Wireless Access

Contributor II
Posts: 54
Registered: ‎08-29-2010

new AAA profile

Hi,

Could you help me configure an AAA profile in which the RADIUS server decides the client VLAN based on Active Directory membership?

Thanks

Retired Employee
Posts: 234
Registered: ‎04-19-2011

Re: new AAA profile

Are you looking for Vendor Specific Attributes?

VENDOR      Aruba                     14823

ATTRIBUTE   Aruba-User-Role           1   String    Aruba
ATTRIBUTE   Aruba-User-Vlan           2   Integer   Aruba
ATTRIBUTE   Aruba-Priv-Admin-User     3   Integer   Aruba
ATTRIBUTE   Aruba-Admin-Role          4   String    Aruba

# Added in 2.4.1.0 (June 2005)
ATTRIBUTE   Aruba-Essid-Name          5   String    Aruba
ATTRIBUTE   Aruba-Location-Id         6   String    Aruba

# Added in 2.5.3.0 (July 2006)
ATTRIBUTE   Aruba-Port-Identifier     7   String    Aruba

--
HT
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: new AAA profile

What is your RADIUS server? The VLAN decision based upon AD group membership will be done by the RADIUS server. On the Aruba side, you can configure the server group to take action and assign a VLAN based upon the RADIUS attributes returned. This requires you to set the return attribute on the RADIUS side. If you are using IAS/NPS you'll need to use a vendor-supplied custom attribute (listed below).

On the Aruba side, for example:

aaa server-group "radius-group"
  set vlan condition "Aruba-User-Vlan" equals "x" set-value x position 1

Or (this will set the VLAN to whatever the returned value is, rather than specifying individual VLANs):

aaa server-group "radius-group"
  set vlan condition "Aruba-User-Vlan" value-of position 1


Aruba Custom VSAs (for NPS or other RADIUS servers that do not have the Aruba RADIUS dictionary).

Vendor Code: 14823

Value                   Attribute Number   Type
Aruba-User-Role         1                  String
Aruba-User-Vlan         2                  Integer
Aruba-Priv-Admin-User   3                  Integer
Aruba-Admin-Role        4                  String
Aruba-Essid-Name        5                  String
Aruba-Location-Id       6                  String
Aruba-Port-Id           7                  String
Aruba-Template-User     8                  String
Aruba-Named-User-Vlan   9                  String

Aruba-Priv-Admin-User: a non-negative value will give root/enable access

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
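The reply above describes two halves of the mechanism: the RADIUS server returns an Aruba VSA (vendor 14823, Aruba-User-Vlan = attribute 2, Integer) in its Access-Accept, and the controller's server-group "set vlan condition" rules turn that attribute into a VLAN. The following is an added example, not code from the thread or from Aruba: it encodes and decodes the VSA on the wire using the RFC 2865 section 5.26 layout (type 26, length, 4-byte Vendor-Id, then Vendor-Type, Vendor-Length, value), and emulates the two rule forms quoted in the post ("equals ... set-value" and "value-of"). The Access-Accept attribute list is constructed for the example, and the assumption that rules are evaluated in position order with the first match winning is mine, not something the post states; verify it against your controller's documentation.

```python
"""Added example (not from the thread): build and parse the Aruba VSA a RADIUS
server returns in Access-Accept, then emulate the controller-side
'set vlan condition' rules. Wire layout per RFC 2865 section 5.26; attribute
numbers are those posted in the thread; the sample packet is constructed."""
import struct

ARUBA_VENDOR_ID = 14823
VSA_TYPE = 26  # RFC 2865 Vendor-Specific attribute type

# Vendor attribute numbers and data types as listed in the thread.
ARUBA_ATTRS = {
    1: ("Aruba-User-Role", "string"),
    2: ("Aruba-User-Vlan", "integer"),
    3: ("Aruba-Priv-Admin-User", "integer"),
    4: ("Aruba-Admin-Role", "string"),
    5: ("Aruba-Essid-Name", "string"),
    6: ("Aruba-Location-Id", "string"),
    7: ("Aruba-Port-Identifier", "string"),
    8: ("Aruba-Template-User", "string"),
    9: ("Aruba-Named-User-Vlan", "string"),
}
NAME_TO_NUM = {name: num for num, (name, _) in ARUBA_ATTRS.items()}


def encode_vsa(name, value):
    """Encode one Aruba VSA exactly as it appears inside a RADIUS packet."""
    num = NAME_TO_NUM[name]
    kind = ARUBA_ATTRS[num][1]
    payload = struct.pack("!I", int(value)) if kind == "integer" else str(value).encode()
    vendor_part = struct.pack("!BB", num, 2 + len(payload)) + payload
    body = struct.pack("!I", ARUBA_VENDOR_ID) + vendor_part
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_attrs(raw):
    """Walk a RADIUS attribute list. Aruba VSAs come back as (name, value);
    other attributes as ('Attr-<type>', raw bytes). Every length field is
    bounds-checked so a truncated or malformed list raises instead of being
    silently misread."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("bad attribute length")
        data = raw[i + 2:i + alen]
        if atype == VSA_TYPE:
            if len(data) < 4:
                raise ValueError("VSA shorter than Vendor-Id")
            vendor_id = struct.unpack("!I", data[:4])[0]
            j = 4
            while j < len(data):
                if j + 2 > len(data):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = data[j], data[j + 1]
                if vlen < 2 or j + vlen > len(data):
                    raise ValueError("bad vendor sub-attribute length")
                vdata = data[j + 2:j + vlen]
                if vendor_id == ARUBA_VENDOR_ID:
                    name, kind = ARUBA_ATTRS.get(vtype, (f"Aruba-{vtype}", "string"))
                    if kind == "integer":
                        if len(vdata) != 4:
                            raise ValueError(f"{name}: integer VSA must be 4 bytes")
                        value = struct.unpack("!I", vdata)[0]
                    else:
                        value = vdata.decode("utf-8", "replace")
                    out.append((name, value))
                else:
                    out.append((f"Vendor-{vendor_id}-{vtype}", vdata))
                j += vlen
        else:
            out.append((f"Attr-{atype}", data))
        i += alen
    return out


def derive_vlan(attrs, rules):
    """Emulate the server-group 'set vlan condition' rules from the post.
    Assumption (mine): rules run in position order, first match wins.
    'equals' maps one specific returned value to set_value; 'value-of' uses
    the returned value itself as the VLAN id, so it trusts the RADIUS server."""
    for rule in sorted(rules, key=lambda r: r["position"]):
        for name, value in attrs:
            if name != rule["attr"]:
                continue
            if rule["op"] == "value-of":
                return int(value)
            if rule["op"] == "equals" and str(value) == str(rule["match"]):
                return rule["set_value"]
    return None


# The two rule forms from the post, with x = 20 for this example.
RULES_EQUALS = [{"position": 1, "attr": "Aruba-User-Vlan", "op": "equals",
                 "match": "20", "set_value": 20}]
RULES_VALUE_OF = [{"position": 1, "attr": "Aruba-User-Vlan", "op": "value-of"}]


def sample_access_accept():
    """Constructed Access-Accept attribute list: a role VSA, the VLAN VSA and
    a standard Session-Timeout (type 27) to show non-VSA attributes are kept
    but ignored by the VLAN rules."""
    return (encode_vsa("Aruba-User-Role", "employee")
            + encode_vsa("Aruba-User-Vlan", 20)
            + struct.pack("!BBI", 27, 6, 3600))


if __name__ == "__main__":
    attrs = decode_attrs(sample_access_accept())
    print(attrs, derive_vlan(attrs, RULES_VALUE_OF), derive_vlan(attrs, RULES_EQUALS))
```

The "value-of" form is convenient, but it places the whole VLAN decision in the RADIUS server's hands, so the server's AD group-to-VLAN mapping and the RADIUS shared secret are what keep a client out of a VLAN it should not reach; the "equals" form only admits VLANs you enumerated on the controller. Running the block prints the decoded attributes and the VLAN each rule form derives; the encoder output can be compared byte-for-byte against a captured Access-Accept from your own server.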

Contributor II
Posts: 54
Registered: ‎08-29-2010

Re: new AAA profile

Thanks very much. Suppose the scenario is like this: a single SSID with two categories of users. 1) Domain users whose computers are part of AD; they will use their domain username to connect. 2) The other category is user devices that are not part of AD; they also connect using their AD username, but are forced to a specific VLAN based on the MAC address. Is this possible to do?
