Occasional Contributor II
Posts: 16
Registered: ‎09-14-2011

Radius assigned VLAN on AP-93H wired ports

Wondering if this is even possible. I have radius assign the user to a vlan based on username for our WLAN profile.

I'm looking to do something similar with the wired ports that are user accessible on the AP-93H by having the controller pass the MAC address of the computer plugged into the port to the radius server for MAC based authentication and VLAN assignment.

I have MAC based authentication in use on all of our Procurve switches using RFC 3580 so I'm looking to do something similar in order to keep our current network registration system working as it is.

Guru Elite
Posts: 20,351
Registered: ‎03-29-2007

Re: Radius assigned VLAN on AP-93H wired ports

You can do this with a Server Derivation Rule in the Server Group that is authenticating that wired VLAN: The rule looks for the username Robert and sets the client to VLAN 10, as a result.

I hope this helps.

userrule.png



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 16
Registered: ‎09-14-2011

Re: Radius assigned VLAN on AP-93H wired ports

That is essentially what I have and my radius server shows that it's getting authentication attempts now. Does it matter what settings I have on this screen? I'm mostly wondering if it needs to be access mode or trunk mode? Tunnel or Bridge? Or does that matter?

Guru Elite
Posts: 20,351
Registered: ‎03-29-2007

Re: Radius assigned VLAN on AP-93H wired ports

Where are those VLANs located? Are they trunked to your controller? If yes, it should be tunneled.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 16
Registered: ‎09-14-2011

Re: Radius assigned VLAN on AP-93H wired ports

The vlans are trunked at the controller as well as at the access point. I don't tunnel the wireless traffic; it all gets bridged.

Guru Elite
Posts: 20,351
Registered: ‎03-29-2007

Re: Radius assigned VLAN on AP-93H wired ports

Quite frankly, you should do one or the other. The controller side is much easier. If that is the case, the forwarding mode must be tunneled. If you want to put it out the AP's ethernet, it should be bridged.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 16
Registered: ‎09-14-2011

Re: Radius assigned VLAN on AP-93H wired ports

Figured it out.

Under the Wired AP Profile:

  • The forward mode must be set to Tunnel
  • The switchport mode set to access
  • In the event that the radius server doesn't recognize the mac address, I set the default access mode vlan to our registration vlan

Under the Mac Authentication Server Group, only the server needs to be specified, as the radius server is returning Tunnel-Private-Group-Id already and that overrides any server rules you may have set, it appears.

New issue: The controller is caching the MAC auth, it looks like, so after a user registers their computer with our network access system and reboots, or unplugs their network cable and plugs back in, the Aruba controller doesn't re-authenticate the computer.
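The VLAN assignment discussed in this thread depends on the RFC 3580 tunnel attributes carried in the RADIUS Access-Accept, so a useful check when debugging is to decode a captured reply and see which VLAN it actually assigns. The following Python is an added example, not part of the original posts and not Aruba's code: it parses a raw RADIUS packet, applies the RFC 2868 tag-octet rule to Tunnel-Private-Group-Id, and models the fallback to a default access VLAN. The function names, the `REGISTRATION_VLAN` value of 999, the sample packet and the fallback model are assumptions made for illustration; the RADIUS authenticator is not verified.

```python
import struct

# Attribute numbers from RFC 2868; VLAN values from RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, ACCESS_REJECT, TYPE_VLAN, MEDIUM_802 = 2, 3, 13, 6

def parse_attributes(packet):
    """Return (code, [(attr_type, value_bytes), ...]) from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def tagged_int(value):  # Tunnel-Type / Tunnel-Medium-Type: tag octet + 3-octet integer
    return int.from_bytes(value[1:], "big") if value and len(value) == 4 else None

def rfc3580_vlan(packet):
    """VLAN ID carried by an Access-Accept, or None if there is no valid assignment."""
    code, attrs = parse_attributes(packet)
    found = dict(attrs)
    if (code != ACCESS_ACCEPT or tagged_int(found.get(TUNNEL_TYPE)) != TYPE_VLAN
            or tagged_int(found.get(TUNNEL_MEDIUM_TYPE)) != MEDIUM_802):
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # a leading octet <= 0x1F is a tag, not text
        group = group[1:]
    text = group.decode("ascii", "replace")
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else None

def port_vlan(packet, default_vlan):
    """Assumed model of the thread's setup: no usable VLAN means the default one."""
    return rfc3580_vlan(packet) or default_vlan

def build(code, attrs):
    """Constructed sample packet with a zeroed authenticator (not verified here)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

REGISTRATION_VLAN = 999  # constructed stand-in for the registration VLAN
ACCEPT = build(ACCESS_ACCEPT, [(TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
    (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"), (TUNNEL_PRIVATE_GROUP_ID, b"10")])
```

To check a real reply, pass the UDP payload bytes of the captured RADIUS response to `rfc3580_vlan`.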

 
