Wireless Access

Hi All,

 

We have 2 controllers running in a master - master scenario and a multitude of local controllers. Each local controller has 2 local VLANs for the different 2 user types. The local VLANs vary, some are the same, some are unique. The domain name of each user type is static across all sites.  (2 domains on per user type / group)

 

Lets say the user groups are A and B and the domais are alpha.com and beta.net.

 

To simplify thing I want to authenticate all users against a central AD server (802.1x auth) and using a server rule to read the domain-name attribute and to assign a VLAN name rather than number. 

 

So the rules would be :

 

#set vlan condition Domain-Name equals alpha.com set-value A

#set vlan condition Domain-Name equals beta.net set-value B

 

The named VLAN can then have a different ID on the local controllers.

However I'm unable to set the VLAN to be a name via this method as it only accepts the VLAN ID.

 

It is possible to do this? 

A Vlan name cannot be used in a server derivation rule.

 

Ah ok that's a shame.

 

I'll have to think of another solution!

Infact you can achieve this :

 

I mean to say Named-vlan is supported under SDR.

 

(Aruba3600) #show aaa derivation-rules server-group test

Server Group
------------
Name   Inservice  trim-FQDN  match-FQDN
----   ---------  ---------  ----------
surya  Yes        No

Server Rule Table
-----------------
Priority  Attribute  Operation  Operand    Action    Value  Total Hits  New Hits  Description
--------  ---------  ---------  -------    ------    -----  ----------  --------  -----------
1         User-Name  contains   surya.com  set vlan  ten    2           2

Rule Entries: 1

(Aruba3600) #show vlan mapping

Vlan Mapping Table
------------------
VLAN Name  Pool Status  Assignment Type  VLAN IDs
---------  -----------  ---------------  --------
ten        Disabled     N/A              10

(Aruba3600) #

Shabaresha,

 

What version of code is this supported in?

 

not sure when we started supporting this. but we have this support in couple of releases back.

Shabaresha, thank you.

 

Excellent. Many thanks for letting me know.

Now I just need to see if i can configure this on a matter controller then have the named vlan have a different vlan id on local controllers. Should be ok right?

yes ..

I come across your post while researching a similar issue. We have a single SSID, and they users authenticate using a captive portal through ldap. Two users groups are from different domains. I want to know if you were to resolve your issue using the named VLAN instances.