Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AAA Wired Access and VLAN

  • 1.  AAA Wired Access and VLAN

    Posted Dec 16, 2013 07:02 AM

    Reference to attached network diagram. We have implemented Aruba WLAN in the building, which is working as per requirement. Now in the extension phase we wanted to apply the Aruba AAA profile to the wired users as well. In this scenario, when we created VLAN interfaces on Aruba switches, the wired access works perfectly fine. Below is the VLAN interface configuration:

     

    interface vlan 11
            ip address 10.0.11.1 255.255.255.0
            ip helper-address 192.168.0.2
            ip nat inside
            operstate up
            description "1stFlr-WiredVLAN"


    But when we create VLAN interfaces on the core switch (not on the controller), the wired access is not performing as per requirements, i.e. we can't blacklist the users, and the bandwidth contract is also not applicable. The wired users are shown in the 'Logon' role but no policies are applied to them. Please note that in this case the user's default gateway was the core switch's VLAN IP address, and it is configured with an IP helper address to get an IP address from the external DHCP server.

    Please advise, if any.



  • 2.  RE: AAA Wired Access and VLAN

    EMPLOYEE
    Posted Dec 16, 2013 07:26 AM

    So just to confirm, the edge switches are Aruba? (Diagram has Ciscos)

     

    You'd want to apply your AAA at the port level. The best way to use this would be with an interface-group:

     

    interface-group gigabitethernet "ACCESS-PORT-UNTRUSTED-GROUP-B"
       apply-to 0/0/0-0/0/47,1/0/0-1/0/47
       poe-profile "POE-PROFILE-B"
       aaa-profile "UNTRUSTED-AAA-PROFILE-B"
       port-security-profile "PORT-SECURITY-B"
       no trusted port
    !

     

    What type of authentication are you using? 802.1x or MAC auth? 

     

    Have you checked the logs on your RADIUS server? 



  • 3.  RE: AAA Wired Access and VLAN

    Posted Dec 16, 2013 10:18 AM
    Hi Cappalli,

    Thanks for your response. Basically it's a hotel, which is why we have implemented captive portal with guest authentication mode.


  • 4.  RE: AAA Wired Access and VLAN

    EMPLOYEE
    Posted Dec 16, 2013 09:53 AM
    If that VLAN is on your core switch, it probably shouldn't be 'ip nat inside' on the Aruba interface.


  • 5.  RE: AAA Wired Access and VLAN

    Posted Dec 16, 2013 10:16 AM
    Unfortunately we don't have Aruba switches, we have installed Cisco switches...