Occasional Contributor II

802.1x authentication FreeRadius

 

Hi All,

 

Has anyone encountered this kind of set-up? The client is using FreeRADIUS for authentication. The scenario is they're using only 1 SSID. Each department has their own subnet (VLAN) and user credentials defined, so if they access the wireless based on their credentials they will be given the specific IP address defined for their department. Need your help on how I'm going to implement this. I'm using a 620 controller ver. 6.1.2.3.

 

 

Aruba Employee

Re: 802.1x authentication FreeRadius

In the FreeRADIUS server, you will need to pass back the VLAN as a reply attribute.  Once you do that, configure a server rule (under the server group section of the GUI) that says "Condition -> <your reply attribute>, operand -> value-of, set vlan".  What that means is that the controller will interpret the reply attribute as the VLAN to set for the authenticated user.  The rest of the configuration is a standard WPA2/AES setup.

Occasional Contributor II

Re: 802.1x authentication FreeRadius

 

Hi Olino,

 

Thanks for your reply.  I attached the client configuration in FreeRADIUS. I'm not familiar with this and am still searching and trying to understand. If you could view the file and provide a snapshot of the configuration of the controller based on that, it would be a great help to me, if this is okay for you? Thanks for the concept, I appreciate it.

 

regards,

comingblow

Aruba Employee

Re: 802.1x authentication FreeRadius

Your RADIUS config file passes back Tunnel-Private-Group-ID with the VLAN.  Click on Authentication > Server Group > <server group assigned to the WPA2/AES SSID you are using>.  Under the Server Rules section, click Add, then select Tunnel-Private-Group-ID from the Attribute drop down box, value-of from the Operation drop down and Set VLAN from the Action drop down.  Then, click Add.  Make sure the rule looks right to you and then click Apply at the bottom of the page (if you don't do this, it won't be saved).

 

 

Moderator

Re: 802.1x authentication FreeRadius

As an alternative, ArubaOS supports a Vendor Specific Attribute (VSA) known as Aruba-User-VLAN, which I understand to be processed automatically by the controller for VLAN derivation and won't require the configuration of server derivation rules.

 

The Aruba vendor ID assigned for VSAs is 14823, and Aruba-User-VLAN is attribute 2 in their dictionary.

Occasional Contributor II

Re: 802.1x authentication FreeRadius

 

 

hi olino,

 

   Thanks for the help.  Kindly check what the necessary configurations are for this to work.  I'm not sure about the other value of the parameter. Where do I configure it to pass the different VLANs? Hope you can provide a snapshot as an easy guide.  Thank you very much.  Sorry, because I'm not familiar with RADIUS I'm not able to view the config file.

 

Regards,

marlon

 

 

Occasional Contributor II

Re: 802.1x authentication FreeRadius

 
Aruba Employee

Re: 802.1x authentication FreeRadius

You set the VLAN in the role configuration on the controller. A specific VLAN can be defined for each role.

Configuration > Security > Access Control > User Roles
Thanks,

Zach Jennings
Aruba Employee

Re: 802.1x authentication FreeRadius

In the Authentication section of the GUI, click on Server Groups.  You should have one called Aruba_FreeRADIUS.  Add a rule to it that says "Tunnel-Private-Group-ID value-of set-vlan". Don't put anything in the value (in the second JPG you added "2" in the value field).  "value-of" means to take the value passed by the authentication server in Tunnel-Private-Group-ID and use it for the VLAN.   Make sure you create all of the VLANs that may be passed back by your FreeRADIUS server.
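The two VLAN-assignment paths discussed in this thread (the "Tunnel-Private-Group-ID value-of set-vlan" server rule and the Aruba-User-VLAN VSA, vendor 14823 attribute 2), as an added example that is not code from this thread, ArubaOS or FreeRADIUS: it encodes the reply attributes a FreeRADIUS entry would return for a department VLAN and then applies controller-style derivation to them, including the "VLAN must already exist on the controller" caveat. The standard attribute numbers come from RFC 2865/2868/3580; the VLAN set {100, 226, 227} is the one mentioned in the thread.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26  # RFC 2865/2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6  # RFC 3580 values that mark a VLAN assignment
ARUBA_VENDOR_ID, ARUBA_USER_VLAN = 14823, 2  # vendor id and VSA number quoted in the thread

def encode_attr(attr_type, value):
    """Standard RADIUS TLV: type octet, total-length octet, value."""
    return struct.pack("BB", attr_type, 2 + len(value)) + value
def encode_tagged_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return encode_attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))
def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): 4-octet vendor id, then the vendor's own TLV."""
    return encode_attr(VENDOR_SPECIFIC, struct.pack(">IBB", vendor_id, vendor_type, 2 + len(value)) + value)

def reply_for_vlan(vlan, aruba_vsa=False):
    """Reply attributes a FreeRADIUS entry would send to place a user in 'vlan'."""
    if aruba_vsa:  # Aruba-User-VLAN is an integer VSA in the Aruba dictionary
        return encode_vsa(ARUBA_VENDOR_ID, ARUBA_USER_VLAN, struct.pack(">I", vlan))
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))

def parse_attrs(data):
    """Walk the TLV stream into (type, value) pairs; a VSA value becomes (vendor_id, vendor_type, bytes)."""
    out, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data): raise ValueError("malformed RADIUS attribute")
        v = data[i + 2:i + l]
        if t == VENDOR_SPECIFIC:
            v = (struct.unpack(">I", v[:4])[0], v[4], v[6:4 + v[5]])
        out.append((t, v))
        i += l
    return out

def derive_vlan(data, configured_vlans):
    """Controller-style derivation: Aruba-User-VLAN needs no rule; otherwise apply the value-of rule."""
    attrs, vlan = parse_attrs(data), None
    tagged = {t: int.from_bytes(v[1:], "big") for t, v in attrs if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE)}
    for t, v in attrs:
        if t == VENDOR_SPECIFIC and v[:2] == (ARUBA_VENDOR_ID, ARUBA_USER_VLAN):
            vlan = struct.unpack(">I", v[2])[0]
            break
        if (t == TUNNEL_PRIVATE_GROUP_ID and tagged.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and tagged.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802):
            gid = v[1:] if v and v[0] <= 0x1F else v  # RFC 2868: a leading octet 0x00-0x1F is a tag
            vlan = int(gid) if gid.isdigit() else vlan
    return vlan if vlan in configured_vlans else None  # None: VLAN was never created on the controller
```

A reply naming a VLAN that is not created on the controller yields None here, which is the failure mode the "make sure you create all of the VLANs" advice above guards against.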

Occasional Contributor II

Re: 802.1x authentication FreeRadius

 

Hi,

 

First example: I'm going to connect port 7 to the core switch as a trunk port, native VLAN 100, to pass VLANs 226 and 227.

is this what you mean?

thanks for the help.

 

regards,

marlon
