Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

VLAN Derivation/Assignment Rules

  • 1.  VLAN Derivation/Assignment Rules

    Posted Mar 17, 2014 11:55 AM

    Hi! I'm new to this forum and fairly new to Aruba.

     

    I'm attempting to configure dynamic VLAN assignment on our primary SSID. When I configure VLAN assignment rules I am only allowed to configure 7 (not including the default rule). I need 15, because company wide we have 15 VLANs a user could potentially connect on. The CLI tells me I can't configure any more rules. Is this a limitation of the software or am I configuring my rules incorrectly? So far what I have works, I am just short on the VLANs I can configure. I've attached a screenshot of my configuration. Any thoughts, recommendations, criticisms, or even face punches are welcome.



  • 2.  RE: VLAN Derivation/Assignment Rules

    EMPLOYEE
    Posted Mar 17, 2014 11:59 AM

    Currently there is a limit of 8. What are you using for your RADIUS server? There may be other options.



  • 3.  RE: VLAN Derivation/Assignment Rules

    Posted Mar 18, 2014 05:08 PM

    We are using FreeRADIUS with LDAP389 (I believe). We are an all Linux shop. We will be using ClearPass within the year hopefully (just on proof of concept now). Is there any way to consolidate the rules? I'm curious as to why there isn't a way to configure a rule that says "based on the VLAN ID received, assign that VLAN", instead of "If VLAN ID is A assign VLAN A" and repeat 15 times. Manually configuring every possible VLAN seems to be a small oversight in the design of this feature. And the fact that other larger organizations out there don't have more than 8 VLANs that need to be dynamically assigned baffles me. I feel like I am overlooking something.



  • 4.  RE: VLAN Derivation/Assignment Rules

    EMPLOYEE
    Posted Mar 18, 2014 05:13 PM

    evadlegne,

     

    You can return the VLAN number in the Attribute "Aruba-User-Vlan" on the freeradius side and you won't have to write 15 rules...



  • 5.  RE: VLAN Derivation/Assignment Rules

    Posted Mar 18, 2014 05:18 PM

    What would the string and VLAN configurations look like on the AP side? I wouldn't be able to specify a VLAN number like I'm currently doing.



  • 6.  RE: VLAN Derivation/Assignment Rules

    EMPLOYEE
    Posted Mar 18, 2014 05:22 PM

    The "Aruba-User-VLAN" is a Vendor Specific Attribute that automatically overrides any VLAN when it is returned to an Aruba controller during authentication via radius. No configuration is required on the AP side. Make sure that the Aruba Vendor Specific Attributes are loaded in freeradius. Aruba-User-VLAN is attribute 2, is an integer, and Aruba's vendor ID is 14823.
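As an added illustration (not code from the thread or from Aruba), the Vendor-Specific attribute described above laid out on the wire: RFC 2865 attribute 26 carrying vendor ID 14823 and vendor type 2 with a 4-byte integer. The encoder shows what a FreeRADIUS reply would contain, and the decoder is the check you would apply to a captured Access-Accept to confirm the VLAN was actually sent. The Filter-Id attribute and the sample attribute list are constructed here for the demonstration.

```python
import struct

RADIUS_ATTR_FILTER_ID = 11         # RFC 2865 Filter-Id (string), used with derivation rules
RADIUS_ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823            # Aruba's vendor ID, as stated in the thread
ARUBA_USER_VLAN = 2                # Aruba-User-Vlan: vendor type 2, integer


def encode_aruba_user_vlan(vlan_id: int) -> bytes:
    """Build the VSA: type(1) len(1) vendor-id(4) vendor-type(1) vendor-len(1) value(4)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    sub = struct.pack("!BBI", ARUBA_USER_VLAN, 6, vlan_id)   # vendor sub-attribute
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_filter_id(text: str) -> bytes:
    """Plain RADIUS string attribute (what a Filter-Id based derivation rule would match)."""
    raw = text.encode()
    return struct.pack("!BB", RADIUS_ATTR_FILTER_ID, 2 + len(raw)) + raw


def iter_attributes(blob: bytes):
    """Walk a RADIUS attribute list (type, length, value) and yield (type, value)."""
    pos = 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute")
        yield atype, blob[pos + 2:pos + alen]
        pos += alen


def find_aruba_user_vlan(blob: bytes):
    """Return the VLAN carried in Aruba-User-Vlan, or None if no such VSA is present."""
    for atype, value in iter_attributes(blob):
        if atype != RADIUS_ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue   # some other vendor's VSA, ignore it
        sub = value[4:]  # one or more vendor sub-attributes follow the vendor id
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == ARUBA_USER_VLAN and vlen == 6:
                return struct.unpack("!I", sub[2:6])[0]
            sub = sub[vlen:]
    return None


# Constructed sample: a reply carrying both Filter-Id and Aruba-User-Vlan 120.
SAMPLE_ACCEPT_ATTRS = encode_filter_id("staff") + encode_aruba_user_vlan(120)
```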



  • 7.  RE: VLAN Derivation/Assignment Rules

    Posted Mar 18, 2014 05:31 PM

    Ahhh, that's good to know. Thanks for the information. What about if we decide to use ClearPass? We may just start using ClearPass sooner. ClearPass is pulling VLAN attributes from LDAP. Which attribute would we configure on the AP using ClearPass this way?



  • 8.  RE: VLAN Derivation/Assignment Rules

    Posted Jul 23, 2014 07:35 PM

    I cannot get this to work in 6.4.1. I confirmed that the vlan id is being sent back to the controller from my NPS server, but the client never gets put in the VLAN defined in the attribute; only in the vlan defined in the virtual ap profile. Is there something that needs to be done at the vap level or somewhere else to get the controller to accept the dynamic vlan?



  • 9.  RE: VLAN Derivation/Assignment Rules

    EMPLOYEE
    Posted Jul 23, 2014 07:36 PM

    Are you using Aruba-User-VLAN or Filter-ID in NPS?



  • 10.  RE: VLAN Derivation/Assignment Rules

    Posted Jul 23, 2014 07:53 PM

    The Aruba-User-VLAN attribute. Just to note, the dictionary file for this attribute specifies "integer," but NPS doesn't have integer. The closest choice is decimal or string.



  • 11.  RE: VLAN Derivation/Assignment Rules

    Posted Jul 24, 2014 12:38 PM

    I can't get this to work with the Aruba-User-VLAN or by using server derivation rules. Is there something that needs to be done in the vap or ssid profile to get it to accept dynamic vlan from radius?



  • 12.  RE: VLAN Derivation/Assignment Rules

    EMPLOYEE
    Posted Jul 24, 2014 01:11 PM

    What RADIUS server are you using and what parameter are you sending back to the system? Is this an Instant or controller based solution?



  • 13.  RE: VLAN Derivation/Assignment Rules

    Posted Jul 24, 2014 03:35 PM

    I'm using Microsoft NPS. It's a controller based solution (7210) that I am using for an evaluation. I've tried sending back the Aruba VLAN VSA, and tried using Filter-ID with server derivation rules. Nothing is working.

     

    I also tried making the VLAN id undefined in the virtual AP profile, hoping that the returned VLAN id would steer the client toward the desired vlan, but that broke everything.




  • 14.  RE: VLAN Derivation/Assignment Rules

    EMPLOYEE
    Posted Jul 24, 2014 03:56 PM

    Have you confirmed that the filter-id is being passed back to the controller? You may need to enable debugging to trace the auth session to see what attributes are being returned. Sounds like the attributes are not being returned if you have your derivation rules setup correctly.

     

    -Mike



  • 15.  RE: VLAN Derivation/Assignment Rules

    Posted Jul 24, 2014 04:01 PM

    Confirmed via packet capture at the NPS server that attributes are being returned in the radius access-accept message. How would I enable the debugging?



  • 16.  RE: VLAN Derivation/Assignment Rules

    MVP
    Posted Jul 25, 2014 05:46 AM

    logging level debugging security process authmgr
    logging level debugging security subcat aaa

     

    Those 2 (don't ask me why you need both, I don't know either) will show you what is received from the radius server.

    On my controller (6.3.1.9) however there seems to be an issue where the Aruba-User-Vlan value is not being shown, even with this debug:

    Jul 25 11:38:48 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1276]  Aruba-User-Role: correct-role 
    Jul 25 11:38:48 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1276]  Aruba-User-Vlan:  

     

    And here's another debug command that shows you the 'history' your client went through to get the resulting vlan.

    show aaa debug vlan user ip <ip> 

     

    The following should also give you some info on what vlan and why that vlan. Look for 2 different lines with vlan info.

    show user ip <ip>

     

     

    Also, in 6.3 (unsure of earlier versions) vlan derivation is not supported on remote-ap's with split-tunnel or bridge forward modes.
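An added example, not from the post above: a small parser for the authmgr/aaa debug lines shown there, which pulls out the RADIUS attributes the controller logged and flags exactly the symptom the post describes, an Aruba-User-Vlan line with an empty value. The sample lines are constructed in the same shape as the quoted output.

```python
import re

# Shape of the "|authmgr| |aaa| [rc_server.c:NNNN]  Attr: value" debug lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) :(?P<msgid>\d+):\s+<DBUG> "
    r"\|authmgr\| \|aaa\| \[rc_server\.c:\d+\]\s+(?P<attr>[A-Za-z0-9-]+):\s*(?P<val>.*?)\s*$"
)


def parse_returned_attributes(lines):
    """Map attribute name -> value for every matching debug line (last one wins)."""
    attrs = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            attrs[m.group("attr")] = m.group("val")
    return attrs


def check_vlan_derivation(lines):
    """Return (attrs, findings); findings explain why VLAN derivation cannot have worked."""
    attrs = parse_returned_attributes(lines)
    findings = []
    vlan = attrs.get("Aruba-User-Vlan")
    if vlan is None:
        findings.append("no Aruba-User-Vlan line in authmgr debug output")
    elif vlan == "":
        findings.append("Aruba-User-Vlan logged with an empty value")
    elif not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
        findings.append(f"Aruba-User-Vlan value is not a usable VLAN id: {vlan!r}")
    if "Aruba-User-Role" not in attrs:
        findings.append("no Aruba-User-Role line in authmgr debug output")
    return attrs, findings


# Constructed samples: the empty-VLAN case from the post, and a healthy reply.
BROKEN_LOG = [
    "Jul 25 11:38:48 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1276]  Aruba-User-Role: correct-role ",
    "Jul 25 11:38:48 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1276]  Aruba-User-Vlan:  ",
]
GOOD_LOG = [
    "Jul 25 11:40:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1276]  Aruba-User-Role: correct-role ",
    "Jul 25 11:40:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1276]  Aruba-User-Vlan: 120 ",
]
```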



  • 17.  RE: VLAN Derivation/Assignment Rules

    EMPLOYEE
    Posted Jul 25, 2014 09:31 AM

    MWLosRios,

     

    As koenv pointed out, run those commands and look at the logs to see what's going on. Also, if you don't mind, can you post your derivation rules configuration? CLI output is good. One thing I've seen is that if you match based on "equals" it does not work. Need to do "contains" and then it works. I haven't done this in a while so not sure if this was resolved in 6.3. If I have some time later I'll mock something up in my lab.

     

    -Mike



  • 18.  RE: VLAN Derivation/Assignment Rules

    Posted Jul 25, 2014 10:38 AM

    Hello all,

    With my SE, we opened a case with TAC. This was a configuration issue. In the 802.1x profile used by the AAA profile, "enforce machine authentication" was enabled. As TAC explained, when machine authentication is enabled, a supplicant has to pass both machine and user authentication phases in order to apply VLAN or role attributes passed by radius. Machine auth was always failing transparently, but user auth was succeeding.

     

    I disabled "enforce machine authentication" in the 802.1x profile, and the radius attributes started to work.

     

    Thank you for all your feedback.



  • 19.  RE: VLAN Derivation/Assignment Rules

    EMPLOYEE
    Posted Jul 25, 2014 11:29 AM

    Glad you were able to figure it out. 

     

    For reference, take a look at the 6.3 User Guide on page 241-242. It has a matrix of Machine Auth/User Auth Status and which role gets assigned based on failed/passed for the two types of auth.

     

    -Mike



  • 20.  RE: VLAN Derivation/Assignment Rules

    EMPLOYEE
    Posted Mar 18, 2014 05:36 PM

    If you use ClearPass, the Aruba radius attributes are loaded, and the logic to populate the attribute will reside on ClearPass.