Frequent Contributor II

Radius authentication

Hi,

I have an Aruba 620 controller, firmware version 6.1.2.

Config requirement: Every user must pass through MAC authentication. User "bob" is a member of RADIUS group Test1. SSID New1 assigns VLAN 10. The New1 SSID is bound to the Test1 RADIUS group. If "bob" tries to access the New1 SSID, the authentication window asks for credentials; once he is authenticated he gets VLAN 10 access.

But user "bob" is not a member of the Test2 RADIUS group. If user "bob" tries to access SSID New2, which is bound to the Test2 RADIUS group, then authentication should not allow him to log in. Expected error message: "user name incorrect".

I have configured: a MAC authentication profile for the SSID, and a server rule for each SSID + VLAN + RADIUS group using the Filter-Id attribute.

Result: user "bob" gets VLAN 10 when he tries to access SSID New1.

But when user "bob" tries to access SSID New2, he is able to authenticate and gets the IP address 169.*.*.*

How can I achieve my requirement?

 

Regards,

 

Nikhil

Guru Elite

Re: Radius authentication

You need a RADIUS server that can compare group, SSID and MAC authentication; otherwise you will not be able to make this work.

Quite frankly, layering AD groups with MAC authentication is too complicated and requires too much administration. You should use something like machine authentication to authenticate the devices that users come in on.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II

Re: Radius authentication

I have a RADIUS server. There are two groups in the RADIUS server, named Test1 & Test2.

I have created the following rule: the attribute is "Filter-Id" for RADIUS group 'Test1' and the operation is "not-equal". It means that if user "bob" is not in the "Test1" group, then assign VLAN 175. VLAN 175 has no IP address range assigned.

I have the same configuration for the "Test2" RADIUS group.

 

[Screenshot: server rule]

My requirement is: user "bob" is not a member of the Test2 RADIUS group. If user "bob" tries to access SSID New2, which is bound to the Test2 RADIUS group, then authentication should not allow him to log in. Expected error message: "user name incorrect".

Kindly suggest how I can achieve this.

 

Regards,

 

Nikhil Patil.

Guru Elite

Re: Radius authentication

You cannot deny a user access from the server derivation rule screen. You can only change the role or VLAN. If VLAN 175 does not exist, it will just put the user in the default virtual AP VLAN, not deny him, so it will not accomplish what you want.

 

Think about this differently:

 

Have a single SSID and a single server group. Have the RADIUS server return a different Filter-Id depending on what group the user is in in AD. Write two server derivation rules putting the user in the correct VLAN depending on the Filter-Id. If the user does not match any rules on the RADIUS server, it will just deny access.

Colin Joseph
Aruba Customer Engineering
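A small Python model of the two designs discussed in this thread, added here as an illustration and not taken from the thread or from Aruba: a server derivation rule is modelled as a VLAN-only decision that falls back to the virtual AP default VLAN when the set VLAN is not configured (the behaviour Colin describes), while in the single-SSID design the RADIUS server itself rejects users who are in no policy group. The user store, the password values, VLAN 20 and the user "eve" are constructed.

```python
# Added model of the two designs discussed above, not Aruba code. Assumption: a server
# derivation rule only sets role/VLAN; an unconfigured VLAN falls back to the VAP default.
from dataclasses import dataclass
DEFAULT_VAP_VLAN = 1              # constructed: the virtual AP's default VLAN
CONFIGURED_VLANS = {1, 10, 20}    # constructed: VLAN 175 deliberately missing
USERS = {                         # constructed RADIUS/AD user store
    "bob": {"password": "s3cret", "group": "Test1"},
    "eve": {"password": "pa55", "group": "Guests"},
}
POLICY_VLANS = {"Test1": 10, "Test2": 20}  # Filter-Id value -> VLAN

@dataclass
class Rule:
    operation: str   # "equals" or "not-equals", applied to Filter-Id
    value: str
    set_vlan: int

def apply_derivation(filter_id, rules):
    """First matching server derivation rule sets the VLAN; no rule can deny."""
    for r in rules:
        hit = filter_id == r.value if r.operation == "equals" else filter_id != r.value
        if hit:
            return r.set_vlan if r.set_vlan in CONFIGURED_VLANS else DEFAULT_VAP_VLAN
    return DEFAULT_VAP_VLAN

def radius_authenticate(user, password, allowed_groups=None):
    """Constructed RADIUS server. allowed_groups=None: accept any valid password
    (the original setup). Otherwise also reject users outside the listed groups."""
    rec = USERS.get(user)
    if rec is None or rec["password"] != password:
        return "Access-Reject", None
    if allowed_groups is not None and rec["group"] not in allowed_groups:
        return "Access-Reject", None
    return "Access-Accept", rec["group"]          # Filter-Id carries the group

def original_design_on_new2(user, password):
    """Separate SSID New2 with the rule 'Filter-Id not-equals Test2 -> VLAN 175'."""
    code, fid = radius_authenticate(user, password)
    if code != "Access-Accept":
        return code, None
    return code, apply_derivation(fid, [Rule("not-equals", "Test2", 175)])

def recommended_design(user, password):
    """Single SSID: RADIUS rejects users in no policy group; rules map group -> VLAN."""
    code, fid = radius_authenticate(user, password, allowed_groups=POLICY_VLANS)
    if code != "Access-Accept":
        return code, None
    rules = [Rule("equals", g, v) for g, v in POLICY_VLANS.items()]
    return code, apply_derivation(fid, rules)
```

In the original design bob is still accepted on New2 and merely lands in a fallback VLAN; only the RADIUS server's Access-Reject in the single-SSID design actually denies a user.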

Frequent Contributor II

Re: Radius authentication

Thank you for your valuable suggestion...

Regular Contributor I

Re: Radius authentication

You can use 2 different RADIUS servers: for SSID1 use the internal RADIUS, for SSID2 use an external RADIUS.

Or you can use MAC authentication on all SSIDs and deny access on the SSID for bob's MAC.

Andrea