Controllerless Networks

I see on the Instant that the config for the controller-assigned vlan, or magic vlan is 3333.  If I have a vlan-derivation rule that specifies vlan 3333 currently it says that is reserved.

This could be handy to quarantine certain clients depending on the attribute received and to just dump them into the controller-assigned vlan with appropriate restricted role.

I have just raised a feature request, but was wondering what others thought of that?  Would it be useful, or would you use it that way?

In principal this sounds like a pretty good idea.

I do wonder how easy the developers would find it to implement though due to software?

Just to throw an idea out though an extention to the idea, what might be handy (if it didn't do it by default), would be the capability for the IAP to accept the returned role of "Internal CP". This would potentially have the net-effect of presenting a captive portal?

You can assign a captive portal profile to a role in the Instants now.

In my case above, the portal says 'Your device is not permitted to use this network etc'.

Ahhh, good work. I never got around to testing this yet. Might try it some day.

In which case, if your RADIUS server returned two variables (when possible) of the role and vlan, that would be handy?

You can also assign the role based on attributes like this,

And then in the role you can force it to a particular vlan.

If you send back the attribute Aruba-User-Vlan it seems it won't automatically be in the vlan, but you could do it like this as well.

But alas, in each case you can't specify the vlan to be 3333.

I've tested all the above and works well.  The Instants are certainly coming along, compared to when they were first released.

Hope that helps.