Frequent Contributor II

Assigning users different vlan/subnet based on AD group membership

Hi,

 

What is the best way to assign users different vlans/subnets?  We want to have different subnets for different groups of users. Users in the active directory IT group get assigned subnet A and that subnet has more permissions on our corporate firewall than a user in the standard user group. Standard users get assigned subnet B and fewer permissions to things through the corporate firewall.

 

Thanks

Aruba

Re: Assigning users different vlan/subnet based on AD group membership

You can do this by sending back Aruba's vendor specific attributes (Aruba-User-Vlan in this case).     The process involves setting up server rules on the server group that is handling the authentication for your users and then configuring the RADIUS end to return the proper attributes and values depending on the conditions/group memberships you choose.  The process for the latter depends on the RADIUS platform.  Can you let us know what you are using for RADIUS?

 

There is now a list of at least 30 supported Aruba-specific VSAs; there may be more:

 

Vendor code: 14823

Attribute                      Number  Format
Aruba-User-Role                1       string
Aruba-User-Vlan                2       integer
Aruba-Priv-Admin-User          3       integer
Aruba-Admin-Role               4       string
Aruba-Essid-Name               5       string
Aruba-Location-Id              6       string
Aruba-Port-Id                  7       string
Aruba-Template-User            8       string
Aruba-Named-User-Vlan          9       string
Aruba-AP-Group                 10      string
Aruba-Framed-IPv6-Address      11      string
Aruba-Device-Type              12      string
Aruba-AP-Name                  13      string
Aruba-No-DHCP-Fingerprint      14      integer
Aruba-Mdps-Device-Udid         15      string
Aruba-Mdps-Device-Imei         16      string
Aruba-Mdps-Device-Iccid        17      string
Aruba-Mdps-Max-Devices         18      integer
Aruba-Mdps-Device-Name         19      string
Aruba-Mdps-Device-Product      20      string
Aruba-Mdps-Device-Version      21      string
Aruba-Mdps-Device-Serial       22      string
Aruba-CPPM-Role                23      string
Aruba-AirGroup-User-Name       24      string
Aruba-AirGroup-Shared-User     25      string
Aruba-AirGroup-Shared-Role     26      string
Aruba-AirGroup-Device-Type     27      integer
Aruba-Auth-Survivability       28      string
Aruba-AS-User-Name             29      string
Aruba-AS-Credential-Hash       30      string
------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor II

Re: Assigning users different vlan/subnet based on AD group membership

We are using Win2K8 with NPS for RADIUS. It then talks to AD for authentication/authorization.

Frequent Contributor II

Re: Assigning users different vlan/subnet based on AD group membership

Anyone have other ideas?

Aruba

Re: Assigning users different vlan/subnet based on AD group membership

You can achieve this by using the Aruba VSAs above. For example, on NPS create a network policy for the "IT" group and assign VLAN XYZ.

 

 

Policy Name - Wireless-IT-VLAN-Assignment

Type of Network Access Server - Unspecified

Conditions - add whatever you typically add; but make sure you have Windows Group matches IT

Access Granted

EAP Type - add whatever authentication types you use

Constraints - NONE

RADIUS Attributes

  • Click Vendor Specific; click Add
  • Choose Vendor Specific from the Vendor choice; click Add
  • Click to add attribute information
  • Select Vendor Code = 14823 and Yes it conforms, click Configure Attributes
  • Choose 2 as your assigned attribute number (for Aruba-User-VLAN in the above table)
  • Attribute format = integer (decimal for IAS/NPS)
  • Attribute value = XYZ (VLAN number)
  • Click OK to close out

 

On your Server Group that has the NPS servers defined, add a server-derived rule that will look for this attribute from NPS and then apply the VLAN. This will set the VLAN to whatever value is sent by NPS for Aruba-User-VLAN (or to NPS, Vendor 14823, attribute 2).

 

set vlan condition "Aruba-User-Vlan" value-of position 1

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I

Re: Assigning users different vlan/subnet based on AD group membership

Hi

 

As another way, rather than assigning the VLAN from the RADIUS server, you could also just get the RADIUS server to respond with a Filter-ID which contains the name of a role that is defined on the controller. The role would then have a VLAN assigned to it as part of the role configuration.

 

 

Frequent Contributor II

Re: Assigning users different vlan/subnet based on AD group membership

Have you successfully done this and if so can you provide additional information on the steps involved?

 

Thanks

Contributor I

Re: Assigning users different vlan/subnet based on AD group membership

Hi

 

I am assuming that it is me that you are asking the settings for.

 

If it is here is how I did it.

 

Configure the RADIUS server group so that it expects the Filter-ID to be sent back from the RADIUS server.

 

Server Group Rules

 

The Filter-ID response that the RADIUS server sends must exactly match a role that you have created on the controller.

 

Windows 2008 NPS response

 

The role in the controller looks like this

 

super role on controller

 

The super role assigns the user to VLAN 17. We have done this so that even though the SSID is configured to use a VLAN pool for the users, any user that is a member of the super users group in AD will automatically be put into VLAN 17 on the wireless and get access to additional resources.

 

Works a treat.

 

Thanks

Aruba

Re: Assigning users different vlan/subnet based on AD group membership

@istong,

 

revans' solution does work just fine. Using Filter-Id or Aruba-User-Role to assign a role that has a VLAN assigned both work. The choice on your part is whether you want the same role for the users (but different VLANs assigned by RADIUS) or if it makes sense to create a new role to go with the VLAN differentiation.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I

Re: Assigning users different vlan/subnet based on AD group membership

We use 802.1X and VLAN steering to do it. In NPS, Network Policies, define a policy for a group and under 'Conditions', add the AD group; under 'Settings', add 'Tunnel-Medium-Type' (802), 'Tunnel-Pvt-Group-ID' (VLAN ID, i.e. 100), and 'Tunnel-Type' (Virtual LANs). Do this for all the groups and assign VLANs.
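The three answers above all come down to what the RADIUS server puts in its Access-Accept: the Aruba-User-Vlan VSA (vendor 14823, attribute 2) consumed by the "value-of" server-derivation rule, a Filter-Id or Aruba-User-Role naming a controller role that carries the VLAN, or the standard Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple from the last post. The following is an added example, not code from this thread or from Aruba or Microsoft: it encodes each variant the way it appears on the wire, decodes it with length checks, and emulates the controller's derivation. Attribute numbers and values come from RFC 2865, RFC 2868, RFC 3580 and the VSA table above; the function names and the sample VLAN and role values are illustrative assumptions.

```python
# Added example, not code from the Airheads thread: it encodes the RADIUS
# Access-Accept attributes behind the three approaches discussed (Aruba-User-Vlan
# VSA, Filter-Id naming a role, RFC 3580 Tunnel-* VLAN steering), decodes them
# with length checks, and applies a "value-of"-style derivation the way a
# controller rule would. Constants come from RFC 2865/2868/3580 and the Aruba
# VSA table; function names and sample values are illustrative assumptions.
import struct

ARUBA_VENDOR_ID = 14823          # Aruba VSA vendor code
ARUBA_USER_ROLE = 1              # Aruba-User-Role (string)
ARUBA_USER_VLAN = 2              # Aruba-User-Vlan (integer)
FILTER_ID = 11                   # RFC 2865
VENDOR_SPECIFIC = 26             # RFC 2865
TUNNEL_TYPE = 64                 # RFC 2868
TUNNEL_MEDIUM_TYPE = 65          # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81     # RFC 2868
TUNNEL_TYPE_VLAN = 13            # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6            # RFC 3580: Tunnel-Medium-Type = IEEE-802


def avp(attr_type, value):
    """Encode one attribute as Type | Length | Value; Length is a single byte."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def aruba_vsa(vendor_type, value):
    """Encode an Aruba VSA: attr 26, 4-byte Vendor-Id 14823, then vendor type/length/value."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID)
               + bytes([vendor_type, len(value) + 2]) + value)


def tagged(value, tag=0):
    """RFC 2868 tagged value: one tag byte (0x00..0x1F) followed by the payload."""
    return bytes([tag]) + value


def accept_aruba_vlan(vlan):
    """Approach 1: Aruba-User-Vlan (14823/2) as a 4-byte integer, what the NPS VSA policy sends."""
    return aruba_vsa(ARUBA_USER_VLAN, struct.pack("!I", vlan))


def accept_filter_id(role):
    """Approach 2: Filter-Id carrying the name of a controller role that owns the VLAN."""
    return avp(FILTER_ID, role.encode())


def accept_tunnel(vlan):
    """Approach 3: RFC 3580 VLAN steering with the Tunnel-* triple, tag 0."""
    return (avp(TUNNEL_TYPE, tagged(struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]))
            + avp(TUNNEL_MEDIUM_TYPE, tagged(struct.pack("!I", TUNNEL_MEDIUM_802)[1:]))
            + avp(TUNNEL_PRIVATE_GROUP_ID, tagged(str(vlan).encode())))


def parse_attrs(data):
    """Decode an attribute blob into (type, vendor_id, vendor_type, value) tuples.
    Every length is checked against the buffer so a malformed reply raises
    instead of being silently truncated or over-read."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        t, ln = data[i], data[i + 1]
        val = data[i + 2:i + ln]
        if t == VENDOR_SPECIFIC:
            if len(val) < 6:
                raise ValueError("VSA too short")
            vid, j = struct.unpack("!I", val[:4])[0], 4
            while j < len(val):
                if j + 2 > len(val) or val[j + 1] < 2 or j + val[j + 1] > len(val):
                    raise ValueError("malformed VSA sub-attribute")
                out.append((t, vid, val[j], val[j + 2:j + val[j + 1]]))
                j += val[j + 1]
        else:
            out.append((t, None, None, val))
        i += ln
    return out


def _untag(val):
    """Strip the RFC 2868 tag byte if present (tags are 0x00..0x1F)."""
    return val[1:] if val and val[0] <= 0x1F else val


def derive_vlan(attrs):
    """Emulate 'set vlan condition Aruba-User-Vlan value-of': the Aruba VSA wins,
    else a consistent RFC 3580 tunnel triple, else None (no VLAN override)."""
    tunnel = {}
    for t, vid, vt, val in attrs:
        if t == VENDOR_SPECIFIC and vid == ARUBA_VENDOR_ID and vt == ARUBA_USER_VLAN:
            if len(val) != 4:
                raise ValueError("Aruba-User-Vlan must be a 4-byte integer")
            return struct.unpack("!I", val)[0]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tunnel[t] = _untag(val)
    if (tunnel.get(TUNNEL_TYPE) == b"\x00\x00\x0d"          # VLAN
            and tunnel.get(TUNNEL_MEDIUM_TYPE) == b"\x00\x00\x06"   # IEEE-802
            and TUNNEL_PRIVATE_GROUP_ID in tunnel):
        gid = tunnel[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        return int(gid) if gid.isdigit() else None
    return None


def derive_role(attrs):
    """Emulate a role derivation: Aruba-User-Role wins, then Filter-Id; None otherwise."""
    role = None
    for t, vid, vt, val in attrs:
        if t == VENDOR_SPECIFIC and vid == ARUBA_VENDOR_ID and vt == ARUBA_USER_ROLE:
            return val.decode("ascii", "replace")
        if t == FILTER_ID and role is None:
            role = val.decode("ascii", "replace")
    return role


if __name__ == "__main__":
    for name, blob in [("aruba", accept_aruba_vlan(17)), ("filter", accept_filter_id("super")),
                       ("tunnel", accept_tunnel(100))]:
        a = parse_attrs(blob)
        print(name, blob.hex(), "vlan=", derive_vlan(a), "role=", derive_role(a))
```

Whichever variant you pick, the VLAN a client lands in is decided entirely by the Access-Accept, so the controller must only trust replies from the NPS servers defined in its server group (matching shared secret, and the VSA or Filter-Id value matching an existing role exactly, as the posts above note); a role name that does not exist on the controller results in no role change rather than the VLAN you expected.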
