Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

RADIUS attributes on IAP

  • 1.  RADIUS attributes on IAP

    Posted Mar 18, 2014 11:28 AM

    Hello,

     

    I am trying to set up multiple VLANs on an SSID and assign them based on some attributes from LDAP, provided by the RADIUS server. I mapped an LDAP attribute businessCategory to User-Category in freeradius. I saw there was a way to show what attributes RADIUS was providing by running some console commands. I am not sure if these work on the IAP as well though?

     

    Long story short, it isn't working and I need to figure out why :)

     

    First step was to check and make sure the attribute was being provided to the IAPs.

     

    Thanks.



  • 2.  RE: RADIUS attributes on IAP

    Posted Mar 18, 2014 02:26 PM

    I did some troubleshooting on freeradius and found it is serving the attribute, but not sure if it is making it to the IAPs.

     

    radiusd[83078]: Login OK: [robert/<via Auth-Type = EAP>] (from client mustang port 0 cli 00:23:14:36:68:6C) sysadmin

     

    Note sysadmin at the end is the value of the attribute for robert (me).



  • 3.  RE: RADIUS attributes on IAP

    Posted Mar 18, 2014 02:32 PM

    Not sure about the IAP, but you could see if you can't capture the network traffic before the IAP.



  • 4.  RE: RADIUS attributes on IAP

    Posted Mar 18, 2014 02:36 PM

    Will that work if I am using EAP-TTLS?



  • 5.  RE: RADIUS attributes on IAP

    Posted Mar 18, 2014 02:38 PM

    So far I have always been able to see RADIUS packets and their content.



  • 6.  RE: RADIUS attributes on IAP

    EMPLOYEE
    Posted Mar 18, 2014 03:29 PM

    What is this attribute that you are sending back?  Aruba-User-Role?  filterid?  Something else?  Is the role based access in the SSID set up to apply the role based on these attributes?



  • 7.  RE: RADIUS attributes on IAP

    Posted Mar 18, 2014 03:32 PM

    The attribute is User-Category. I set up the SSID with the different VLANs, the role is currently unrestricted since we have separate VLANs and a firewall between the VLANs.



  • 8.  RE: RADIUS attributes on IAP

    EMPLOYEE
    Posted Mar 18, 2014 03:34 PM

    Can you try doing role based and doing the same logic.  

     

    Remove the VLAN assignment rules and switch to assigning a role based on the same attribute. If you get the expected attribute here, let us know. If not, sounds like a RADIUS server issue.



  • 9.  RE: RADIUS attributes on IAP

    Posted Mar 18, 2014 03:39 PM

    Success! That worked. Not sure why the other way is not, however.



  • 10.  RE: RADIUS attributes on IAP

    EMPLOYEE
    Posted Mar 18, 2014 03:40 PM

    Hmmm - I would open up a case to see if this is as designed or something else.



  • 11.  RE: RADIUS attributes on IAP

    Posted Mar 18, 2014 03:53 PM

    OK! Thanks for the help!
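
Added example (not part of any post in this thread, and not Aruba or FreeRADIUS code): a minimal parser for the RFC 2865 packet layout that lists the attributes carried in a captured RADIUS reply, which is the check suggested in posts 3 to 5. The sample packet is constructed; the vendor number 14823 with vendor type 1 (Aruba's enterprise number and Aruba-User-Role in the FreeRADIUS Aruba dictionary) and the `Filter-Id` value `sysadmin` are assumptions chosen to mirror the thread.

```python
import struct

# Small subset of RFC 2865 names; anything else is shown by number.
ATTR_NAMES = {1: "User-Name", 11: "Filter-Id", 25: "Class"}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_avps(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen

def parse_radius(packet):
    """Return (code name, [(attribute name, raw value), ...]) for one packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs = []
    for atype, value in parse_avps(packet[20:length]):
        if atype == 26 and len(value) >= 4:
            # Vendor-Specific: 4-byte vendor id, then sub-attributes in the
            # type/length/value form RFC 2865 recommends (assumed here).
            vendor = struct.unpack("!I", value[:4])[0]
            for vtype, vval in parse_avps(value[4:]):
                attrs.append((f"VSA {vendor}/{vtype}", vval))
        else:
            attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
    return CODES.get(code, f"Code-{code}"), attrs

def build_sample():
    """Constructed Access-Accept: Filter-Id plus one VSA under vendor 14823."""
    filter_id = bytes([11, 2 + 8]) + b"sysadmin"
    sub = bytes([1, 2 + 8]) + b"sysadmin"
    vsa = bytes([26, 2 + 4 + len(sub)]) + struct.pack("!I", 14823) + sub
    body = filter_id + vsa
    return struct.pack("!BBH", 2, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    code, attrs = parse_radius(build_sample())
    print(code)
    for name, value in attrs:
        print(f"  {name} = {value!r}")
```

Feed `parse_radius` the UDP payload of the reply captured between the RADIUS server and the IAP; an attribute that does not appear in its output was not sent on the wire.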