This articles applies to Aruba Mobility Controllers running ArubaOS version 6.3.0.0 or higher.
It is a common practice to categorize users/clients into different vlans based on their roles and the departments that they belong to. In a wired infrastructure, there is not much to look as the users physical connect to an assigned switchport. Whereas in case of wireless, users move from one AP to another getting associated and it is important to make them fall in appropriate vlan based on their identification.
A client is assigned to a VLAN by one of several methods. Each specific method of vlan derivation is given a precedence and based on it VLANs are assigned to users. The assignment of VLANs are from lowest to highest precedence. Controller stores all the vlans derived during association of a client and the vlan derived from highest precedence derivation is finally assigned.
After client associates, controller stores the default incoming vlan from the virtual-ap (VAP) profile. Vlan can be derived before and after authentication. Before client authentication, the VLAN can be derived from rules based on client attributes (such as: SSID, BSSID, client MAC, location, and encryption type). After client authentication, the VLAN can be the one configured for a default role for an authentication method, such as Mac auth, 802.1x or VPN. It
can also be derived from attributes returned by the authentication server.
Below figure gives a overview of precedence of vlan assignment:
Point to be noted:
- VSA (Vendor Specific Attributes) takes precedence over SDR (Server Derivation Rule), MBA (MAC Based Authentication) or 802.1X default role based vlan and UDR’s except for dhcp-option based UDR.
- Controller will worry about Machine auth only if “Machine-Authentication” is enabled under dot1x profile.
- Role Based VLANs from the intermediate Machine Roles “Machine Authentication: Default Machine Role” and “User Authentication: Default User Role” will not be honored. The only state where derivation of any type is honored for the client is when it passes both Machine-auth && user-dot1x auth.
- Dhcp-option based UDR has the highest priority and cannot be overridden by further L2 authentication, unless RADIUS server sends “Aruba-No-DHCP-Fingerprint” VSA attribute during L2 auth
- VLAN derivation is not supported for L3-authentication.
- VLAN derivation is not supported for Split-Tunnel and Bridge forward mode of Remote-AP (RAP)
"show aaa debug vlan user <mac-address/IP>"CLI command lists out the vlans dervied for a client connecting to an SSID.
