Wireless Access

Hi,

I was just wondering about using using two different vlans on a VAP but clients connecting with a static ip?

There are a number of printers that should have a static ip, but then with the vlan pool, they may end up in the wrong vlan.  Is there a way to put these particular clients into the correct vlan according to the static ip they have been configured with?

I'm assuming this will be a user derivation rule that gets applied to the aaa profile and will be something like....

aaa derivation-rules user "test-rule" set vlan condition macaddr starts-with "00:19:70" set-value x

 Are there any other caveats I should be aware of.

Regards

That is the way you should do it.

Thanks Colin.  I've since found out that these static addresses are in the order of ~180.  I don't think that vlan pooling will work here.

Can I take this vlan out from the pool but still place the clients into this vlan?  Or is it better to just create another ssid?

Thanks

Separate SSID.

I tried this

aaa derivation-rules user "test-rule" set vlan condition macaddr starts-with "00:19:70" set-value x

and it seems to cause the printers to not connect.  They are using dot1x.  The cryptic messages in the logs seem to indicate that the client can't be placed into a vlan before they authenticate.  Is that correct?

I'm now thinking I'll need to get the radius server to return an attribute and then define a server rule to place the client into the particular vlan.

Did you ever resolve this?

I raised a TAC case and they confirmed that vlan derivation rules don't work with dot1x.  Tried a different cert so that the radius server returns an attribute, but couldn't get it to work for reasons unknown.

It was to do with the device not taking the new certificate and not the Aruba though.

thanks for the reply.

If you had a type attribute returned like "Printer" you could them give it that role in the controller and also place in a specific VLAN.