Aruba Instant & Cloud Wi-Fi

Occasional Contributor II
Posts: 51
Registered: ‎03-13-2014

RADIUS attributes on IAP

Hello,

I am trying to set up multiple VLANs on an SSID and assign them based on some attributes from LDAP, provided by the RADIUS server. I mapped an LDAP attribute businessCategory to User-Category in freeradius. I saw there was a way to show what attributes RADIUS was providing by running some console commands. I am not sure if these work on the IAP as well though?

Long story short, it isn't working and I need to figure out why :)

First step was to check and make sure the attribute was being provided to the IAPs.

Thanks.

Occasional Contributor II
Posts: 51
Registered: ‎03-13-2014

Re: RADIUS attributes on IAP

I did some troubleshooting on freeradius and found it is serving the attribute, but not sure if it is making it to the IAPs.

radiusd[83078]: Login OK: [robert/<via Auth-Type = EAP>] (from client mustang port 0 cli 00:23:14:36:68:6C) sysadmin

Note sysadmin at the end is the value of the attribute for robert (me).

MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: RADIUS attributes on IAP

Not sure about the IAP, but you could see if you can't capture the network traffic before the IAP.

Occasional Contributor II
Posts: 51
Registered: ‎03-13-2014

Re: RADIUS attributes on IAP

Will that work if I am using EAP-TTLS?

MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: RADIUS attributes on IAP

So far I have always been able to see RADIUS packets and their content.
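
An added example, not part of the thread: a small Python parser for the attributes a capture taken between the RADIUS server and the IAP would show in the final Access-Accept. Reply attributes sit beside the EAP-Message attribute rather than inside the EAP-TTLS tunnel, so they are readable in the capture. The sample packet is constructed, and Filter-Id and Aruba-User-Role stand in for whichever reply attribute the server is configured to send.

```python
import struct

ARUBA_VENDOR_ID = 14823  # Aruba's IANA enterprise number
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
NAMES = {1: "User-Name", 11: "Filter-Id", 79: "EAP-Message"}
ARUBA_NAMES = {1: "Aruba-User-Role", 2: "Aruba-User-Vlan"}

def avp(attr_type, value):
    """Encode one type-length-value attribute (RFC 2865, section 5)."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_radius(packet):
    """Return (packet_type, [(attribute_name, raw_value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not match the packet")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        name = NAMES.get(attr_type, "Attr-%d" % attr_type)
        if attr_type == 26 and len(value) >= 6:  # Vendor-Specific
            # Only the first vendor sub-attribute is decoded here.
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            name, value = "Vendor-%d-Attr-%d" % (vendor, v_type), value[6:4 + max(v_len, 2)]
            if vendor == ARUBA_VENDOR_ID:
                name = ARUBA_NAMES.get(v_type, name)
        attrs.append((name, value))
        pos += attr_len
    return CODES.get(code, "Code-%d" % code), attrs

def sample_access_accept():
    """Constructed Access-Accept; the authenticator is zeroed, not a real one."""
    eap_success = bytes([3, 7, 0, 4])  # EAP code 3 (Success), id 7, length 4
    vsa = struct.pack("!I", ARUBA_VENDOR_ID) + avp(1, b"sysadmin")
    body = avp(79, eap_success) + avp(11, b"sysadmin") + avp(26, vsa)
    return struct.pack("!BBH", 2, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    packet_type, attributes = parse_radius(sample_access_accept())
    print(packet_type)
    for name, value in attributes:
        print("  %-16s %r" % (name, value))
```

If the attribute the VLAN rule matches on is missing from this list in a real capture, the server is not putting it on the wire, whatever its own log shows.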

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: RADIUS attributes on IAP

What is this attribute that you are sending back?  Aruba-User-Role?  filterid?  Something else?  Is the role based access in the SSID set up to apply the role based on these attributes?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 51
Registered: ‎03-13-2014

Re: RADIUS attributes on IAP

The attribute is User-Category. I set up the SSID with the different VLANs, the role is currently unrestricted since we have separate VLANs and a firewall between the VLANs.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: RADIUS attributes on IAP

Can you try doing role based and doing the same logic.

Remove the VLAN assignment rules and switch to assigning a role based on the same attribute.  If you get the expected attribute here, let us know.  If not, sounds like a RADIUS server issue.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Occasional Contributor II
Posts: 51
Registered: ‎03-13-2014

Re: RADIUS attributes on IAP

Success! That worked. Not sure why the other way is not however.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: RADIUS attributes on IAP

Hmmm - I would open up a case to see if this is as designed or something else.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com