03-30-2015 02:25 PM
We have two SSIDs based on 802.1X authentication, one with machine authentication and the other with user authentication, both authenticated via RADIUS; we have a rule that authenticates both the one and the other.
Suppose we have the SSIDs Corp and Guest.
Corp has VLAN 300 assigned to it and Guest has VLAN 400 assigned. Depending on the SSID, you get one ID or the other.
When I go into the AAA profile Corp and set a role to be assigned if the device succeeds in authenticating the user, it distributes VLAN 300 and not 400. How do I assign it to VLAN 400 if the user can authenticate with the Machine Authentication rule: Default User Role of my 802.1X profile?
If I put VLAN 400 in the distribution scope of my VAP_Corp, it randomly distributes addresses from the two VLANs.
If, in the access control, I set the Role VLAN ID to VLAN 400 in the same rule that it matches when authenticated, it simply ignores it and continues distributing the one that is set in VAP_Guest.
I have ArubaOS version 18.104.22.168.
03-31-2015 06:08 AM
You can assign VLANs in various ways. From your question, I could not be certain of how you are doing it vs. how you want to do it.
- Assign a default VLAN in the virtual AP profile (this will be the default for the SSID)
- Assign a VLAN as part of a user role (this will override the default VLAN in the virtual AP)
- Assign a VLAN based on an Aruba VSA from RADIUS (RADIUS makes a decision and assigns an appropriate VLAN by returning attributes to the controller)
- Define user or server derived rules on the controller to set a VLAN for specific devices
You can also run the following command to determine how/why the client was assigned a particular VLAN:
show user ip x.x.x.x
Look for the VLAN Derivation field.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
03-31-2015 06:28 AM
Hi Clembo, thanks for the reply.
I'll try to explain how we use it here.
The VLAN distribution is set up in our VAP, but the question is precisely this: I read in the manual that configuring the Role VLAN ID in User Roles overrides the VLAN that is configured on my VAP, as you even mentioned. But that's not what's happening. It is distributing the VLAN that is in the VAP; if I delete the VLAN from the VAP and leave only the one in the user role, it does nothing.
My 802.1X profile has two rules: Machine Authentication assigns rule X and User Authentication assigns Y. Within rule Y, for example, I set Role VLAN ID 300, but it did not assign this VLAN when the user authenticates with User Authentication. I'm already thinking of doing the VLAN change on my RADIUS server, but I'd still rather leave everything centralized on my controller.