Wireless Access

Hi guys,

 

I am trying to configure dynamic VLAN assignment on a single IAP for the first time. Of course, I am facing problems. I have followed the following thread:

 

https://community.arubanetworks.com/t5/Controllerless-Networks/Setup-Dynamic-Vlans/td-p/91772

 

I have created the NPS policies for each type of AD group and set the Filter-ID attribute. These are the Network policies I have in the NPS:

And this is what I have in my IAP:

User can authenticate successfully, but the user always gets an IP within the native VLAN 1, and not within the VLANs I defined (111, 112, 113 or 114). I have checked and I know the port is allowing to pass all these VLANs.

 

1. According to the first picture, the conditions on the network policies should have only Windows Groups? Should I remove the NAS Port Type condition?
2. I don't understand why I have to order the rules with the most specific group membership at the top. For instance, if the user belongs only two INFO_INTERMEDIO policy, NPS will skip the first rule and stops on the second one, right? Is this required only in case users can belong to more than one group?
3. There is a Connection Request Policies section on the NPS, as this:

The Condition here is only NAS Port Type and there is no User Groups like in the Network Policies section, but I can't add User Groups as in the Network Policies section? Is this OK? Also in this section, the RADIUS Attributes part is empty, like this:

Do I have to define here the Filter-Id Attributes such as in the Network Policies section? I don't know what is the difference between the "Network Policies" and the "Connection Request Policies" sections.

 

Any clue? Please help!

 

Regards,

Julián

 

 

Hi,

Doing more testing. The customer PC which is within the domain always gets an IP address within the native VLAN. I tested with my PC which is not in the domain, and when the username was in INFO_BASICO group I got an IP address within VLAN 111. After this customer changed the username to group INFO_INTERMEDIO and I got an IP address within VLAN 112, so far great. After this customer changed the username to group INFO_AVANZADO but I got the same IP address within VLAN 112. And after this customer changed the username to group INFO_BASICO again and I got again the same IP address within VLAN 112.
Any idea? Please your support!

Many thanks,
Julián

Hi,

 

The other thing I don't know. There are two more attributes within the Network Policy > Configuration > RADIUS Attributes > Standar:

These two attributes (Frame-Protocol and Service-Type) were automatically created when I created the Network Policy (I used the 802.1x Wireless Connection Wizard). Then I added the Filter-Id attribute. Shoud I remove these two attributes and leave only the Filter-Id?

 

Regards,

Julián

Those two attributes have no effect on authentication.

Hi Colin,

Authentication works fine, VLAN assignment is what doesn't work correctly and I don't know if those two attributes have an effect on it. And do you know the answer to my other three questions? I guess the IAP configuration is ok and the problem is the NPS configuration, but I am a beginner in NPS/RADIUS servers.

Regards,
Julián

Do are you using "disconnect-user" on the commandline of the IAP after you finish authenticating to make sure that the previous session is cleared? https://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#CLI_commands/disconnect_user.htm?Highlight=disconnect-user

 

This is important when you are using the same device.

Ok thanks, I will have a try and we'll see.

Regards,
Julián