Cloud Managed Networks

Hopefully you can help me with the following challenge. A few weeks ago, we changed our infrastructure and migrated to Aruba Central. All our APs are now running AOS10 and are also managed in Aruba Central.

We have an enterprise environment with the following setup:

• 2 locations
• Connected via dark fiber
• Wi-Fi managed in Aruba Central
• Core switches replaced by CX 8100
• One location equipped with 6200 switches
• The other location still has older Dell switches
• Firewall
• +/- 3500 users (95% of laptops are Intune-managed)
• Azure Active Directory (no on‑prem AD anymore)

Previously, we used a /16 network for Wi-Fi where all devices were placed in this network, and to split the broadcast traffic, we used 3 different VLANs:

• VLAN 100 = For users at location 1 (/23)
• VLAN 200 = For users at location 2 (/23)
• VLAN 300 = Old Wi-Fi VLAN for all other users (/16)

We use a captive portal to ensure that all users must authenticate using Cloud Auth.

For this, we use VLAN 300, with the Captive Wifi SSID CORP-Onboard giving users 10 minutes of internet access so they can download the HPE Onboard tool.

On this portal, we have placed the link for installing the HPE Onboard tool. Because all laptops are Intune-managed, we have already silently installed the tool.
On this page, users can also indicate that they already downloaded the HPE Onboard tool and continue to install the network profile.

Up to this point, everything works fine. But after that, the problems begin. Once users install the certificate and try to connect to the Wi-Fi network created for Cloud Auth, issues arise.
This Wi-Fi network is called CORP-Cloud-Auth.

This Wi-Fi network uses WPA3-Enterprise (CCM 128).

Under the VLAN tab, the following configuration is used:

• Default VLAN = Dummy
• If Aruba-User-Role equals User, assign bridge VLAN: VLAN 300
• If Access point-name contains loc1, assign bridge VLAN: VLAN 100
• If Access point-name contains loc2, assign bridge VLAN: VLAN 200

Under the Security tab, we configured the primary server as Cloud Auth.

Under the Access tab, the network is set to network-based with the rule:
Deny any to all destinations.

The issue we are experiencing now is that after installing the certificate, users sometimes need to restart their laptops before they can connect, but sometimes not.
They do connect to the network, but receive an APIPA address.

When we restart, again, sometimes they get an IP address and other times they do not.

Can you give us an idea of where this problem might be?

Hopefully you can help me with the following challenge. A few weeks ago, we changed our infrastructure and migrated to Aruba Central. All our APs are now running AOS10 and are also managed in Aruba Central.

We have an enterprise environment with the following setup:

• 2 locations
• Connected via dark fiber
• Wi-Fi managed in Aruba Central
• Core switches replaced by CX 8100
• One location equipped with 6200 switches
• The other location still has older Dell switches
• Firewall
• +/- 3500 users (95% of laptops are Intune-managed)
• Azure Active Directory (no on‑prem AD anymore)

Previously, we used a /16 network for Wi-Fi where all devices were placed in this network, and to split the broadcast traffic, we used 3 different VLANs:

• VLAN 100 = For users at location 1 (/23)
• VLAN 200 = For users at location 2 (/23)
• VLAN 300 = Old Wi-Fi VLAN for all other users (/16)

We use a captive portal to ensure that all users must authenticate using Cloud Auth.

For this, we use VLAN 300, with the Captive Wifi SSID CORP-Onboard giving users 10 minutes of internet access so they can download the HPE Onboard tool.

On this portal, we have placed the link for installing the HPE Onboard tool. Because all laptops are Intune-managed, we have already silently installed the tool.
On this page, users can also indicate that they already downloaded the HPE Onboard tool and continue to install the network profile.

Up to this point, everything works fine. But after that, the problems begin. Once users install the certificate and try to connect to the Wi-Fi network created for Cloud Auth, issues arise.
This Wi-Fi network is called CORP-Cloud-Auth.

This Wi-Fi network uses WPA3-Enterprise (CCM 128).

Under the VLAN tab, the following configuration is used:

• Default VLAN = Dummy
• If Aruba-User-Role equals User, assign bridge VLAN: VLAN 300
• If Access point-name contains loc1, assign bridge VLAN: VLAN 100
• If Access point-name contains loc2, assign bridge VLAN: VLAN 200

Under the Security tab, we configured the primary server as Cloud Auth.

Under the Access tab, the network is set to network-based with the rule:
Deny any to all destinations.

The issue we are experiencing now is that after installing the certificate, users sometimes need to restart their laptops before they can connect, but sometimes not.
They do connect to the network, but receive an APIPA address.

When we restart, again, sometimes they get an IP address and other times they do not.

Can you give us an idea of where this problem might be?