Hi guys,
I am trying to configure dynamic VLAN assignment on a single IAP for the first time. Of course, I am facing problems. I have followed the following thread:
https://community.arubanetworks.com/t5/Controllerless-Networks/Setup-Dynamic-Vlans/td-p/91772
I have created the NPS policies for each type of AD group and set the Filter-ID attribute. These are the Network policies I have in the NPS:
And this is what I have in my IAP:
The user can authenticate successfully, but always gets an IP within the native VLAN 1, and not within the VLANs I defined (111, 112, 113 or 114). I have checked and I know the port allows all these VLANs to pass.
- According to the first picture, should the conditions on the network policies have only Windows Groups? Should I remove the NAS Port Type condition?
- I don't understand why I have to order the rules with the most specific group membership at the top. For instance, if the user belongs only to the INFO_INTERMEDIO policy, NPS will skip the first rule and stop on the second one, right? Is this required only in case users can belong to more than one group?
- There is a Connection Request Policies section on the NPS, like this:
The condition here is only NAS Port Type and there are no User Groups like in the Network Policies section, but I can't add User Groups as in the Network Policies section. Is this OK? Also in this section, the RADIUS Attributes part is empty, like this:
Do I have to define the Filter-Id attributes here, as in the Network Policies section? I don't know what the difference is between the "Network Policies" and the "Connection Request Policies" sections.
Any clue? Please help!
Regards,
Julián