Aruba Instant & Cloud Wi-Fi

New Contributor
Posts: 4
Registered: ‎03-17-2014

VLAN Derivation/Assignment Rules

Hi! I'm new to this forum and fairly new to Aruba.

 

I'm attempting to configure dynamic VLAN assignment on our primary SSID. When I configure VLAN assignment rules I am only allowed to configure 7 (not including the default rule). I need 15, because company-wide we have 15 VLANs a user could potentially connect on. The CLI tells me I can't configure any more rules. Is this a limitation of the software or am I configuring my rules incorrectly? So far, what I have works; I am just short on the VLANs I can configure. I've attached a screenshot of my configuration. Any thoughts, recommendations, criticisms, or even face punches are welcome.

Guru Elite
Posts: 7,847
Registered: ‎09-08-2010

Re: VLAN Derivation/Assignment Rules

Currently there is a limit of 8. What are you using for your RADIUS server? There may be other options.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 4
Registered: ‎03-17-2014

Re: VLAN Derivation/Assignment Rules

We are using FreeRADIUS with LDAP389 (I believe). We are an all-Linux shop. We will be using ClearPass within the year hopefully (just on proof of concept now). Is there any way to consolidate the rules? I'm curious as to why there isn't a way to configure a rule that says "based on the VLAN ID received, assign that VLAN", instead of "If VLAN ID is A assign VLAN A" and repeat 15 times. Manually configuring every possible VLAN seems to be a small oversight in the design of this feature. And the fact that other larger organizations out there don't have more than 8 VLANs that need to be dynamically assigned baffles me. I feel like I am overlooking something.

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: VLAN Derivation/Assignment Rules

evadlegne,

 

You can return the VLAN number in the Attribute "Aruba-User-Vlan" on the freeradius side and you won't have to write 15 rules...

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
New Contributor
Posts: 4
Registered: ‎03-17-2014

Re: VLAN Derivation/Assignment Rules

What would the string and VLAN configurations look like on the AP side? I wouldn't be able to specify a VLAN number like I'm currently doing.

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: VLAN Derivation/Assignment Rules

[ Edited ]

The "Aruba-User-VLAN" is a Vendor Specific Attribute that automatically overrides any VLAN when it is returned to an Aruba controller during authentication via RADIUS. No configuration is required on the AP side. Make sure that the Aruba Vendor Specific Attributes are loaded in freeradius. Aruba-User-VLAN is attribute 2, is an integer, and Aruba's vendor ID is 14823.

Colin Joseph
Aruba Customer Engineering

New Contributor
Posts: 4
Registered: ‎03-17-2014

Re: VLAN Derivation/Assignment Rules

Ahhh, that's good to know. Thanks for the information. What about if we decide to use ClearPass? We may just start using ClearPass sooner. ClearPass is pulling VLAN attributes from LDAP. Which attribute would we configure on the AP using ClearPass this way?

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: VLAN Derivation/Assignment Rules

If you use ClearPass, the Aruba RADIUS attributes are loaded, and the logic to populate the attribute will reside on ClearPass.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 7
Registered: ‎07-23-2014

Re: VLAN Derivation/Assignment Rules

I cannot get this to work in 6.4.1. I confirmed that the vlan id is being sent back to the controller from my NPS server, but the client never gets put in the VLAN defined in the attribute; only in the vlan defined in the virtual ap profile. Is there something that needs to be done at the vap level or somewhere else to get the controller to accept the dynamic vlan?

Guru Elite
Posts: 7,847
Registered: ‎09-08-2010

Re: VLAN Derivation/Assignment Rules

Are you using Aruba-User-VLAN or Filter-ID in NPS?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
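
For checking what a RADIUS server actually returns, here is an added example (not code from any poster in this thread or from Aruba) that encodes and decodes the Aruba-User-VLAN VSA using the values given above: vendor ID 14823, attribute 2, integer. The function names, the Filter-Id value "staff" and VLAN 115 are constructed for illustration, and the response authenticator is not verified.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823   # from the thread
ARUBA_USER_VLAN = 2       # from the thread: attribute 2, integer

def build_vsa(vlan):
    """Encode Aruba-User-VLAN as a Vendor-Specific attribute."""
    sub = struct.pack("!BBI", ARUBA_USER_VLAN, 6, vlan)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ARUBA_VENDOR_ID) + sub

def access_accept(attrs, ident=1):
    """Constructed Access-Accept (code 2) with a zeroed authenticator."""
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + bytes(16) + attrs

def iter_tlvs(buf, what):
    """Yield (type, value) pairs from a run of type/length/value fields."""
    pos = 0
    while pos < len(buf):
        length = buf[pos + 1] if pos + 2 <= len(buf) else 0
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"malformed {what}")
        yield buf[pos], buf[pos + 2:pos + length]
        pos += length

def aruba_user_vlan(packet):
    """Return the VLAN in Aruba-User-VLAN, or None if the VSA is absent."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS packet length")
    for atype, value in iter_tlvs(packet[20:length], "attribute"):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue  # another vendor's VSA
        for stype, svalue in iter_tlvs(value[4:], "sub-attribute"):
            if stype == ARUBA_USER_VLAN:
                if len(svalue) != 4:
                    raise ValueError("Aruba-User-VLAN is not a 4-byte integer")
                vlan = struct.unpack("!I", svalue)[0]
                if not 1 <= vlan <= 4094:  # usable 802.1Q VLAN IDs
                    raise ValueError(f"VLAN {vlan} outside 1-4094")
                return vlan
    return None

# Constructed sample: Filter-Id (type 11) "staff" followed by the Aruba VSA.
FILTER_ID = bytes([11, 7]) + b"staff"
SAMPLE = access_accept(FILTER_ID + build_vsa(115))
```

A response that carries only Filter-Id decodes to `None`, which distinguishes the two cases asked about in the last reply.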