Hi,
On a remote site of our university, I'm trying to deploy a remote AP with the same SSIDs as we have on our central site.
One SSID is based on captive portal authentication. Students or staff connecting to this SSID get a simple web access.
The forward mode is tunnel, and the operation mode is standard.
The second SSID is based on 802.1X authentication, with role derivation rules set up on the Server Group Profile.
The rules fix the user role according to the value of an attribute sent by a RADIUS server during authentication:
- if the attribute equals "student", the role for the user is set to student-role.
- if the attribute equals "staff", the role is set to staff-role.
In this case, the user gets more or less privileges according to his status (staff or student).
For each role, a different role VLAN ID is set, so that the user is placed in the proper VLAN to get his IP address.
- staff-role, vlan ID = 8,
- student-role, vlan ID = 10.
The forward mode setting for this VAP is bridge mode, and its operation mode is persistent. In case of a failure with our main controller, the connected users can still work on their local IT resources.
Both VLAN IDs 8 and 10 are set in the VAP Vlans.
The corresponding AP system profile for the RAP has the native VLAN set to 4, which is the VLAN on the remote site where all network equipment is placed.
The port of the switch on which the RAP is plugged is configured as a trunk for VLAN 8 and 10, with native VLAN set to 4.
When a user from the staff tries to connect to this SSID, he gets the correct role for the derivation rules: staff-role.
However, the IP address the user gets is from the student VLAN, and I don't understand why.
I've checked the configuration, and I don't see any reference to VLAN 10 linked to staff-role.
Any idea?
The Aruba OS is 5.0.4.13.
Thanks for your help.
Sylvain