Controllerless Networks

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
IAP single SSID different roles based on AD OU membership

  • 1.  IAP single SSID different roles based on AD OU membership

    Posted Aug 02, 2017 04:24 PM

    Implementing an IAP solution for a school district. They want 1 SSID presented and clients to connect via 802.1X Active Directory credentials. Tricky thing is I need to hand out different roles depending on their OU membership. Not sure how, in an IAP environment, I can attach the Aruba User Role to an OU.

    RECAP:

    Jim is a teacher and he connects to the SSID via his AD credentials in the STAFF OU in Active Directory. Jim would then be given the Aruba User role of Staff and given VLAN 20.

    Susie is a student and she connects to the same SSID as Jim via her AD credentials and she is tied to the STUDENTS OU and she would then be given the Aruba User role of STUDENT and given VLAN 30.

    I know how to set up the SSID with dynamic VLANs and tie that to roles, but just not how to tie those roles to an AD OU without using ClearPass.



  • 2.  RE: IAP single SSID different roles based on AD OU membership

    EMPLOYEE
    Posted Aug 02, 2017 06:19 PM

    Which RADIUS server are you using?



  • 3.  RE: IAP single SSID different roles based on AD OU membership

    Posted Aug 02, 2017 06:54 PM
    Windows RADIUS

    Sent from my iPhone


  • 4.  RE: IAP single SSID different roles based on AD OU membership

    Posted Aug 03, 2017 02:49 PM

    BUMP - any ideas? 



  • 5.  RE: IAP single SSID different roles based on AD OU membership

    EMPLOYEE
    Posted Aug 03, 2017 03:11 PM

    You have two options:

    1. Create the Aruba-User-Role VSA in your NPS server (recommended)
    2. Return a string via IETF Filter-ID and then use server-derived rules on the IAP to map the Filter-ID to a user role.
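
Both options in the reply above put the role hint in the RADIUS Access-Accept, so a capture of the NPS reply shows whether it is encoded as intended. The sketch below is an added example, not part of the thread and not Aruba's code: it builds and parses the Aruba-User-Role VSA (vendor code 14823, attribute number 1, string) and the IETF Filter-Id, then models the role choice. The Filter-Id strings, the `derive_role` helper and the default role passed to it are assumptions.

```python
import struct

ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number (NPS "vendor code")
ARUBA_USER_ROLE = 1       # Aruba-User-Role: vendor attribute 1, string
FILTER_ID, VENDOR_SPECIFIC, ACCESS_ACCEPT = 11, 26, 2   # RFC 2865

def attr(atype, value):
    """Encode one RADIUS attribute: type, length (incl. 2-byte header), value."""
    return bytes([atype, len(value) + 2]) + value

def aruba_role_vsa(role):
    """Vendor-Specific (26) attribute carrying Aruba-User-Role."""
    sub = attr(ARUBA_USER_ROLE, role.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)

def access_accept(attrs, ident=1):
    """Constructed sample reply; the 16-byte authenticator is zeroed, not verified."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body

def parse_role_hints(packet):
    """Return the Aruba-User-Role and Filter-Id found in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    hints, pos = {"aruba_user_role": None, "filter_id": None}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == FILTER_ID:
            hints["filter_id"] = value.decode()
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (ARUBA_VENDOR_ID, ARUBA_USER_ROLE) and 2 <= vlen <= len(value) - 4:
                hints["aruba_user_role"] = value[6:4 + vlen].decode()
        pos += alen
    return hints

def derive_role(hints, filter_rules, known_roles, default_role):
    """Simplified model: VSA role first, else Filter-Id rule; unknown names get the default."""
    role = hints["aruba_user_role"] or filter_rules.get(hints["filter_id"])
    return role if role in known_roles else default_role
```

A role name returned by the server that the IAP does not define is treated here as a miss and gets the default role, which is why the default should be the least-privileged one.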


  • 6.  RE: IAP single SSID different roles based on AD OU membership

    Posted Aug 03, 2017 04:01 PM

    Example below. Dynamic VLAN:
    If Aruba-User-Role equals KMS-STAFF, assign VLAN100

    KMS-STAFF would be the OU in AD.

    Aruba User Role.JPG



  • 7.  RE: IAP single SSID different roles based on AD OU membership

    Posted Aug 10, 2017 01:15 PM

    Any documentation on how to create the VSA in the NPS Server? 



  • 8.  RE: IAP single SSID different roles based on AD OU membership