Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x authentication FreeRadius

  • 1.  802.1x authentication FreeRadius

    Posted Dec 03, 2011 02:32 AM

     

    Hi All,

    Has anyone encountered this kind of set-up? The client is using FreeRadius for authentication. The scenario is they're using only 1 SSID. Each department has their own subnet (VLAN) and user credentials defined, so if they access the wireless based on their credentials they will be given the specific IP address defined for their department. I need your help on how I'm going to implement this. I'm using a 620 controller ver. 6.1.2.3

     

     



  • 2.  RE: 802.1x authentication FreeRadius

    Posted Dec 03, 2011 09:08 AM

    In the FreeRADIUS server, you will need to pass back the VLAN as a reply attribute.  Once you do that, configure a server rule (under the server group section of the GUI) that says "Condition -> <your reply attribute>, operand -> value-of, set vlan".  What that means is that the controller will interpret the reply attribute as the VLAN to set for the authenticated user.  The rest of the configuration is a standard WPA2/AES setup.



  • 3.  RE: 802.1x authentication FreeRadius

    Posted Dec 03, 2011 11:58 AM

    Hi Olino,

    Thanks for your reply. I attached the client configuration in FreeRadius. I'm not familiar with this and am still searching and trying to understand. If you are able to view the file and provide a snapshot of the configuration of the controller based on that, it would be a great help to me, if this is okay with you. Thanks for the concept, I appreciate it.

     

    regards,

    comingblow

    Attachment(s)

    zip
    raddb.zip   151 KB 1 version


  • 4.  RE: 802.1x authentication FreeRadius

    Posted Dec 03, 2011 01:49 PM

    As an alternative, ArubaOS supports a Vendor Specific Attribute (VSA) known as Aruba-User-VLAN which I understand to be processed automatically by the controller for VLAN derivation and won't require the configuration of server derivation rules.

    The Aruba vendor id assigned for VSA is 14823 and the Aruba-User-VLAN is attribute 2 in their dictionary.



  • 5.  RE: 802.1x authentication FreeRadius

    Posted Dec 06, 2011 03:03 PM

    Hi cam,

    How can I open this file, or how does the Aruba dictionary work (I downloaded it from the support site)? Will this be configured/copied in the FreeRADIUS server?

    Thanks!

     

    regards,

    marlon



  • 6.  RE: 802.1x authentication FreeRadius

    Posted Dec 06, 2011 09:22 PM

    Please save the Aruba dictionary downloaded from the support site to a file (say dictionary.aruba) and include it in the FreeRadius dictionary file. To include the Aruba dictionary, add the following line in the dictionary file:

    $INCLUDE dictionary.aruba



  • 7.  RE: 802.1x authentication FreeRadius

    Posted Dec 03, 2011 01:19 PM

    Your RADIUS config file passes back Tunnel-Private-Group-ID with the VLAN.  Click on Authentication > Server Group > <server group assigned to the WPA2/AES SSID you are using>.  Under the Server Rules section, click Add, then select Tunnel-Private-Group-ID from the Attribute drop down box, value-of from the Operation drop down and Set VLAN from the Action drop down.  Then, click Add.  Make sure the rule looks right to you and then click Apply at the bottom of the page (if you don't do this, it won't be saved).

     

     



  • 8.  RE: 802.1x authentication FreeRadius

    Posted Dec 04, 2011 04:00 AM

    Hi olino,

    Thanks for the help. Kindly check what the necessary configurations needed for this to work are. I'm not sure about the other values of the parameters. Where do I configure it to pass the different VLANs? I hope you are able to provide a snapshot as an easy guide. Thank you very much. Sorry, because I'm not familiar with RADIUS I'm not able to view the config file.

     

    Regards,

    marlon

     

     



  • 9.  RE: 802.1x authentication FreeRadius

    Posted Dec 04, 2011 04:27 AM
      |   view attached


  • 10.  RE: 802.1x authentication FreeRadius

    EMPLOYEE
    Posted Dec 04, 2011 07:32 AM
    You set the VLAN in the role configuration on the controller. A specific VLAN can be defined for each role.

    Configuration > Security > Access Control > User Roles


  • 11.  RE: 802.1x authentication FreeRadius

    Posted Dec 04, 2011 09:45 AM

    In the Authentication section of the GUI, click on Server Groups.  You should have one called Aruba_FreeRADIUS.  Add a rule to it that says "Tunnel-Private-Group-ID value-of set-vlan". Don't put anything in the value (in the second JPG you added "2" in the value field).  "value-of" means to take the value passed by the authentication server in Tunnel-Private-Group-ID and use it for the VLAN.   Make sure you create all of the VLANs that may be passed back by your FreeRADIUS server.
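
An added example, not part of any reply in this thread: a Python check that decodes the two reply attributes discussed above (Tunnel-Private-Group-ID, and Aruba-User-VLAN as vendor 14823 attribute 2) and lists any returned VLAN that is not defined on the controller. The sample replies, the helper names, and the 4-byte integer encoding of Aruba-User-VLAN are assumptions.

```python
import struct

TUNNEL_PRIVATE_GROUP_ID = 81  # standard attribute, RFC 2868
VENDOR_SPECIFIC = 26          # standard attribute, RFC 2865
ARUBA_VENDOR_ID = 14823       # vendor id quoted in the thread
ARUBA_USER_VLAN = 2           # Aruba-User-VLAN number quoted in the thread

def tlv(code, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return bytes([code, len(value) + 2]) + value

def walk(buf):
    """Yield (type, value) pairs, rejecting malformed lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def returned_vlans(attrs):
    """Map each VLAN-carrying reply attribute to the VLAN it names."""
    found = {}
    for code, value in walk(attrs):
        if code == TUNNEL_PRIVATE_GROUP_ID and value:
            if value[0] <= 0x1F:  # optional leading tag octet (RFC 2868)
                value = value[1:]
            found["Tunnel-Private-Group-ID"] = value.decode("ascii")
        elif code == VENDOR_SPECIFIC and len(value) > 4:
            if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
                continue
            for vtype, vval in walk(value[4:]):
                if vtype == ARUBA_USER_VLAN and len(vval) == 4:
                    found["Aruba-User-VLAN"] = str(struct.unpack("!I", vval)[0])
    return found

def undefined_vlans(attrs, controller_vlans):
    """VLANs the server returns that do not exist on the controller."""
    return sorted(set(returned_vlans(attrs).values()) - set(controller_vlans))

# Constructed sample replies, not taken from the attached raddb.zip.
REPLY_TUNNEL = tlv(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"226")
REPLY_VSA = tlv(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID)
                + tlv(ARUBA_USER_VLAN, struct.pack("!I", 227)))

if __name__ == "__main__":
    print(returned_vlans(REPLY_TUNNEL + REPLY_VSA))
    print(undefined_vlans(REPLY_TUNNEL + REPLY_VSA, {"226"}))
```

The attribute bytes can be copied from a packet capture of the Access-Accept; the 20-byte RADIUS header has to be stripped before calling `returned_vlans`.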



  • 12.  RE: 802.1x authentication FreeRadius

    Posted Dec 04, 2011 12:29 PM

     

    Hi,

    First example: I'm going to connect port 7 to the core switch as a trunk port, native is VLAN 100, to pass VLANs 226 and 227.

    Is this what you mean?

    Thanks for the help.

     

    regards,

    marlon



  • 13.  RE: 802.1x authentication FreeRadius

    Posted Dec 04, 2011 12:34 PM
      |   view attached