ArubaOS and Controllers

Occasional Contributor I
Posts: 11
Registered: ‎03-05-2008

incorrect VLAN assigned for user role

On our controllers running 3.4.5.0 (and also seen on 3.4.4.0) we have an interesting problem. We are seeing users assigned to VLANs that are not correct for the role defined. We use Bradford Campus Manager as our NAC and we have debugged that to prove we are getting the correct role back from the authentication. The role is then assigned by the Aruba controller, and in some cases the role ends up with a VLAN other than what is defined in the user role. Now this is not happening for all users in this same role.

Here is an example:
user role ABC... VLAN assigned is 987

Next request is from Client 1 (Device A)

Device A is returned ABC from Bradford, placed in the user role ABC and is also put on VLAN 987... no problem, client works.

Next request is from Client 2 (Device B)

Device B is returned ABC from Bradford, placed in the user role ABC, and this time it is put on one of the possible VLANs... 910 (mapped to the logon role), 121 (default dead-end VLAN for the Virtual AP profile) or 710 (our registration VLAN).

So far we have not been able to explain why this happens or why it is not doing so for all users. Under what conditions could a VLAN be assigned differently than the user role that is mapped to?

Thanks, any help would be greatly appreciated.

We already have a ticket open with TAC on this but so far are not making much headway.
Guru Elite
Posts: 20,591
Registered: ‎03-29-2007

Re: incorrect VLAN assigned for user role

Bradford either sends the role or the VLAN that the user needs to be in via the VSA. If Bradford is sending the role only, the VLAN would be determined by whether the role has a VLAN hardcoded to the role, OR by the Virtual AP that the client is connecting to. If you have a VLAN pool and the role is being sent by Bradford, the VLAN is determined by the pool algorithm. If the role has a VLAN hardcoded to it on the Aruba controller, that will override whatever pool is configured. That is how it is supposed to work.


Colin Joseph
Aruba Customer Engineering


rla
Occasional Contributor I
Posts: 9
Registered: ‎04-29-2010

Re: incorrect VLAN assigned for user role

Do you have all your possible VLANs configured in your Virtual AP Profile? We had a similar situation recently and discovered that clients would be assigned randomly to any one of the VLANs listed in the VAP profile prior to authentication. If they managed to get an IP address from a DHCP server in that VLAN before authentication, they would somehow be stuck with that VLAN. Subsequent assignment of a VLAN based on the authentication role would not work. To fix this, we put a single VLAN in the VAP profile that did not have a DHCP server in it - clients would not be able to obtain an IP until after the authentication and Role/VLAN assignment was complete.
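Added illustration, not code from the thread or from ArubaOS: a small Python model of the VLAN precedence Colin describes (VSA VLAN, then the role's hardcoded VLAN, then the VAP pool) combined with the failure mode rla describes (a client that obtains a DHCP lease on its pre-authentication pool VLAN keeps that VLAN after the role is applied), plus the config check behind rla's fix. The pool algorithm, the client MACs and the set of VLANs with DHCP servers are constructed assumptions.

```python
"""Model of the VLAN derivation described in this thread, not ArubaOS code."""
from typing import List, Optional, Set

LOGON_ROLE = ("logon", None)     # (role name, hardcoded VLAN); None = no VLAN on the role
ROLE_ABC = ("ABC", 987)          # user role ABC from the thread, VLAN 987 hardcoded

def pool_pick(mac: str, vap_vlans: List[int]) -> int:
    """Constructed stand-in for the VAP pool algorithm: hash the MAC into the list."""
    return vap_vlans[int(mac.replace(":", ""), 16) % len(vap_vlans)]

def derive_vlan(mac: str, role, vap_vlans: List[int], vsa_vlan: Optional[int] = None) -> int:
    """Precedence from Colin's reply: VSA VLAN, else the role's VLAN, else the VAP pool."""
    if vsa_vlan is not None:
        return vsa_vlan
    if role[1] is not None:
        return role[1]
    return pool_pick(mac, vap_vlans)

def vap_vlans_with_dhcp(vap_vlans: List[int], dhcp_vlans: Set[int]) -> List[int]:
    """Config check behind rla's fix: no pre-auth (VAP) VLAN should have a DHCP server."""
    return [v for v in vap_vlans if v in dhcp_vlans]

def session_vlan(mac: str, vap_vlans: List[int], dhcp_vlans: Set[int], sticky=True) -> int:
    """Walk one client through association and authentication.

    Before auth the client sits in the logon role on a pool VLAN.  If a DHCP server
    answers there and the lease is sticky (rla's observation), the role VLAN applied
    later never takes effect; otherwise the client moves to the role's VLAN."""
    pre_auth = derive_vlan(mac, LOGON_ROLE, vap_vlans)
    got_lease = pre_auth in dhcp_vlans
    post_auth = derive_vlan(mac, ROLE_ABC, vap_vlans)
    return pre_auth if (got_lease and sticky) else post_auth

def describe(vap_vlans: List[int], dhcp_vlans: Set[int], macs: List[str]) -> dict:
    """Constructed scenario helper: map each client MAC to its final VLAN."""
    return {m: session_vlan(m, vap_vlans, dhcp_vlans) for m in macs}

if __name__ == "__main__":
    MACS = ["00:11:22:33:44:55", "00:11:22:33:44:56", "00:11:22:33:44:57"]  # constructed
    BROKEN_VAP = [910, 121, 710]     # logon, dead-end and registration VLANs from the thread
    DHCP = {710, 987}                # assumed: DHCP servers on the registration and role VLANs
    print("VAP VLANs with DHCP:", vap_vlans_with_dhcp(BROKEN_VAP, DHCP))
    print("broken VAP:", describe(BROKEN_VAP, DHCP, MACS))
    print("fixed VAP :", describe([121], DHCP, MACS))
```

With the three-VLAN VAP profile the client hashed onto 710 keeps that VLAN after authentication, while the others land on 987; with only the dead-end VLAN 121 in the profile every client ends up on 987.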