserved-vlan" is a nice touch. A comment on that - you don't need the VLAN defined on either switch or controller. Also remember that you need to be on CP 6.7.8, AOS-S 16.08 AND AOS 8.4 for it all to run as smoothly as in the guide.
@oss279 4 years ago
@@JohnEgilSolberg Hi John, can you elaborate more on how exactly the reserved VLAN works? What I know is that we do not need to configure this VLAN on the controller, but how exactly is the reserved VLAN used as a mechanism to tunnel traffic from the SW to the MC?
@JohnEgilSolberg 6 years ago
Nice walkthrough Dik! I want to point out that there are a few things you do that aren't needed with the software versions you list:
* Manual download of the ClearPass RootCA certificate; this is done automatically (according to Tim in a recent Airheads post - I haven't verified it myself).
* Adding the VLAN to the secondary role; this is not required with AOS-S 16.08 and is only added to the role in the controller.
So people should combine this with Aruba Controller DUR to give full flexibility, including the USER VLAN pushed from ClearPass. There is a whitepaper for this that you might want to point out ;)
And - can you elaborate more on how to do this with a cluster? It's not clear which IP you use if you have, say, a cluster of 4 controllers. In my test with 2 controllers I just added the first controller IP, and then the second was automatically added as a tunnel even if I didn't add it as secondary-controller-ip. Cheers!
@AirheadsBroadcasting 6 years ago
Hi John, you're correct in saying that the certificate push is done automatically; however, for the sake of speed in the video I forced the download of the certificate. As for adding the VLAN in the secondary user role on ClearPass, you're correct. You don't really need that; you can also see this when you issue the "show port-access client detail" command. There is no VLAN for that authenticated user; it is enforced on the mobility controller.
As for the cluster setup, this is a completely automatic process. In a cluster environment you provide the Master IP address as the tunneled-node-server. The mobility master knows all the controller members in the cluster. What will happen is that when the tunneled-node-server connection (control plane) is established, it will be established with one of the cluster members. This will be the SAC (Switch Anchor Controller). At the same time a dormant tunnel is established with an S-SAC (Secondary Switch Anchor Controller). When the primary fails there is an instant failover to the S-SAC. The same applies to the user tunnel. The user tunnel is established with the UAC (User Anchor Controller). This is the data plane. There is also a dormant entry created with an S-UAC, so when the active connection fails there is an instant failover to the secondary. The tunnel entries are maintained in a bucket map that is maintained by the mobility master. The bucket map contains all the client and switch anchor controller mappings, so there is always an up-to-date connection list. For example, if you have a cluster with 4 members, each SAC/S-SAC/UAC/S-UAC connection is load balanced across all 4 members; this is done dynamically based on the information in the bucket map. Hope this helps.
@JohnEgilSolberg 6 years ago
@@AirheadsBroadcasting Thanks for the reply! You can't add the MM as the IP for tunneled-node-server controller-ip - unless there is some other magic config that needs to be applied to the controller. Like - how would the MM know which MD cluster and/or MC to terminate the tunnel on?
@AirheadsBroadcasting 6 years ago
@@JohnEgilSolberg You are right that you can't add the MM as the IP for tunneled-node-server. You need to point it to the IP address of one of the cluster members, or to the VRRP IP address in case you have VRRP configured on your cluster. The switch will automatically learn all cluster members and set up tunnels to the SAC and S-SAC.
@AirheadsBroadcasting 6 years ago
@@JohnEgilSolberg Hi John-Egil, I have verified this. You just add one of the mobility controller IP addresses. Each MC contains the bucket map with all the other MC members, so as soon as you configure the controller IP, the MC sends a bootstrap message containing the bucket map, and the SAC and S-SAC connections between the switch and another MC in the cluster will be established. So, for example, if you have 4 MCs with IP addresses 1, 2, 3 and 4 and you configure the controller IP to be 1, a SAC is established with 1 and an S-SAC with one of the other MCs (can be any). And it's all dynamic for the S-SAC. Hope this makes sense.
@JohnEgilSolberg 6 years ago
@@AirheadsBroadcasting Yes it does - thanks for checking up on and verifying this :)
@munkh-orgilerdenebat8778 5 years ago
Thanks for the great video. I did exactly what you did, but the switches fail to download user roles. What could be the problem?
@AirheadsBroadcasting 5 years ago
Hello, this could be related to a number of things. First, it is super important that the time on your switch is in sync with ClearPass. So, make sure that your ClearPass and switches are using the same time source.
In addition, check whether the certificate is downloaded to the switch. You can check this by doing the following: enable debugging on the switch and enable event debugging (debug destination session and debug event). Then issue the command: radius-server host a.b.c.d clearpass (a.b.c.d is the IP address of your ClearPass server). Once you issue the command, the debug screen should show the download of the certificate. If this doesn't happen, then it might be that the HTTPS certificate that you are using on ClearPass is not a trusted certificate. If that is the case you have to manually download/copy the certificate onto the switch by creating a ta-profile and copying the certificate into the ta-profile through TFTP.
If your certificate is OK, then the next thing to check is whether you have the downloadable user role admin user created on ClearPass and on the switch. This user is used to download the role over SSL. If all of these actions don't help, then you have to start debugging your security on the switch. Enable "usertn" and "security ssl" debugging and check what is happening on the console when you authenticate a device. Typically, the most common issues are related to time sync, the certificate and the DUR admin user. Hope this helps.
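The troubleshooting sequence above, collected into one ArubaOS-Switch CLI session as an added example (not from the video or the comment author). The commands quoted in the thread are used as given; the NTP server, ClearPass IP, TFTP server, ta-profile name and file name are assumed values, and the ta-profile, NTP and DUR admin command syntax is assumed from the 16.08 command reference and should be checked against your platform before use.

```text
! 1. Time sync first: a clock skew between switch and ClearPass makes the
!    ClearPass certificate look not-yet-valid or expired to the switch.
show time
timesync ntp
ntp server 10.0.0.123          ! assumed NTP server; use the same one as ClearPass
ntp enable

! 2. Watch the automatic RootCA download while registering ClearPass as a
!    RADIUS server (commands as quoted in the thread above).
debug destination session
debug event
radius-server host 10.0.0.10 clearpass   ! 10.0.0.10 = assumed ClearPass IP
! Expected: the debug output shows the ClearPass certificate being fetched.
! Nothing shown -> the HTTPS certificate on ClearPass is probably not
! trusted by the switch; fall back to a manual trust anchor (step 3).

! 3. Manual fallback: a trust-anchor profile filled over TFTP
!    (syntax assumed; the thread only names "ta-profile" and "tftp").
crypto pki ta-profile ClearPass-CA
copy tftp ta-certificate ClearPass-CA 10.0.0.5 clearpass-rootca.pem
show crypto pki ta-profile ClearPass-CA
! A status other than a valid anchor (e.g. "pending" or "invalid anchor
! certificate", as reported later in this thread) means the wrong
! certificate was copied: it must be the CA that signed the ClearPass
! HTTPS certificate, not the server certificate itself.

! 4. The DUR admin account the switch uses to fetch the role over SSL
!    must match the user defined on ClearPass (syntax assumed).
radius-server cppm identity dur-admin key <password-placeholder>
show radius

! 5. Still failing: trace the user-tunnel and SSL paths while a client
!    authenticates, then inspect what the switch learned for that client.
debug usertn
debug security ssl
show port-access client detail
```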
@munkh-orgilerdenebat8778 5 years ago
@@AirheadsBroadcasting In my case the NTP and DUR admin configs are okay. I uploaded the certificate to the switch as you showed in the video. Now I will try to upload the HTTPS certificate manually.
@munkh-orgilerdenebat8778 5 years ago
@@AirheadsBroadcasting I checked the certificate on the switch. It says pending. I uploaded it manually. This time it says invalid anchor certificate.
@munkh-orgilerdenebat8778 5 years ago
@@AirheadsBroadcasting The problem was related to the certificate. I created a certificate request from CPPM first and signed it with our cert server. Then I uploaded that certificate to ClearPass. After that everything works fine :)
@null_zero 6 years ago
Good walk-through, Dik. How about a shorter video that just shows the specific config steps?
@AirheadsBroadcasting 6 years ago
Hi Joe, I think that's a good idea. Let me work on that.