01-04-2015 12:02 PM
I am having trouble with my new IAP215 in our new branch office. An essid "staff" is defined there with WPA2-Enterprise security, but the RADIUS server is located in our HQ office. The branch is connected to HQ via an IPsec tunnel, so the IAP215 can reach the RADIUS server correctly. There is also an essid "staff" in HQ, and users are bridged to the VLAN (16, 17, 18) by the Dynamic VLAN Assignment Rules according to the value of the Aruba-User-Vlan AVP in the RADIUS server reply.
The situation in the branch office is much simpler. There are no VLANs, just a cable modem, a MikroTik router, an unmanageable switch and the IAP215. The essid "staff" is defined in the same way, but VLAN assignment is set to "Default".
The problem is that a user in the branch office is not bridged to the LAN and does not receive an IP address from the MikroTik router. My idea is that the IAP is trying to use the value of the Aruba-User-Vlan AVP, but there are no VLANs to assign to.
Does anybody know how to configure the essid to ignore the Aruba-User-Vlan value received from the RADIUS server? The essid "test" with WPA2-PSK security works OK.
01-04-2015 12:35 PM
01-04-2015 12:42 PM
My suggestion would be to create a separate ruleset for branch offices that simply replies back with an access-accept which will put the user in the default VLAN as configured on the Instant cluster.
You can usually use Connection Source IP or NAS-IP as the filter for the connection request(s).
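One way to express the suggestion above, as an added example that is not from the thread: the thread does not name the RADIUS server, so this assumes FreeRADIUS 3.x, and 192.0.2.10 is a placeholder for the address the branch IAP presents as NAS-IP.

```unlang
# Added example, FreeRADIUS 3.x assumed (the thread does not say which server is in use).
# Placement: the post-auth section of the virtual server that handles the "staff" requests.
# 192.0.2.10 is a placeholder for the branch IAP / virtual controller address.
post-auth {
    # Requests from the branch office: there are no VLANs behind the IAP,
    # so return a plain Access-Accept without the VLAN attribute and let
    # the SSID's "Default" VLAN assignment apply.
    if (&NAS-IP-Address == 192.0.2.10) {
        update reply {
            # Remove every instance of the attribute from the reply list.
            &Aruba-User-Vlan !* ANY
        }
    }
    # To filter on the connection source instead of NAS-IP, the condition
    # can test &Packet-Src-IP-Address in the same way.
    # HQ requests fall through unchanged and keep Aruba-User-Vlan (16, 17, 18).
}
```

Running the server in debug mode (`radiusd -X`) shows whether Aruba-User-Vlan is still present in the Access-Accept returned to the branch.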