Contributor II

force IOS devices to use a specific vlan

Hi,

 

If multiple VLANs are associated with an SSID, is there a way to force all iOS devices connecting to that SSID to have the same VLAN (say, only VLAN A)? We use ARUBA OS 6.1.3.2.

 

Thanks

 

Aruba

Re: force IOS devices to use a specific vlan

If you are using only the Aruba base OS and the SSID is utilizing 802.1x authentication, you can implement a user-defined rule and apply it to the AAA profile of the VAP. It can be done either by assigning a VLAN or assigning a role that has a specific VLAN defined.

The DHCP App Note covers this type of configuration: http://www.arubanetworks.com/pdf/technology/AOS-DHCP-FingerPrint-AppNote.pdf

An example configuration would be something similar to this:

 

aaa derivation-rules user iOS-Devices
   set role condition dhcp-option equals "370103060F77FC" set-value iOS (assumes a role named iOS with a VLAN assigned)
   OR
   set vlan condition dhcp-option equals "370103060F77FC" set-value XXX (VLAN number)

aaa profile "existing-aaa-prof"
   user-derivation-rules iOS-Devices

 

 

 

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
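
As an added example (not part of the posts in this thread, and not Aruba code): a Python decoder showing what the rule value "370103060F77FC" encodes and how the same string is derived from a client's DHCP options field. It assumes the rule string is the option number in hex (0x37 = option 55, the parameter request list) followed by that option's value bytes; the function names and the sample option bytes are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Names for the option codes in the thread's rule value (RFC 2132 / RFC 3397;
# 252 is the code commonly used for proxy auto-discovery).
OPTION_NAMES = {1: "subnet-mask", 3: "router", 6: "dns-server",
                15: "domain-name", 119: "domain-search", 252: "wpad"}

def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:            # pad: single byte, no length
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value   # repeated options concatenate (RFC 3396)
        i += 2 + length
    return opts

def fingerprint(opts: Dict[int, bytes], code: int = 55) -> Optional[str]:
    """Assumed rule format: option code byte + value bytes, upper-case hex."""
    if code not in opts:
        return None
    return (bytes([code]) + opts[code]).hex().upper()

def describe(rule_value: str) -> Tuple[int, List[str]]:
    """Split a rule value into its option code and the requested option names."""
    raw = bytes.fromhex(rule_value)
    return raw[0], [OPTION_NAMES.get(b, f"option-{b}") for b in raw[1:]]

# Constructed sample option fields (not captured traffic).
IOS_LIKE = bytes.fromhex("350101" "37060103060F77FC" "390205DC" "FF")
OTHER = bytes.fromhex("350101" "370C010F03062C2E2F1F2179F92B" "FF")
RULE = "370103060F77FC"   # value from the derivation rule in the thread

if __name__ == "__main__":
    for name, blob in (("ios-like", IOS_LIKE), ("other", OTHER)):
        fp = fingerprint(parse_dhcp_options(blob))
        print(name, fp, "-> rule matches" if fp == RULE else "-> no match")
    print(describe(RULE))
```

The request list is supplied by the client, so a rule like this classifies what a device reports about itself. Any client that sends the same list matches the rule, and a device that sends a different list does not.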

Contributor II

Re: force IOS devices to use a specific vlan

Thank you. Does this mean that if we use a VLAN pool, the specified VLAN will be assigned only to the VLAN mentioned in the rule, and all other devices will be assigned to the rest of the VLANs in the pool?

Aruba

Re: force IOS devices to use a specific vlan

If you use VLAN pooling, and the VLAN you specify in this derivation rule is within the pool, THEN

a) IOS devices will be in this VLAN (good...)

b) other devices may also get put into this same VLAN (maybe/maybe not desirable depending on your stance on VLANs) depending on the MAC address hash algorithm that VLAN pooling uses.

 

Contributor II

Re: force IOS devices to use a specific vlan

Is there any condition you know of that can be set in NPS to match this option?

Contributor II

Re: force IOS devices to use a specific vlan

Hi,

 

I tried this, but I am not getting an IP; it shows authenticated, no IP. If I disable the user-derived role, everything is OK.

 

set vlan condition dhcp-option equals "370103060F77FC" set-value XXX (VLAN number)

 

aaa profile "existing-aaa-prof"
user-derivation-rules iOS-Devices

 

Thanks

 

Aruba

Re: force IOS devices to use a specific vlan

Can you copy the following portions of your config:

 

your virtual AP

your AAA profile

your user defined rule

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II

Re: force IOS devices to use a specific vlan

 
Contributor II

Re: force IOS devices to use a specific vlan

It seems DHCP fingerprinting will be fully functioning only with the next code of ARUBA.

Aruba

Re: force IOS devices to use a specific vlan

Did you want to paste in your config snippets so we can assist you?

I don't know of any caveats that tell me that fingerprinting does not work until the 'new release'. Where did you find that reference? Curious...
