12-02-2011 11:31 PM
Has anyone encountered this kind of set-up? The client is using FreeRadius for authentication. The scenario is they're using only 1 SSID. Each department has its own subnet (VLAN) and user credentials defined, so if they access the wireless based on their credentials they will be given the specific IP address defined for their department. I need your help on how I'm going to implement this. I'm using a 620 controller ver. 18.104.22.168
12-03-2011 06:08 AM
In the FreeRADIUS server, you will need to pass back the VLAN as a reply attribute. Once you do that, configure a server rule (under the server group section of the GUI) that says "Condition -> <your reply attribute>, operand -> value-of, set vlan". What that means is that the controller will interpret the reply attribute as the VLAN to set for the authenticated user. The rest of the configuration is a standard WPA2/AES setup.
12-03-2011 08:58 AM
Thanks for your reply. I attached the client's configuration in FreeRadius. I'm not familiar with this and am still searching and trying to understand. If you are able to view the file and provide a snapshot of the controller configuration based on it, it would be a great help to me, if this is okay with you. Thanks for the concept, I appreciate it.
12-03-2011 10:18 AM
Your RADIUS config file passes back Tunnel-Private-Group-ID with the VLAN. Click on Authentication > Server Group > <server group assigned to the WPA2/AES SSID you are using>. Under the Server Rules section, click Add, then select Tunnel-Private-Group-ID from the Attribute drop down box, value-of from the Operation drop down and Set VLAN from the Action drop down. Then, click Add. Make sure the rule looks right to you and then click Apply at the bottom of the page (if you don't do this, it won't be saved).
12-03-2011 10:49 AM
As an alternative, ArubaOS supports a Vendor Specific Attribute (VSA) known as Aruba-User-VLAN, which I understand to be processed automatically by the controller for VLAN derivation and won't require the configuration of server derivation rules.
Aruba vendor id assigned for VSA is 14823 and the Aruba-User-VLAN is attribute 2 in their dictionary.
12-04-2011 01:00 AM
Thanks for the help. Kindly check what configurations are necessary for this to work. I'm not sure about the other value of the parameter. Where do I configure it to pass the different VLANs? I hope you are able to provide a snapshot as an easy guide. Thank you very much. Sorry, because I'm not familiar with RADIUS I'm not able to view the config file.
12-04-2011 04:31 AM
Configuration > Security > Access Control > User Roles
12-04-2011 06:45 AM
In the Authentication section of the GUI, click on Server Groups. You should have one called Aruba_FreeRADIUS. Add a rule to it that says "Tunnel-Private-Group-ID value-of set-vlan". Don't put anything in the value (in the second JPG you added "2" in the value field). "value-of" means to take the value passed by the authentication server in Tunnel-Private-Group-ID and use it for the VLAN. Make sure you create all of the VLANs that may be passed back by your FreeRADIUS server.
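The two VLAN attributes discussed in this thread, Tunnel-Private-Group-ID and the Aruba-User-VLAN VSA, shown as they appear in a RADIUS reply and decoded the way a "value-of" rule reads them. This is an added example, not part of any post and not Aruba or FreeRADIUS code; the function names, department names and VLAN numbers are assumptions, and the attribute layout follows RFC 2865 and RFC 2868.

```python
import struct

VENDOR_SPECIFIC = 26            # RFC 2865 Vendor-Specific attribute
TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868
ARUBA_VENDOR_ID = 14823         # vendor id quoted in the thread
ARUBA_USER_VLAN = 2             # Aruba-User-VLAN, attribute 2 per the thread

def tlv(kind, value):
    """Encode one attribute: type, length (header included), value."""
    return bytes([kind, len(value) + 2]) + value

def iter_tlvs(buf):
    """Yield (type, value) pairs, rejecting truncated or impossible lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def vlan_attributes(attrs):
    """Return the VLAN carried by each attribute the thread mentions."""
    found = {}
    for kind, value in iter_tlvs(attrs):
        if kind == TUNNEL_PRIVATE_GROUP_ID and value:
            if value[0] <= 0x1F:            # RFC 2868 tag octet precedes the string
                value = value[1:]
            text = value.decode("ascii", "replace")
            if text.isdigit():
                found["Tunnel-Private-Group-ID"] = int(text)
        elif kind == VENDOR_SPECIFIC and len(value) > 4:
            if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
                continue
            for sub, data in iter_tlvs(value[4:]):
                if sub == ARUBA_USER_VLAN and len(data) == 4:
                    found["Aruba-User-VLAN"] = struct.unpack("!I", data)[0]
    # A VLAN outside 1..4094 cannot exist on the controller; surface it.
    for name, vlan in found.items():
        if not 1 <= vlan <= 4094:
            raise ValueError("%s carries invalid VLAN %d" % (name, vlan))
    return found

# Constructed sample replies (department names and VLAN numbers are made up).
FINANCE = tlv(64, struct.pack("!I", 13)) + tlv(65, struct.pack("!I", 6)) \
    + tlv(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20")
HR = tlv(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID)
         + tlv(ARUBA_USER_VLAN, struct.pack("!I", 30)))

if __name__ == "__main__":
    print(vlan_attributes(FINANCE), vlan_attributes(HR))
```

Attributes 64 and 65 in the first sample are Tunnel-Type (VLAN) and Tunnel-Medium-Type (IEEE-802), which RFC 3580 sends alongside Tunnel-Private-Group-ID for VLAN assignment.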
12-04-2011 09:28 AM