Wireless Access


VLAN assignment using Radius

  • 1.  VLAN assignment using Radius

    Posted Feb 29, 2012 04:21 PM

    Just wondering if anyone has used radius (NPS) to assign users on the same SSID to different VLANs.  I would appreciate any suggestions or advice from anyone that has this implemented.

     

    Thanks,

    Jeff



  • 2.  RE: VLAN assignment using Radius

    Posted Feb 29, 2012 06:09 PM

    @jebowman wrote:

    Just wondering if anyone has used radius (NPS) to assign users on the same SSID to different VLANs.  I would appreciate any suggestions or advice from anyone that has this implemented.

     

    Thanks,

    Jeff


    Jeff, 

     

    You can achieve this with the use of user-derivation rules 

     

    (master) (config) #aaa derivation-rules user test

     

    You have the following parameters to assign different VLANs to users. 

     

    (master) (user-rule) #set vlan condition ?
    bssid            BSSID of access point
    dhcp-option      Enable DHCP option processing
    dhcp-option-77   Enable DHCP option 77 processing
    encryption-type  Encryption method used by station
    essid            ESSID of access point
    location         user location (ap name)
    macaddr          MAC address of user



  • 3.  RE: VLAN assignment using Radius

    MVP
    Posted Mar 01, 2012 09:50 AM

    Easier would be to return the Aruba-User-Vlan VSA in my opinion.

     

    In IAS/NPS you configure different network policies. You pick the policies you want to return the vlan. Add the radius attribute to it and you're done. Everyone authenticating using that network policy will be pushed into the specified vlan.

     

     

    Sorry, couldn't find the doc about it but search Aruba-User-Vlan or radius attributes and I'm sure something will come up here.



  • 4.  RE: VLAN assignment using Radius

    Posted Mar 09, 2012 06:41 AM

    I think you just missed the point.

     

    bssid BSSID of access point RADIUS can't change that
    dhcp-option Enable DHCP option processing RADIUS can't change that
    dhcp-option-77 Enable DHCP option 77 processing RADIUS can't change that
    encryption-type Encryption method used by station RADIUS can't change that
    essid ESSID of access point RADIUS can't change that
    location user location (ap name) RADIUS can't change that
    macaddr MAC address of user RADIUS can't change that

     

    Is there a way to assign users on the same SSID to different VLANs using reply attributes from RADIUS?

     


  • 5.  RE: VLAN assignment using Radius

    EMPLOYEE
    Posted Mar 09, 2012 06:55 AM

    Turin,

     

    Yes.  You would do that using a Server Derivation Rule.

     

    Please see the knowledgebase article here:  http://kb.arubanetworks.com/cgi-bin/arubanetworks.cfg/php/enduser/std_adp.php?p_faqid=920

     

    If you want to see what attributes are being returned from the radius server, please see the article here:  http://kb.arubanetworks.com/cgi-bin/arubanetworks.cfg/php/enduser/std_adp.php?p_faqid=826



  • 6.  RE: VLAN assignment using Radius

    MVP GURU
    Posted Mar 08, 2013 10:24 AM

    Hi joseph,

     

    the link is broken...

    Is it possible to update the link?



  • 7.  RE: VLAN assignment using Radius

    Posted Mar 11, 2013 03:53 PM

    If I understand your question I believe you are looking for the "Aruba-User-Vlan" RADIUS attribute.  If your RADIUS server returns an arbitrary VLAN number as that attribute the controller will place the client in the VLAN independent of SSID/Virtual AP settings.

     

    In my FreeRadius test environment I have the following in the post-auth phase that occurs at the end of a successful EAP-PEAP authentication conversation:

     

            # VLAN override
            if ("%{sql_radius:select count(*) from wpa_vlan where username=lower('%{SQL-User-Name}') and macaddress=lower('%{Calling-Station-Id}')}" > 0) {
                update reply {
                    Aruba-User-Vlan := "%{sql_radius:select vlan from wpa_vlan where username=lower('%{SQL-User-Name}') and macaddress=lower('%{Calling-Station-Id}')}"
                }
            }

    In my test case I'm successfully placing users in an arbitrary VLAN that is not part of the normal pool and I'm doing it independent of any set role.
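
The Aruba-User-Vlan reply attribute discussed in this thread travels as a RADIUS Vendor-Specific attribute (type 26). The following Python is an added example, not part of any post above: it encodes and parses that attribute from a reply's attribute list and checks the returned VLAN against an allowlist, since the override applies independent of SSID/Virtual AP settings. Vendor ID 14823 and attribute number 2 are taken from FreeRADIUS's `dictionary.aruba`; the function names, sample bytes and allowlist are constructed for illustration.

```python
import struct

ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number
ARUBA_USER_VLAN = 2       # Aruba-User-Vlan (integer) in FreeRADIUS dictionary.aruba
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type


def encode_user_vlan(vlan: int) -> bytes:
    """Build the Vendor-Specific attribute that carries Aruba-User-Vlan."""
    sub = struct.pack("!BBI", ARUBA_USER_VLAN, 6, vlan)
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def extract_user_vlan(attrs: bytes):
    """Walk a RADIUS attribute list; return the Aruba-User-Vlan value or None."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        j = 4  # vendor sub-attributes start after the 4-byte vendor ID
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == ARUBA_USER_VLAN and vlen == 6:
                return struct.unpack("!I", value[j + 2:j + 6])[0]
            j += vlen
    return None


def check_reply(attrs: bytes, allowed_vlans: set) -> str:
    """Classify a reply: no override, permitted override, or unexpected VLAN."""
    vlan = extract_user_vlan(attrs)
    if vlan is None:
        return "no-override"
    return f"ok:{vlan}" if vlan in allowed_vlans else f"unexpected:{vlan}"


# Constructed sample: Reply-Message "hi" followed by Aruba-User-Vlan = 120
SAMPLE = bytes([18, 4]) + b"hi" + encode_user_vlan(120)
```
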



  • 8.  RE: VLAN assignment using Radius

    Posted Mar 13, 2013 01:04 PM

    Use server derivation rules under server group.

     

    Set the attribute with filter-id, filtering a string as an ID from the RADIUS server. Then use role assignment to assign VLANs.