ArubaOS and Controllers

Reply
Regular Contributor I
Posts: 241
Registered: ‎04-03-2007

RADIUS-derived VLAN pool?

Hi all,

Is there a way to create multiple vlan pools and use server-derived rules to place users into one pool or another? I know I can put a user into a derived *single* vlan, but this won't scale to what we want to do.

We currently use vlan pooling with our 802.1x SSID. All authenticated users are placed into a vlan from that pool. We want to start separating faculty, staff and student groups into different networks (vlan pools) so that we can watch traffic flows for one user class and not another (our traffic flow product charges by the bit and we'd like to prune out student traffic and monitor only faculty/staff traffic).

Any other ideas for solutions are appreciated.

Thanks!
Mike
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: RADIUS-derived VLAN pool?

Michael - not 100% sure this will work, but in a recent version of code, Aruba now supports named VLANs. You could possibly create Student and Faculty pools and assign the pool by passing the name back from RADIUS. Page 62 of the 3.4.2 user guide explains how to create the named pools.

Again, I am not 100% sure this will work, but if it does, it will solve your issue I think.
Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Pools


Michael,

You cannot write server derivation rules for pools, unfortunately. You might want to write your derivation rules for your two smaller groups and put them in large VLANs, since we have broadcast control. You will then want your largest group, who do not fall into those categories, into the Virtual AP pool.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 100
Registered: ‎11-07-2008

Re: RADIUS-derived VLAN pool?

Maybe I'm misunderstanding the question, but if you are using radius, you can do this easily. You just filter attributes under the AAA profile to place users based on that attribute in a different vlan. If you are using a NAC that does vlan switching, this can do it too. That is what we do here. All students are separated from faculty/staff vlans.
Regular Contributor I
Posts: 241
Registered: ‎04-03-2007

Re: RADIUS-derived VLAN pool?

gwilliams, I think Colin answered my question (unfortunately!).

Our current vlan pool currently consists of sixteen /24 subnets and growing. faculty/staff/students are all lumped in together, using this same pool.

We want to segregate, or group, user traffic so that we can monitor the network flows of our faculty/staff users only. We are not concerned with running our students through our flow collection box. Because the flow box license charges by bandwidth it is in our interest to drop the unwanted student traffic.

We have thousands of users. Creating just one HUGE subnet for faculty/staff and one HUGE subnet for students does not sound very attractive to us, even with broadcast mitigation knobs in place.

Aside from creating a separate SSID for Faculty/Staff and a separate SSID for Students has anyone else had the need to group classes of users into different networks and came up with a solution?

Thanks!
Mike
Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Pools

Mike,

My solution is the find the largest group of users (students usually) and let them use the pool. Others, you can put into the large subnets if possible.

So if you are doing checks in the server group for faculty, one for staff, you can put those two separate groups into a larger than usual VLAN. Anybody that you are not checking for, will be subject to the pool. So it will look like this:

Virtual AP Encrypted with VLANs 100-200

Server rules would look for the attribute faculty and put them in faculty role tied to VLAN x
Server rules would look for the attribute staff and put them in staff role tied to VLAN y
Students authenticated, but since they do not match these rules, they get the default 802.1x role, which is student, NOT tied to any VLAN. Students would end up in VLANs 100 to 200 pooled.

Make sense?

If you even had to burn a /23 for the faculty VLAN and a /23 for the staff VLAN, would this work?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 27
Registered: ‎09-19-2007

Steel Belted RADIUS solution

Not sure if other RADIUS implementations will do this, but SBR allows you to do round-robin attribute assignments. So, as students log in, you assign them to a profile that does round-robin assignments. That way, you could return an attribute back to the controller that would evenly distribute the students or faculty to different VLANs. SBR does it in ".rr" files and profiles.

Patrick
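
The two designs above (Colin's "explicit VLAN for the small classes, pool for everyone else" and Patrick's round-robin spreading) can both be expressed on the RADIUS side. The following is an added example, not code from the thread or from Aruba or SBR: it assumes the controller has a server-group derivation rule that maps the returned Filter-Id to a user role, and that the standard RFC 2868 tunnel attributes carry the VLAN; the class-to-VLAN table is constructed.

```python
"""Added example (not from the thread): a RADIUS-side VLAN policy.

Faculty and staff get a role plus an explicit VLAN, either a single large
VLAN (Colin's design) or round-robin over a short list (Patrick's SBR-style
.rr profiles).  Students get no VLAN attribute at all, so the controller
applies the default 802.1X role and leaves them in the virtual-AP pool.
Attribute names follow RFC 2868/3580; the tables below are constructed.
"""
import itertools
from typing import Dict, Iterable, List, Optional

# Constructed policy table: user class -> VLAN IDs it may be placed in.
# One entry reproduces "one big VLAN per class"; several entries give
# round-robin spreading across smaller subnets for that class.
CLASS_VLANS: Dict[str, List[int]] = {
    "faculty": [300],
    "staff": [310, 311],
}
# Order matters: a user who is in several groups takes the first match.
CLASS_PRIORITY: List[str] = ["faculty", "staff"]


class VlanPolicy:
    def __init__(self, table: Dict[str, List[int]] = CLASS_VLANS,
                 priority: List[str] = CLASS_PRIORITY) -> None:
        # One independent round-robin cursor per class.
        self._cycles = {cls: itertools.cycle(v) for cls, v in table.items()}
        self._priority = priority

    def classify(self, groups: Iterable[str]) -> Optional[str]:
        """Return the first configured class the user's groups match."""
        groups = set(groups)
        for cls in self._priority:
            if cls in groups:
                return cls
        return None  # unmatched: students, guests, anything not listed

    def reply_attributes(self, groups: Iterable[str]) -> Dict[str, str]:
        """Build the Access-Accept attributes for a user with these groups."""
        cls = self.classify(groups)
        if cls is None:
            # No VLAN attribute: controller uses the default 802.1X role
            # and its VLAN pool for this user.
            return {}
        vlan = next(self._cycles[cls])
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan),
            "Filter-Id": cls,  # matched by the controller's derivation rule
        }
```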
Occasional Contributor I
Posts: 5
Registered: ‎01-20-2010

Maybe

There are several ways to tackle this.

We have 4 campus wide networks here and currently I don't have the dilemma you do by having too many people yet, but I still have separate IP networks but same VLAN IDs for each campus.

We just use the same VLAN id on all the different controllers and the router has a different subnet for the same vlan ID and it routes that way. Same campus of course has the same network.

If the network is getting too large one other thing to do is use "location based" vlans meaning building 1 has this vlan and building 2 has this vlan that may be easier for you also. If that is still not small enough then change to floor based vlans based on location.

--- edited---
Keep in mind the radius server can send back the VLAN attribute you want. So you can in turn set up each type of "windows group" to send a different VLAN id back to the controller and the controller will assign the vlans appropriately. I don't know if you use Microsoft Groups for authentication but if you did then you can separate each class of user into different vlans; that is what we do here. Network Administrators (Vlan 50), Technicians (Vlan 51), Public Wifi (Vlan 200), Lower Nurse user (Vlan 99), Application User (Vlan 97)

We separate each class of user to ensure we don't mix traffic types.


Cody Adams
Willis-Knighton Health System
MVP
Posts: 501
Registered: ‎04-03-2007

Re: RADIUS-derived VLAN pool?

Michael,

All the mentioned workarounds are possible, but your inquiry and desire seem synonymous with what I see us doing in the future. The solution would be to have the user-role specify a vlan-name, which would represent a pool of vlans . . .
. . . unfortunately, with the vlan-naming additions to AOS, this was one component that was left out. I submitted a Feature Request a while ago for the vlan specified in a user-role (or derivation-rule) to be compatible with vlan-pooling. If you don't mind, please contact your SE and ask that your organization, too, be associated with the feature request. Maybe if enough of us ask for it, it'll get added.

*My* solution for you would be to define a named-vlan on your controllers and have them correlate to a single vlan-id (and thus a particular network). The user-role would put users into this named-vlan, and in turn the applicable vlan-id for *that* controller. Mobility can be solved by enabling Mobile-IP and building your Home Agent Tables accordingly.

I'd be happy to talk through this scenario off thread, if you'd like. Go ahead and PM if needed.

(FYI - I would NOT recycle the same vlan-ids across your core while having them associated to different subnets, as you *could* run into spanning-tree issues.)
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 21,281
Registered: ‎03-29-2007

Limitations

Mdickson,

Your limitations today are ap-groups. Even if you were using a single controller, different groups of access points can route users into different VLANs based on your need. Ap-Group one, which would represent half of your customers can put faculty into role faculty1, which maps to VLAN 1. A different ap-group can represent faculty in a different part of your campus and put them into VLAN2. Please contact your local Aruba systems engineer so that this can get properly designed. The solution to this problem does not require large subnets to function as you need it to.


Colin Joseph
Aruba Customer Engineering

