Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba-User-Vlan in Server 2008 / 2012

  • 1.  Aruba-User-Vlan in Server 2008 / 2012

    Posted May 15, 2014 12:12 PM

    Hi All,

    I think I'm having one of those moments - you know the one... where you have tried everything, but then when you step away for an hour or so, you suddenly crack it?

    Just in case I'm not - I thought I'd post so I can check back in the morning.

    I'm trying to VLAN tag wireless traffic dependent on AD group, using Windows NPS (Server 2008). I know it works when patched direct because I'm doing it with "Wired Auto Config" elsewhere in the building.

    Down to the technical stuff...

    I've added a new Network Policy in NPS with all the settings related to auth and AD groups, but I just can't get my head around the Vendor Specific Attribute (VSA) part.

    Having followed Clembo's post here:

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Assigning-users-different-vlan-subnet-based-on-AD-group/m-p/61082/highlight/true#M2011

    I'm stuck, as he states that "Attribute format = integer", however Integer isn't an option.

    The options available are: "String, Decimal, Hexadecimal, InetAddr, InetAddr6"

    I've tried both String and Decimal attribute formats while following the linked topic, but no joy.

    The client authenticates but remains stubbornly within the default VLAN.

    I know I've missed something daft here :(

    NPS Logs for reference:

    <Event><Timestamp data_type="4">05/15/2014 16:35:35.056</Timestamp><Computer-Name data_type="1">XXXX3</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.168.0.3 05/06/2014 14:40:01 107005</Class><EAP-Friendly-Name data_type="1">Microsoft: Secured password (EAP-MSCHAP v2)</EAP-Friendly-Name><Authentication-Type data_type="0">11</Authentication-Type><PEAP-Fast-Roamed-Session data_type="0">1</PEAP-Fast-Roamed-Session><MS-CHAP-Domain data_type="2">01535554544F4E4853</MS-CHAP-Domain><MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State><MS-Quarantine-State data_type="0">0</MS-Quarantine-State><Client-IP-Address data_type="3">xxx.xxx.xxx.x</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">Aruba-Master</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections Request</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Service-Type data_type="0">2</Service-Type><SAM-Account-Name data_type="1">xxxxxxxxx\PCN0417$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">xxxxxxxxx\PCN0417$</Fully-Qualifed-User-Name><NP-Policy-Name data_type="1">Staff VLAN4 - Aruba Test</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Vendor-Specific data_type="2">000039E7020600000004</Vendor-Specific><Framed-Protocol data_type="0">1</Framed-Protocol><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

     

     

    Many thanks,


  • 2.  RE: Aruba-User-Vlan in Server 2008 / 2012
    Best Answer

    Posted May 15, 2014 12:45 PM

    Decimal is the correct Attribute format. Make sure you clear the user's session from the controller prior to testing:

    aaa user delete mac xx:xx:xx:xx:xx:xx



  • 3.  RE: Aruba-User-Vlan in Server 2008 / 2012

    Posted May 15, 2014 12:48 PM

    Another option is just to pass back the RADIUS standard "Filter-ID" attribute with a string value and create a corresponding rule in the Server Group to match the string value to a VLAN ID.



  • 4.  RE: Aruba-User-Vlan in Server 2008 / 2012
    Best Answer

    Posted May 15, 2014 09:20 PM

    The official RADIUS dictionary specifies the value as Integer, but xdrewpjx is correct... for IAS/NPS use decimal as the proper format.

    I edited the linked post to reflect it.



  • 5.  RE: Aruba-User-Vlan in Server 2008 / 2012

    Posted May 16, 2014 04:07 AM

    Cheers for the quick replies guys.

    I'd set it to decimal - but was unable to get it to work I'm afraid. :(

    I've just tried the filter-id server rule and again that isn't working, the client remains within the default VLAN.

    Would it be possible to take me through it from the top on the controller side at all?

    I'm assuming the rule on the controller needs to be assigned to the 802.1x Authentication profile?



  • 6.  RE: Aruba-User-Vlan in Server 2008 / 2012

    Posted May 16, 2014 06:31 AM

    Whoops! I hadn't clicked apply when adding the rule.

    The test client has moved into the correct VLAN now using the Aruba-User-VLAN VSA!

    I knew it was something daft.

    Thanks for all your help
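
The Vendor-Specific value in the NPS log from the first post can be decoded to check what NPS actually returned, and to see why the attribute format matters. This is an added example, not code from the thread: the function names are hypothetical, the sample event is the posted one trimmed to three fields, and the Aruba vendor ID (14823) and sub-attribute numbers are taken from the Aruba RADIUS dictionary.

```python
import struct
import xml.etree.ElementTree as ET

ARUBA_PEN = 14823  # Aruba's IANA enterprise number (0x39E7)
# Sub-attribute numbers and types from the Aruba RADIUS dictionary.
ARUBA_ATTRS = {1: ("Aruba-User-Role", "string"), 2: ("Aruba-User-Vlan", "integer")}

# Constructed sample: the NPS event from the first post, trimmed to three fields.
SAMPLE_EVENT = (
    '<Event><NP-Policy-Name data_type="1">Staff VLAN4 - Aruba Test</NP-Policy-Name>'
    '<Vendor-Specific data_type="2">000039E7020600000004</Vendor-Specific>'
    '<Packet-Type data_type="0">2</Packet-Type></Event>'
)

def decode_vsa(hex_value):
    """Decode an RFC 2865 Vendor-Specific value: 4-byte vendor ID, then TLVs."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 6:
        raise ValueError("too short for vendor ID plus one sub-attribute")
    (vendor_id,) = struct.unpack("!I", raw[:4])
    decoded, pos = [], 4
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = raw[pos], raw[pos + 1]  # vlen counts the type and length bytes
        if vlen < 2 or pos + vlen > len(raw):
            raise ValueError(f"bad sub-attribute length {vlen}")
        data = raw[pos + 2:pos + vlen]
        table = ARUBA_ATTRS if vendor_id == ARUBA_PEN else {}
        name, kind = table.get(vtype, (f"type-{vtype}", "octets"))
        if kind == "integer":
            if len(data) != 4:  # e.g. the VLAN sent as text instead of a 32-bit value
                raise ValueError(f"{name} must be a 4-byte integer, got {data!r}")
            value = int.from_bytes(data, "big")
        elif kind == "string":
            value = data.decode("utf-8", "replace")
        else:
            value = data.hex()
        decoded.append((vendor_id, name, value))
        pos += vlen
    return decoded

def summarize_event(event_xml):
    """Return (policy name, packet type, decoded VSAs) for one NPS log event."""
    ev = ET.fromstring(event_xml)
    vsas = [a for el in ev.iter("Vendor-Specific") for a in decode_vsa(el.text)]
    return ev.findtext("NP-Policy-Name"), int(ev.findtext("Packet-Type")), vsas

if __name__ == "__main__":
    print(summarize_event(SAMPLE_EVENT))
```

For the posted event this returns the matched policy, Packet-Type 2 (Access-Accept) and Aruba-User-Vlan = 4, so the accept NPS logged did carry the VLAN as a 32-bit integer.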