New Contributor

Assign Vlan from NPS to Aruba based on AP Group and Ad membership

Hello, I have an Aruba 7210 controller that I am trying to consolidate SSIDs on. I use NPS to authenticate my users, and have successfully sent filter-ids to the WLC and assigned VLANs based on AD groups.

What I am stuck on is I now need to further filter these down based on the AP-Group the access point is in. So for example, if it is in building #1 and you are a student, you get VLAN 19. But if you are in building #2 and you are a student, you get VLAN 21.

I read on this forum that I should be sending over a VLAN pool name from NPS, not just an identifier, which is fine, and I set up my pool, and selected it from the dropdown when I built my server rules, but where would I assign the different VLANs from that pool to the correct group?

I tried creating more rules further below using the Aruba-AP-Group attribute (as shown in the screenshot below) but had no success. Anyone have any ideas for me?

[Attached screenshot: Screen Shot 2017-07-14 at 11.50.11 AM.png]

Thanks for any help, I appreciate it.

Brian

Guru Elite

Re: Assign Vlan from NPS to Aruba based on AP Group and Ad membership

Why not just return the roles directly from NPS instead of using SDRs?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Assign Vlan from NPS to Aruba based on AP Group and Ad membership

I am not sure I follow. How would NPS know what group the access point would be in?

Guru Elite

Re: Assign Vlan from NPS to Aruba based on AP Group and Ad membership

The AP-group is sent in the RADIUS request as the Aruba:Aruba-AP-Group VSA.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Assign Vlan from NPS to Aruba based on AP Group and Ad membership

Yes, I can see how that would solve my problem. However, how do I evaluate the Aruba-AP-Group VSA inside NPS? I assume I have to add it as a code somewhere inside the Conditions for my Network Policy?

New Contributor

Re: Assign Vlan from NPS to Aruba based on AP Group and Ad membership

Thanks, so I worked with my integrator and got it figured out. I needed to create a different RADIUS server for each AP group that needed a different VLAN, and stick a NAS-ID inside that RADIUS server that triggered a condition inside Microsoft NPS. I then created different corresponding AAA profiles and server groups (with all the accompanying rules) and then tied those back to the AAA profile for the VAP inside the correct group and it worked.


It is going to be a lot of work to set up, and will be more work to troubleshoot if something goes wrong, but it does accomplish my goal of drastically limiting the number of SSIDs we will have.

Thanks!

Brian
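
When troubleshooting the setup described in this thread, it helps to confirm which site selectors a controller actually puts in an Access-Request: the NAS-Identifier set per RADIUS server and the Aruba-AP-Group VSA. The parser below is an added example, not part of any post in the thread; it assumes the Aruba dictionary values (vendor ID 14823, Aruba-AP-Group as VSA type 10), and the sample packet and every name in it are constructed.

```python
import struct

ARUBA_VENDOR_ID = 14823   # assumption: Aruba enterprise number from the Aruba RADIUS dictionary
ARUBA_AP_GROUP = 10       # assumption: Aruba-AP-Group VSA type from the same dictionary
NAS_IDENTIFIER = 32       # RFC 2865
VENDOR_SPECIFIC = 26      # RFC 2865

def iter_tlvs(buf):
    """Yield (type, value) for 1-byte type / 1-byte length TLVs (length includes the header)."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen

def site_selectors(packet):
    """Return the NAS-Identifier and Aruba-AP-Group carried in an Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    found = {"nas_identifier": None, "aruba_ap_group": None}
    for atype, value in iter_tlvs(packet[20:length]):
        if atype == NAS_IDENTIFIER:
            found["nas_identifier"] = value.decode("utf-8", "replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            (vendor,) = struct.unpack("!I", value[:4])
            if vendor == ARUBA_VENDOR_ID:
                for vtype, vvalue in iter_tlvs(value[4:]):
                    if vtype == ARUBA_AP_GROUP:
                        found["aruba_ap_group"] = vvalue.decode("utf-8", "replace")
    return found

def attr(atype, value):
    """Encode one attribute (helper for building the constructed sample)."""
    return bytes([atype, len(value) + 2]) + value

def sample_request():
    """Constructed Access-Request; user, NAS-ID and AP group names are made up."""
    vsa = struct.pack("!I", ARUBA_VENDOR_ID) + attr(ARUBA_AP_GROUP, b"building-2")
    attrs = attr(1, b"student1") + attr(NAS_IDENTIFIER, b"bldg2-nasid") + attr(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(site_selectors(sample_request()))
```

If the NAS-Identifier comes back empty or the same for every building, the NPS condition keyed on it cannot tell the sites apart.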

 
