Wireless Access

Reply
Frequent Contributor I

RAP 2wg

Hi There,

 

We have a guest SSID broadcasted on Campus AP and Remote AP and we want to apply different policy to clients

connected to RAP. Is there any way to distinguish between client connected to CAP and client connected to RAP?

We are using RADIUS server for authentication. 

Regards,

 

 

Aruba Employee

Re: RAP 2wg

Are the RAP and CAP are in different AP-group ?

 

If yes, you can use the same SSID profile with different AAA profile, you can map the respective roles to the users connecting CAP and RAP. 

 

 

Vinod Kumaar AVM ACMX, ACDX
Principal Network Engineer
Customer Advocacy | Aruba Networks Inc.

Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the bottom right hand corner of the post.
Frequent Contributor I

Re: RAP 2wg

Yes, the CAP and RAP are in different AP groups.

 

The users that connect either to RAP or CAP are getting the same server derived role because they are authenticated

by the same network policy on the radius server. So by specifying different AAA profie with different default role does not help

because the default role will not be assigned if the server derived role is present.

 

If  i move the RAP to a different controller then based on the NAS ID i can specify different value to the radius attribute on the

network policy and then the server derived role will be different. I tested this by moving the CAP to another controller and it works.

 

Is it possible to move the RAP from the master to a local controller?  

 

Thanks.

Aruba

Re: RAP 2wg

Sure Remote APs (RAPs) can terminate on any reachable controller.     You can set the LMS-IP address in the AP system profile within the AP-Group to the desired controller that you are trying to have the remote AP terminate upon.  

 

AP-Group

   AP-SYSTEM-PROFILE

      LMS-IP  field   == controller to terminate upon (aka. users will 'pop up' on)

Contributor I

Re: RAP 2wg

Actually, you don't even need to move the RAP... If you create a new radius entry for your radius server, you can specify a different NAS-ip, which would allow you to apply a different radius policy for that AP group. Of course, you'd subsequently have to create a new aaa profile and virtual AP in order to implement it... But it is doable. We use NAS-ip to trick our radius servers all the time, and it works great. Hope this helps! - Jay
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: