Occasional Contributor I

VLAN assignment using Radius

Just wondering if anyone has used RADIUS (NPS) to assign users on the same SSID to different VLANs.  I would appreciate any suggestions or advice from anyone that has this implemented.

 

Thanks,

Jeff

Retired Employee

Re: VLAN assignment using Radius


jebowman wrote:

Just wondering if anyone has used RADIUS (NPS) to assign users on the same SSID to different VLANs.  I would appreciate any suggestions or advice from anyone that has this implemented.

 

Thanks,

Jeff


Jeff, 

 

You can achieve this with the use of user-derivation rules 

 

(master) (config) #aaa derivation-rules user test

 

You have the following parameters to assign different VLANs to users. 

 

(master) (user-rule) #set vlan condition ?
bssid            BSSID of access point
dhcp-option      Enable DHCP option processing
dhcp-option-77   Enable DHCP option 77 processing
encryption-type  Encryption method used by station
essid            ESSID of access point
location         user location (ap name)
macaddr          MAC address of user

--
HT
MVP

Re: VLAN assignment using Radius

Easier would be to return the Aruba-User-Vlan VSA in my opinion.

 

In IAS/NPS you configure different network policies. You pick the policies you want to return the vlan. Add the radius attribute to it and you're done. Everyone authenticating using that network policy will be pushed into the specified vlan.

 

 

Sorry, couldn't find the doc about it, but search for Aruba-User-Vlan or RADIUS attributes and I'm sure something will come up here.

Koen (ACMX #351 | ACDX #547 | ACCP)

New Contributor

Re: VLAN assignment using Radius

I think you just missed the point.

 

bssid            BSSID of access point              RADIUS can't change that
dhcp-option      Enable DHCP option processing      RADIUS can't change that
dhcp-option-77   Enable DHCP option 77 processing   RADIUS can't change that
encryption-type  Encryption method used by station  RADIUS can't change that
essid            ESSID of access point              RADIUS can't change that
location         user location (ap name)            RADIUS can't change that
macaddr          MAC address of user                RADIUS can't change that

 

Is there a way to assign users on the same SSID to different VLANs using reply attributes from RADIUS?

 
Guru Elite

Re: VLAN assignment using Radius

Turin,

 

Yes.  You would do that using a Server Derivation Rule.

 

Please see the knowledgebase article here:  http://kb.arubanetworks.com/cgi-bin/arubanetworks.cfg/php/enduser/std_adp.php?p_faqid=920

 

If you want to see what attributes are being returned from the radius server, please see the article here:  http://kb.arubanetworks.com/cgi-bin/arubanetworks.cfg/php/enduser/std_adp.php?p_faqid=826



Colin Joseph
Aruba Customer Engineering


Regular Contributor II

Re: VLAN assignment using Radius

Hi joseph,

 

the link is broken...

Is it possible to update the link?

ACMP 6.4 / ACMX #107 / ACCP 6.5
Contributor I

Re: VLAN assignment using Radius

If I understand your question I believe you are looking for the "Aruba-User-Vlan" RADIUS attribute.  If your RADIUS server returns an arbitrary VLAN number as that attribute the controller will place the client in the VLAN independent of SSID/Virtual AP settings.

 

In my FreeRADIUS test environment I have the following in the post-auth phase, which occurs at the end of a successful EAP-PEAP authentication conversation:

 

        # VLAN override
        if ("%{sql_radius:select count(*) from wpa_vlan where username=lower('%{SQL-User-Name}') and macaddress=lower('%{Calling-Station-Id}')}" > 0) {
            update reply {
                Aruba-User-Vlan := "%{sql_radius:select vlan from wpa_vlan where username=lower('%{SQL-User-Name}') and macaddress=lower('%{Calling-Station-Id}')}"
            }
        }

In my test case I'm successfully placing users in an arbitrary VLAN that is not part of the normal pool and I'm doing it independent of any set role.
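
An added example, not part of any post in this thread and not Aruba's code: since the controller honours whatever VLAN the RADIUS server returns, this Python example shows how Aruba-User-Vlan is carried in an Access-Accept as a Vendor-Specific attribute and checks the returned VLAN against an allowlist. Vendor ID 14823 and attribute number 2 come from the Aruba dictionary shipped with FreeRADIUS; the packet builder, the allowlist and all function names are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type 26 (RFC 2865)
ARUBA_VENDOR_ID = 14823       # Aruba enterprise number (FreeRADIUS dictionary.aruba)
ARUBA_USER_VLAN = 2           # Aruba-User-Vlan, 32-bit integer
ACCESS_ACCEPT = 2
ALLOWED_VLANS = {10, 20, 30}  # constructed allowlist for this example

def encode_user_vlan(vlan):
    """Encode Aruba-User-Vlan as a Vendor-Specific attribute."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    sub = struct.pack("!BBI", ARUBA_USER_VLAN, 6, vlan)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ARUBA_VENDOR_ID) + sub

def build_accept(attributes, ident=1):
    """Constructed Access-Accept with a zeroed authenticator (for parsing only)."""
    body = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body

def iter_tlvs(data):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]

def aruba_user_vlan(packet):
    """Return the Aruba-User-Vlan carried in an Access-Accept, or None."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in iter_tlvs(packet[20:length]):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        for vtype, vvalue in iter_tlvs(value[4:]):
            if vtype == ARUBA_USER_VLAN and len(vvalue) == 4:
                return struct.unpack("!I", vvalue)[0]
    return None

def vlan_permitted(packet):
    """True only when the reply assigns a VLAN that is on the allowlist."""
    return aruba_user_vlan(packet) in ALLOWED_VLANS
```
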

Occasional Contributor I

Re: VLAN assignment using Radius

Use server derivation rules under the server group.

 

Set the attribute with filter-id, filtering a string as an ID from the RADIUS server. Then use role assignment to assign VLANs.
