Security

Contributor I

assign user to vlan according to their organization unit in active directory

I created a few organization units and I wish users who have connected to the network to be assigned to their respective VLAN according to their organization unit in Active Directory.

Aruba Employee

Re: assign user to vlan according to their organization unit in active directory

Is it for an L2 auth or an L3 auth like captive portal?

If it is a L2 auth like .1x, you can use the server derivation rules to manipulate the roles and vlan. 

Vinod Kumaar AVM ACMX, ACDX
Principal Network Engineer
Customer Advocacy | Aruba Networks Inc.

Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the bottom right hand corner of the post.
Aruba Employee

Re: assign user to vlan according to their organization unit in active directory

You are probably going to have to set up RADIUS via Microsoft IAS, assuming you are just using LDAP. Also, you won't be able to do this if you are just using an open SSID with captive portal.

How is your SSID set up?

Thanks,

Zach Jennings
Contributor I

Re: assign user to vlan according to their organization unit in active directory

Thanks for the reply. I am using .1x authentication and RADIUS via Microsoft IAS. Do you mean assigning the correct server rules will achieve this? [Attachment: Screen Shot 2012-02-24 at 7.25.58 AM.png]

Aruba Employee

Re: assign user to vlan according to their organization unit in active directory

There are two parts to this:

First you must create the policies on IAS. It should read something like: if users belong to group_A, then return the value group_A for your attribute (attribute == Class in your example below). You would continue to define additional rules for the rest of your groups.

On the controller side, you perform a mapping that says, if attribute / value pair is class == group_A, then assign Role_A.

** If you leverage a VSA, then you can save a step and not have to define the RADIUS server rules on the controller. The value coming back in the VSA must match the name of the role.

** I indicate role in my example because your VLAN is a component of the role, and you also have the option to define an ACL along with it.

-michael
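The controller-side half of the approach described above, as an added configuration example that is not from the thread or from Aruba: roles carry the VLAN, and server derivation rules map the Class value returned by IAS to a role. The server name, role names, VLAN IDs, host address and shared secret are placeholders, and the ArubaOS CLI syntax shown should be checked against the reference guide for the controller version in use.

```text
! Roles carry the VLAN (and optionally an ACL), which is why the derivation
! rule assigns a role rather than a VLAN directly. Names are hypothetical.
user-role Role_A
  vlan 10
  access-list session allowall
user-role Role_B
  vlan 20
  access-list session allowall

! The IAS server; host and shared secret are placeholders.
aaa authentication-server radius IAS-01
  host 192.0.2.10
  key <shared-secret>
  enable

! One derivation rule per IAS policy: match the Class value IAS returns for
! the group (group_A, group_B, ...) and set the corresponding role. Match on
! the exact string IAS sends, so the rule cannot be satisfied by a partial
! value from another group.
aaa server-group dot1x-srvgrp
  auth-server IAS-01
  set role condition Class equals "group_A" set-value Role_A
  set role condition Class equals "group_B" set-value Role_B

! Alternative from the post: IAS returns the Aruba-User-Role VSA instead, and
! no derivation rules are needed. The VSA value must match an existing role
! name exactly (Role_A); a user who lands in the 802.1X default role rather
! than the expected one is the sign that the returned value did not match.
```

When verifying, compare the role shown for the user on the controller with the group the user belongs to in AD; a mismatch points at either the IAS policy order or a Class value that differs from the rule string.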
