New Contributor

IAP single SSID different roles based on AD OU membership

Implementing an IAP solution for a school district. They want 1 SSID presented and clients to connect via 802.1X Active Directory credentials. Tricky thing is I need to hand out different roles depending on their OU membership. Not sure how, in an IAP environment, I can attach the Aruba User Role to an OU.

 

RECAP:  

Jim is a teacher and he connects to the SSID via his AD credentials in the STAFF OU in Active Directory. Jim would then be given the Aruba User role of Staff and given VLAN 20.

 

Susie is a student and she connects to the same SSID as Jim via her AD credentials and she is tied to the STUDENTS OU and she would then be given the Aruba User role of STUDENT and given VLAN 30.

 

I know how to set up the SSID with dynamic VLANs and tie that to roles, but just not how to tie those roles to an AD OU without using ClearPass.

Guru Elite

Re: IAP single SSID different roles based on AD OU membership

Which RADIUS server are you using?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: IAP single SSID different roles based on AD OU membership

Windows RADIUS

Sent from my iPhone
New Contributor

Re: IAP single SSID different roles based on AD OU membership

BUMP - any ideas? 

Guru Elite

Re: IAP single SSID different roles based on AD OU membership

You have two options:

  1. Create the Aruba-User-Role VSA in your NPS server (recommended)
  2. Return a string via IETF Filter-ID and then use server-derived rules on the IAP to map the Filter-ID to a user role.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
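
What the two options in the reply above put on the wire, as an added example that is not part of the thread or of Aruba's or Microsoft's documentation: it builds the Aruba-User-Role VSA and a Filter-Id attribute in RFC 2865 encoding, parses them back, and models the role and VLAN derivation. Assumptions: Aruba's vendor ID 14823 with Aruba-User-Role as vendor type 1, the Filter-Id strings `STAFF`/`STUDENTS`, and the fallback role name `default`; `derive` is a model of the mapping, not IAP code.

```python
import struct

ARUBA_VENDOR_ID = 14823            # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1                # Aruba-User-Role sub-attribute (string)
FILTER_ID, VENDOR_SPECIFIC = 11, 26  # RFC 2865 attribute types

# Constructed tables: roles and VLANs from the thread; Filter-Id strings are assumed.
ROLE_VLAN = {"Staff": 20, "STUDENT": 30}
FILTER_ID_TO_ROLE = {"STAFF": "Staff", "STUDENTS": "STUDENT"}

def encode_aruba_user_role(role):
    """Option 1: Vendor-Specific attribute carrying Aruba-User-Role."""
    value = role.encode()
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def encode_filter_id(text):
    """Option 2: plain IETF Filter-Id string."""
    value = text.encode()
    return struct.pack("!BB", FILTER_ID, 2 + len(value)) + value

def parse_attributes(data):
    """Walk the attribute TLVs of a RADIUS reply, keeping the two of interest."""
    found, i = {}, 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, value = data[i], data[i + 2:i + data[i + 1]]
        if atype == FILTER_ID:
            found["Filter-Id"] = value.decode()
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype, vlen) == (ARUBA_VENDOR_ID, ARUBA_USER_ROLE, len(value) - 4):
                found["Aruba-User-Role"] = value[6:].decode()
        i += data[i + 1]
    return found

def derive(attrs, default_role="default"):
    """Model of the role/VLAN derivation: VSA first, then the Filter-Id mapping."""
    role = attrs.get("Aruba-User-Role") or FILTER_ID_TO_ROLE.get(attrs.get("Filter-Id"))
    if role not in ROLE_VLAN:
        return default_role, None  # nothing matched: keep that fallback role restrictive
    return role, ROLE_VLAN[role]

if __name__ == "__main__":
    for attr in (encode_aruba_user_role("Staff"), encode_filter_id("STUDENTS"),
                 encode_filter_id("GUESTS")):
        print(attr.hex(), "->", derive(parse_attributes(attr)))
```

The hex printed for the VSA is what to look for in a packet capture of the Access-Accept when a client lands in the wrong role.
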
New Contributor

Re: IAP single SSID different roles based on AD OU membership

Example below. Dynamic VLAN:
If Aruba-User-Role equals KMS-STAFF assign VLAN100

 

KMS-STAFF would be the OU in AD. 

 

Aruba User Role.JPG

Re: IAP single SSID different roles based on AD OU membership

Any documentation on how to create the VSA in the NPS Server? 

Guru Elite

Re: IAP single SSID different roles based on AD OU membership

http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-i-go-about-in-doing-Vlan-derivation-against-Microsoft/ta-p/184848



Colin Joseph
Aruba Customer Engineering
