Occasional Contributor II
Posts: 13
Registered: ‎11-06-2012

Virtual-AP mapped into wrong VLAN

Hi All,

 

Seeing some strange VLAN behavior on one of our Aruba controllers and looking to see if any of you have seen anything like this before or have any idea on how to go about it. I'm thinking I might be missing something obvious, but I'm clearly overlooking it if that is the case.

 

Let me explain:

We have a controller with 3 SSIDs, and 2 of these should terminate in the same VLAN. They just have different authentication backends.

The 3rd SSID is a Guest network that is tunneled to a DMZ controller.

 

Config looks similar to the below:

wlan virtual-ap "SSID1-vap"
   aaa-profile "SSID1-aaa"
   ssid-profile "SSID1-ssid"
   vlan 201
!
wlan virtual-ap "Guest-vap"
   aaa-profile "Guest-aaa"
   ssid-profile "Guest-ssid"
   vlan 300
!
wlan virtual-ap "SSID2-vap"
   aaa-profile "SSID2-aaa"
   ssid-profile "SSID2-ssid"
   vlan 201
!

 

Both SSID1/SSID2 should go into VLAN201 and Guest should go into VLAN300. Pretty straightforward.

 

Now what we're seeing is that users on SSID2 indeed get mapped into VLAN201. Guest users get mapped into VLAN300 and tunneled. However SSID1 users also get mapped into VLAN300 and tunneled ... ?

 

Looking at virtual-AP output I see both my SSID1/SSID2 mapped to VLAN201 - however users still go into VLAN300 for SSID1?

 

(Aruba) #show wlan virtual-ap "SSID1-vap"

Virtual AP profile "SSID1-vap"
---------------------------------------
Parameter                                           Value
---------                                           -----
Virtual AP enable                                   Enabled
Allowed band                                        all
AAA Profile                                         SSID1-aaa
802.11K Profile                                     default
SSID Profile                                        SSID1-ssid
VLAN                                                201
Forward mode                                        tunnel

 

(Aruba) #show wlan virtual-ap "SSID2-vap"

Virtual AP profile "SSID2-vap"
--------------------------------------------
Parameter                                           Value
---------                                           -----
Virtual AP enable                                   Enabled
Allowed band                                        all
AAA Profile                                         SSID2-aaa
802.11K Profile                                     default
SSID Profile                                        SSID2-ssid
VLAN                                                201
Forward mode                                        tunnel
!

 

I'm wondering if there is another parameter somewhere that would be overwriting the VLAN for SSID1 or if there is any way we can check this on the controller.

 

I can see the authentication happening on the backend so I'm sure they are connecting to the right SSID - I'm lost on why they would end up in a different VLAN. Are there any settings elsewhere that could enable such behavior?

 

Thanks in advance,

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Virtual-AP mapped into wrong VLAN

Run the following command on the controller to see what set the VLAN for the user:

show user ip x.x.x.x

 

Look for the line:

VLAN Derivation:

 

There are a couple of places where the role could be overwritten (not knowing if you have either set):

 

  1. The default role for the SSID1-AAA profile; you can set VLANs in the role.
  2. Server derivation rules set on the server group within SSID1-AAA
------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 13
Registered: ‎11-06-2012

Re: Virtual-AP mapped into wrong VLAN

@clembo - this looks to be exactly what I was looking for, thanks. I'm now just patiently waiting for a user to show up that will try to connect :)

 

 

Occasional Contributor II
Posts: 13
Registered: ‎11-06-2012

Re: Virtual-AP mapped into wrong VLAN

Just wanted to share the solution here as we managed to fix it.

 

clembo was right and it was the first suggestion:

The default role for the SSID1-AAA profile; you can set VLANs in the role

 

That being said, we didn't initially see it, as the VLAN command was not on the user-role set by the AAA profile but in the initial 'user-role logon', which is the initial user-role prior to authentication. It seems that even if the user-role changes, the VLAN sticks to the user.

 

The other VAP didn't have this issue as it was getting a VLAN through RADIUS VSA on its AAA profile.
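An offline check for the misconfiguration described in this thread, added here as an example and not posted by anyone in the thread: it scans a saved controller config for user-roles that are referenced by a virtual-AP's AAA profile and carry a VLAN different from the virtual-AP's own. The sample config is constructed; its `user-role` and `aaa profile` stanzas (including `initial-role` and `dot1x-default-role`) are assumptions modelled on the fix described above, and the function names are hypothetical.

```python
# Constructed sample; only the virtual-ap stanzas mirror what the thread shows.
SAMPLE = '''
user-role logon
   vlan 300
!
aaa profile "SSID1-aaa"
   initial-role "logon"
   dot1x-default-role "employee"
!
aaa profile "SSID2-aaa"
   initial-role "employee"
!
wlan virtual-ap "SSID1-vap"
   aaa-profile "SSID1-aaa"
   vlan 201
!
wlan virtual-ap "SSID2-vap"
   aaa-profile "SSID2-aaa"
   vlan 201
!
'''

def parse(config):
    """Map (stanza kind, name) -> {setting: value}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        text = line.strip().replace('"', '')
        if text in ('', '!'):
            continue
        if not line[0].isspace():  # an unindented line opens a new stanza
            kind, _, name = text.rpartition(' ')
            current = stanzas.setdefault((kind, name), {})
        elif current is not None:
            key, _, value = text.partition(' ')
            current[key] = value
    return stanzas

def role_vlan_overrides(config):
    """Find roles in a VAP's AAA profile whose VLAN differs from the VAP's."""
    s, findings = parse(config), []
    for (kind, vap), body in s.items():
        if kind != 'wlan virtual-ap':
            continue
        aaa = s.get(('aaa profile', body.get('aaa-profile')), {})
        for setting, role in aaa.items():
            vlan = s.get(('user-role', role), {}).get('vlan')
            if setting.endswith('-role') and vlan and vlan != body.get('vlan'):
                findings.append((vap, body.get('vlan'), setting, role, vlan))
    return findings
```

On the sample, `role_vlan_overrides(SAMPLE)` reports SSID1-vap (VLAN 201) against the `logon` initial role (VLAN 300). VLANs assigned at runtime, such as the RADIUS VSA mentioned above, are not in the config, so `show user ip x.x.x.x` and its "VLAN Derivation" line remain the check for a live session.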

 
