Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Assign Vlan from NPS to Aruba based on AP Group and Ad membership

  • 1.  Assign Vlan from NPS to Aruba based on AP Group and Ad membership

    Posted Jul 14, 2017 11:53 AM

    Hello, I have an Aruba 7210 controller that I am trying to consolidate SSIDs on.  I use NPS to authenticate my users, and have successfully sent Filter-Ids to the WLC and assigned VLANs based on AD groups.

     

    What I am stuck on is I now need to further filter these down based on the AP-Group the Access Point is in.  So for example, if it is in building #1 and you are a student, you get VLAN 19. But if you are in building #2 and you are a student, you get VLAN 21.

     

    I read on this forum that I should be sending over a VLAN Pool Name from NPS, not just an identifier, which is fine, and I set up my pool, and selected it from the dropdown when I built my server rules, but where would I assign the different VLANs from that pool to the correct group?

     

    I tried creating more rules further below using the Aruba-AP-Group attribute (as shown in the screenshot below) but had no success.  Anyone have any ideas for me?

     Screen Shot 2017-07-14 at 11.50.11 AM.png

     

     

    Thanks for any help, I appreciate it.

     

    Brian



  • 2.  RE: Assign Vlan from NPS to Aruba based on AP Group and Ad membership

    EMPLOYEE
    Posted Jul 14, 2017 12:07 PM

    Why not just return the roles directly from NPS instead of using SDRs?



  • 3.  RE: Assign Vlan from NPS to Aruba based on AP Group and Ad membership

    Posted Jul 14, 2017 12:10 PM

    I am not sure I follow. How would NPS know what group the access point would be in?



  • 4.  RE: Assign Vlan from NPS to Aruba based on AP Group and Ad membership

    EMPLOYEE
    Posted Jul 14, 2017 12:14 PM

    The AP-group is sent in the RADIUS request as the Aruba:Aruba-AP-Group VSA.



  • 5.  RE: Assign Vlan from NPS to Aruba based on AP Group and Ad membership

    Posted Jul 14, 2017 12:32 PM

    Yes, I can see how that would solve my problem.  However, how do I evaluate the Aruba-AP-Group VSA inside NPS?  I assume I have to add it as a code somewhere inside the Conditions for my Network Policy?



  • 6.  RE: Assign Vlan from NPS to Aruba based on AP Group and Ad membership

    Posted Jul 17, 2017 09:12 AM

    Thanks, so I worked with my Integrator and got it figured out.  I needed to create a different RADIUS Server for each AP Group that needed a different VLAN, and stick a NAS-ID inside that RADIUS Server that triggered a condition inside Microsoft NPS.  I then created different corresponding AAA profiles and Server Groups (with all the accompanying rules) and then tied those back to the AAA profile for the VAP inside the correct group and it worked.


    It is going to be a lot of work to set up, and will be more work to troubleshoot if something goes wrong, but it does accomplish my goal of drastically limiting the number of SSIDs we will have.

     

    Thanks!

     

    Brian
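
The layout described in the last post, written out as an ArubaOS CLI sketch for two buildings; this is an added example, not the poster's actual configuration. All profile and group names, the server address, the key placeholder, the NAS-Identifier strings and the Filter-Id value `students` are assumptions, NPS is assumed to return that Filter-Id for the student AD group, and lines starting with `!` followed by text are annotations rather than commands.

```text
! One RADIUS server entry per AP group: same NPS host, different NAS-Identifier
aaa authentication-server radius "nps-bldg1"
   host 192.0.2.10
   key <shared-secret>
   nas-identifier "BLDG1"
!
aaa authentication-server radius "nps-bldg2"
   host 192.0.2.10
   key <shared-secret>
   nas-identifier "BLDG2"
!
! One server group per building; its server rule maps the returned
! Filter-Id to that building's VLAN (19 in building 1, 21 in building 2)
aaa server-group "sg-bldg1"
   auth-server nps-bldg1
   set vlan condition Filter-Id equals "students" set-value 19
!
aaa server-group "sg-bldg2"
   auth-server nps-bldg2
   set vlan condition Filter-Id equals "students" set-value 21
!
! One AAA profile per building, each pointing at its own server group
aaa profile "aaa-bldg1"
   authentication-dot1x "dot1x-example"
   dot1x-server-group "sg-bldg1"
!
aaa profile "aaa-bldg2"
   authentication-dot1x "dot1x-example"
   dot1x-server-group "sg-bldg2"
!
! Same SSID profile in both virtual APs, so clients see a single SSID
wlan virtual-ap "vap-bldg1"
   aaa-profile "aaa-bldg1"
   ssid-profile "campus-ssid"
!
wlan virtual-ap "vap-bldg2"
   aaa-profile "aaa-bldg2"
   ssid-profile "campus-ssid"
!
ap-group "building1"
   virtual-ap "vap-bldg1"
!
ap-group "building2"
   virtual-ap "vap-bldg2"
```

On the NPS side, the matching network policies would use the NAS Identifier condition alongside the AD group condition, so a request carrying `BLDG1` or `BLDG2` can be told apart even though both come from the same controller.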