ArubaOS and Controllers

Contributor I

Specifying VLAN based on RADIUS property

I don't know if this is even possible, but I'm throwing it out there to see if anyone has any ideas...

I have my corporate network set to use VLAN pooling, utilizing VLANs 110-117, and VLAN pooling is working like a charm.

There are some network admins that connect to the corporate, who usually get a reserved DHCP address. This is so they match ACL rules on internal routers/switches based on a list of allowed IP addresses.

Is there a way for the Aruba to place specific users (on username, say) into a specific VLAN? Essentially I want to override the VLAN pooling for specific users. If I could get my user account to always be put into VLAN111, I can make sure I always receive the same reserved address...

Oh, and the DHCP server is external to Aruba...

Thanks,

JP
Guru Elite

Yes, You can

J.P.

You can:

1. Create a role for those special users that has VLAN111 attached to it on the Aruba Controller.
2. Write a radius remote access policy on the radius server that returns a radius attribute whenever users in that group authenticate.
3. Write a server rule on the Aruba Controller for that server group that will switch a user to that role whenever it sees that attribute.

This method will take precedence over the VLAN pooling, and place those users in VLAN111 every time.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Moderator

Re: Specifying VLAN based on RADIUS property

Role-based VLANs is probably the easiest method, if all of those users can be put into a specific role. If you're already returning some RADIUS attribute to indicate a role, then it's straightforward to override the default VLAN pool using a VLAN defined in the role.

Another way is directly by returning something from RADIUS to indicate VLAN. You can either send some arbitrary attribute and write a "server derivation rule" on the controller to match it, or there is an Aruba VSA that will automatically indicate VLAN membership to the controller - no rule configuration necessary on the controller. VSA information below, in case you don't already have it.

One thing you can't do (today) is use a RADIUS-derived VLAN pool. You can override the default VLAN pool with one specific VLAN, but you can't override the default VLAN pool with another VLAN pool. It doesn't sound like that's what you're trying to do though.

A final consideration - if you have multiple controllers in the network and are doing role-based VLANs or server derived VLANs, make sure that the VLAN is available at every controller. The new "named VLANs" feature in 3.4 will let you get around this by abstracting the VLAN ID.

Aruba VSA information (available on the support site) - the one in bold is what you could use:

#
# dictionary.aruba
#
# Version: $Id$
#
#

VENDOR Aruba 14823

ATTRIBUTE Aruba-User-Role 1 String Aruba
ATTRIBUTE Aruba-User-Vlan 2 Integer Aruba
ATTRIBUTE Aruba-Priv-Admin-User 3 Integer Aruba
ATTRIBUTE Aruba-Admin-Role 4 String Aruba

# Added in 2.4.1.0 (June 2005)

ATTRIBUTE Aruba-Essid-Name 5 String Aruba
ATTRIBUTE Aruba-Location-Id 6 String Aruba

# Added in 2.5.3.0 (July 2006)

ATTRIBUTE Aruba-Port-Identifier 7 String Aruba
---
Jon Green, ACMX, CISSP
Security Guy
Occasional Contributor II

Aruba-User-Vlan to put users in a certain vlan configured in that Aruba Attribute

Hello,

What I do is:

1. In the RADIUS users file I have configured something like this:

--- users file:
....
guest   User-Password = "testing"
        Aruba-User-Vlan = 256

....
DEFAULT Auth-Type := LDAP
        Fall-Through = yes
...
--- end users file

And I see in the RADIUS Reply messages the Aruba Attribute sent.
But it does not work, Aruba does not put me in that Vlan ID.
I have configured the server group but I don't know what's the problem. I have tried to configure the server rules in different ways, like:

Aruba-User-Vlan contains 256 set vlan 256
or
Aruba-User-Vlan value-of set vlan

but again it does not work. Of course RADIUS has its Aruba proprietary dictionary included.
I don't know the steps to get it to work successfully.

Can somebody help me please?

thank you very much

albert
Occasional Contributor II

Re: Specifying VLAN based on RADIUS property

Hi Albert,

I am specifying VLANs for certain users, and I simply use the 'Filter-Id' Radius attribute (it's a standard attribute so you don't need to add anything specific to your Radius server). This works fine for me:-

Config
aaa server-group "XXXX"
    allow-fail-through
    auth-server XXX1
    auth-server YYY2
    set vlan condition Filter-Id equals "938" set-value 938

On the Radius server make sure that the Filter-Id attribute is applied to the group your users are in - or directly to the user.

To check the attribute is coming through, do a packet-capture on the controller:-
from the CLI:-
packet-capture udp 1812

once the capture is running, get the client to attach to the network (or attempt to)

stop the capture :-
packet-capture udp disable

Download the log file including technical support info from the GUI. There will be a file in the log-download.tar called filter.pcap. Look in there at the response from the Radius server, and make sure the attribute is actually being sent (see attachment).
Sorry if you already know how to do the above...

Andrew
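To make that pcap check concrete, here is an added Python example (not from this thread, from Aruba or from FreeRADIUS) that encodes the Aruba-User-Vlan VSA from the dictionary Jon posted (vendor 14823, attribute 2, Integer) into a constructed Access-Accept and then decodes the reply the way you would inspect it in filter.pcap, picking up both Albert's VSA form and Andrew's standard Filter-Id form. The packet, VLAN numbers and function names are constructed for the example.

```python
import struct

ARUBA_VENDOR_ID = 14823  # VENDOR Aruba 14823, from the dictionary.aruba posted above
ARUBA_VSA_NAMES = {1: "Aruba-User-Role", 2: "Aruba-User-Vlan", 3: "Aruba-Priv-Admin-User",
                   4: "Aruba-Admin-Role", 5: "Aruba-Essid-Name", 6: "Aruba-Location-Id",
                   7: "Aruba-Port-Identifier"}
INTEGER_VSAS = {2, 3}                 # the Integer-typed entries in that dictionary
FILTER_ID, VENDOR_SPECIFIC = 11, 26   # RFC 2865 standard attribute types

def build_aruba_vsa(vendor_type, value):
    """Encode one Aruba VSA inside an RFC 2865 Vendor-Specific (type 26) attribute."""
    data = struct.pack("!I", value) if vendor_type in INTEGER_VSAS else value.encode()
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    payload = struct.pack("!I", ARUBA_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(payload)) + payload

def build_access_accept(attrs, identifier=1):
    """Constructed Access-Accept (code 2). The 16-byte authenticator is zeroed here;
    a real server puts the MD5 response authenticator there."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 2, identifier, 20 + len(body)) + bytes(16) + body

def vlan_attributes(packet):
    """Return the VLAN-relevant attributes in a RADIUS reply (standard Filter-Id and
    any Aruba VSA), i.e. what you would check in filter.pcap from the controller."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated attribute")
        val = packet[pos + 2:pos + alen]
        if atype == FILTER_ID:
            found["Filter-Id"] = val.decode()
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == ARUBA_VENDOR_ID:
            vtype, vlen = val[4], val[5]            # vendor-type, vendor-length
            vval = val[6:4 + vlen]
            name = ARUBA_VSA_NAMES.get(vtype, f"Aruba-VSA-{vtype}")
            found[name] = struct.unpack("!I", vval)[0] if vtype in INTEGER_VSAS else vval.decode()
        pos += alen
    return found

# Constructed sample reply carrying both forms discussed in the thread:
# Andrew's Filter-Id = "938" and Albert's Aruba-User-Vlan = 256.
SAMPLE_REPLY = build_access_accept([struct.pack("!BB", FILTER_ID, 5) + b"938",
                                    build_aruba_vsa(2, 256)])
```

If the decoded dictionary is empty for a real capture, the server never sent the attribute and the problem is on the RADIUS side, not in the controller's server rule.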
Occasional Contributor II

but why not Aruba-User-Vlan Aruba specific VSA?

Hello again

but why not Aruba-User-Vlan Aruba specific VSA? Because if you use the server rules, it should work I think. I mean, just configure one server rule:
Aruba-User-Vlan set value-of

What the Aruba does is put the users in the VLAN told by RADIUS. RADIUS tells the Aruba controller the VLAN for the certain users.

Do you know what I mean?

thanks
Occasional Contributor II

Re: Specifying VLAN based on RADIUS property

Hi again,

Agreed using the Aruba attribute should work - however I am dealing with Radius servers outside of our control, hence using a standard variable so that the 3rd party doesn't need to make changes to their Radius server.

When you do a 'show aaa state station #mac address#' what does it tell you?
Occasional Contributor II

invalid mac address

it says invalid mac address.

why did you ask me to write this command line?

well, have you tried that thing I told you, to use aruba-user-vlan? at least, do you know how to configure it to work well?

thanks
Guru Elite

User Guide

it says invalid mac address.

why did you ask me to write this command line?

well, have you tried that thing I told you, to use aruba-user-vlan? at least, do you know how to configure it to work well?

thanks

What radius server are you using? If it is Microsoft IAS, in the ArubaOS 3.4 user guide, there is a section on configuring Microsoft IAS, and subsection on configuring radius attributes. If it is another radius server manufacturer, contact their company to find out how to pass radius attributes.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

I use freeradius

Hello,

I use freeradius. It should work with the configuration I showed above.
Is the configuration correct? Can I use the Aruba VSA Aruba-User-Vlan to assign the users to the VLAN specified by this Aruba VSA?

thanks!