To elaborate on Seth's response: you can use any of the Aruba Standard VSAs (listed below). The process is the same; just the assigned attribute number would differ, depending on what your goal is. Don't forget to set up a corresponding rule on the Server Group side. The following is a modified example from an earlier post.
Policy Name - Wireless-IT-Role-Assignment
Type of Network Access Server - Unspecified
Conditions - add whatever you typically add; but make sure you have Windows Group matches IT
Access Granted
EAP Type - add whatever authentication types you use
Constraints - NONE
RADIUS Attributes
- Click Vendor Specific; click Add
- Choose Vendor Specific from the Vendor choice; click Add
- Click to add attribute information
- Select Vendor Code = 14823 and Yes it conforms, click Configure Attributes
- Choose 1 as your assigned attribute number (for Aruba-User-Role in the below table)
- Attribute format = string
- Attribute value = authenticated (role name)
- Click OK to close out
On your Server Group that has the NPS servers defined, add a server derived rule that will look for this attribute from NPS and then apply the role. This will set the role to whatever value is sent by NPS for Aruba-User-Role (or to NPS, Vendor 14823, attribute 1).
set role condition "Aruba-User-Role" value-of position 1
Here are some of the supported VSAs; there are probably more by now.
Vendor Code 14823
Attribute | Attribute Number | Format |
Aruba-User-Role | 1 | string |
Aruba-User-Vlan | 2 | integer |
Aruba-Priv-Admin-User | 3 | integer |
Aruba-Admin-Role | 4 | string |
Aruba-Essid-Name | 5 | string |
Aruba-Location-Id | 6 | string |
Aruba-Port-Id | 7 | string |
Aruba-Template-User | 8 | string |
Aruba-Named-User-Vlan | 9 | string |
Aruba-AP-Group | 10 | string |
Aruba-Framed-IPv6-Address | 11 | string |
Aruba-Device-Type | 12 | string |
Aruba-AP-Name | 13 | string |
Aruba-No-DHCP-Fingerprint | 14 | integer |
Aruba-Mdps-Device-Udid | 15 | string |
Aruba-Mdps-Device-Imei | 16 | string |
Aruba-Mdps-Device-Iccid | 17 | string |
Aruba-Mdps-Max-Devices | 18 | integer |
Aruba-Mdps-Device-Name | 19 | string |
Aruba-Mdps-Device-Product | 20 | string |
Aruba-Mdps-Device-Version | 21 | string |
Aruba-Mdps-Device-Serial | 22 | string |
Aruba-CPPM-Role | 23 | string |
Aruba-AirGroup-User-Name | 24 | string |
Aruba-AirGroup-Shared-User | 25 | string |
Aruba-AirGroup-Shared-Role | 26 | string |
Aruba-AirGroup-Device-Type | 27 | integer |
Aruba-Auth-Survivability | 28 | string |
Aruba-AS-User-Name | 29 | string |
Aruba-AS-Credential-Hash | 30 | string |
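The following Python builds the on-the-wire attribute that the NPS settings above describe (RADIUS Vendor-Specific attribute 26, vendor code 14823, attribute number 1, format string) and decodes it back, which helps when checking a captured Access-Accept for the role actually being sent. It is an added example, not part of the original post and not Aruba or Microsoft code; the function names and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for VSAs (RFC 2865)
ARUBA_VENDOR_ID = 14823   # vendor code from the post
# Subset of the post's table: attribute number -> (name, format)
ARUBA_VSAS = {1: ("Aruba-User-Role", "string"),
              2: ("Aruba-User-Vlan", "integer"),
              4: ("Aruba-Admin-Role", "string")}

def encode_vsa(number, value):
    """Build one Vendor-Specific attribute in the RFC-conformant layout."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = bytes([number, len(data) + 2]) + data          # vendor type, vendor length, value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", ARUBA_VENDOR_ID) + sub

def tlvs(buf, what):
    """Yield (type, value) pairs from a type/length/value run, checking lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed {what} at offset {i}")
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def decode_aruba_vsas(attrs):
    """Return {name: value} for every Aruba VSA in a RADIUS attribute list."""
    found = {}
    for atype, body in tlvs(attrs, "attribute"):
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != ARUBA_VENDOR_ID:
            continue  # another vendor's VSA
        for num, raw in tlvs(body[4:], "Aruba sub-attribute"):
            name, fmt = ARUBA_VSAS.get(num, (f"Aruba-Attr-{num}", "string"))
            if fmt == "integer":
                if len(raw) != 4:
                    raise ValueError(f"{name}: integer must be 4 bytes")
                found[name] = struct.unpack("!I", raw)[0]
            else:
                found[name] = raw.decode("utf-8", "replace")
    return found

# Constructed sample: attribute portion of an Access-Accept (Reply-Message + VSA)
SAMPLE = bytes([18, 4]) + b"ok" + encode_vsa(1, "authenticated")

if __name__ == "__main__":
    print(decode_aruba_vsas(SAMPLE))
```

If the decoded Aruba-User-Role does not match a role name defined on the controller, the server derived rule has nothing valid to apply, so compare the string byte for byte, including case.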