Wireless Access

Hello,

I am trying to configure dynamic VLAN assignment for a WPA2 Enterprise SSID with local EAP termination on the Aruba Mobility controller. I created two different user-roles and assigned different VLAN's to the user-role.

• user-role employee1 - vlan 20
• user-role employee2 - vlan 30

I also created a vap which contains to VLAN assignments (vlan 20,30). The AAA profile has a 802.1x Authentication Default Role configured, which points to user-role employee1. The 802.1x Authentication Server Group points to Internal. 

Next I have created to user in the local database from the master controller. I connect with both users, but both users get the 802.1x Authentication Default Role (user-role employee1) assigned. I would like the second user to get user-role employee2 assigned. 

Can anybody help?

Instead of using the VLAN set in the role, consider using a server or user derived rule bound to the AAA profile.  In that way, you can create operands like "username" or "mac address" and if conditions are met, then set the VLAN appropriately.

I now configured the derivation rules on the server and use an operand to match the username (like user contains vlan20_). I create the username beginning with vlan20_%username% and vlan30_%username%. 

Not the most beautifull solution, but it works. It would be easier if I could use a remote RADIUS server....