Wireless Access

Hi,

I have some problem with my aruba controller,

1. i want to reroute mac address client if client device has connecting to AP and AP will reroute to spesific vlan ( i will reserve mac address before), can i do this!

2. Can i create multiple Vlan at one SSID and chose primary vlan and secondary vlan!

Thanks Before

1. Yes. Personally, I would do this with mac-auth and role derivation. I.e. Setup the mac addresses in the local controller db, with a specific role assignment. Then, in that role, specify the vlan you want. Then, enable mac-auth on the VAP. This should work unless your VAP setup already has more complex auth parameters like role derivation from 802.1x.

2. You can put more than 1 vlan into a VAP yes. Just assign more than 1 in that VAP profile. You can't really chose a "primary" and a "secondary" specifically without some kind of selection process in mind. I.e. what defines when the "primary" should be used, and what defines when the "secondary" should be used in your mind? If you have a criteria, again, derivation and vlan assignments somewhere should work.

Thanks for your reply

1. can you show me how to create mac_auth you mean.

    i already setup :

    A.  Configuration >Security >Authentication > L2 Authentication > Add

    B. and Configuration >Security >Authentication > Server > Internal db > add user ( typing mac address at column username and password), Role ( authenticated )

    C. setup  Configuration >Security >Authentication > AAA Profile > initial role (authenticated), mac auth (authenticated).

    D. then choose  AAA profile (setup before "C") to VAP

  but i not found where setup vlan to mac address reserve, :D

2.  Oh i c. thanks for ur explain.

Please see below configuration sample, i hope it will help you to apply mac base authentication

!! Create MAC Authentication Profile
!! Create Server Group and add server in it
!! Create AAA profile and add Server Group & MAC Authentication profile in it
!! create ssid profile
!! create  vap and Assign AAA & ssid profile to VAP
!! create AP group and add VAP into it



aaa authentication mac "MAC-Athentication-Profile"
  delimiter colon
  max-authentication-failures 0

aaa server-group "MAC-Authentication-ServerGroup"
  auth-server "Internal" position 1

aaa profile "MAC-Authentication-AAA-Profile"
  mac-default-role authenticated
  initial-role logon
  mac-server-group "MAC-Authentication-ServerGroup"
  authentication-mac "MAC-Athentication-Profile"
  authentication-dot1x "default"

wlan ssid-profile "MAC-Authentication-SSID-Profile"
  essid MAC-Authentication
  wpa-passphrase murad123
  opmode wpa2-psk-aes

wlan virtual-ap "MAC-Authentication-VAP-Profile"
  vlan 1
  aaa-profile "MAC-Authentication-AAA-Profile"
  ssid-profile "MAC-Authentication-SSID-Profile"

ap system-profile "MAC-Authentication-APSystemProfile"

ap-group "AP-Group"
  virtual-ap "MAC-Authentication-VAP-Profile"

Also, take a look at Aruba Solutions Exchange (valid support contract required).

https://ase.arubanetworks.com/solution/name/generic_ssid_non_snippet/

This will allow you to build configurations step-by-step.