Controller Based WLANs

Which of the derived VLANs takes priority if UDR, MAC auth and Dot1x are configured in an AAA profile?

by on ‎07-01-2014 04:23 AM

This article applies to Aruba Mobility Controllers running Aruba OS version 6.3.0.0 or higher.

 

A client is assigned to a VLAN by one of several methods, and VLANs are assigned according to an order of precedence (from lowest to highest). The controller stores all the VLANs derived during a client's association, and the one derived by the highest-precedence method is used as the client VLAN.

The figure below shows an overview of the priority for VLAN assignment:

[Figure: overview of priority for VLAN assignment]

 

Note: A VLAN from DHCP options has the highest priority for VLAN derivation. However, DHCP options are not considered for derivation if the ARUBA_NO_DHCP_FINGERPRINT (14) Aruba VSA (Vendor Specific Attribute) was sent for the user by the authentication server.

The "show aaa debug vlan user <mac-address/IP>" command displays, from the controller's point of view, the VLANs derived for a client connecting to an SSID.

The figure below shows the output of this command:

[Figure: output of the "show aaa debug vlan user" command]

 

Points to note:

  • VLAN derivation is not supported for L3-authentication
  • VLAN derivation is not supported for Split-Tunnel and Bridge forward mode of Remote-AP (RAP)

 
