Wireless Access

Occasional Contributor II

server derived rule for a vlan

Hi,

Can I have a server-derived VLAN (server rule) for a specific group of users in an SSID which is configured with its VLAN setting as a pool of VLANs? We use NPS for .1x authentication. If yes, could you help us with the configuration on both the controller and RADIUS?

 

Thanks

 

Guru Elite

Re: server derived rule for a vlan

New in ArubaOS 6.3, you can assign a VLAN pool to a server derivation rule.  From the 6.3 release notes:

 

VLAN Derivation from Named VLAN Pools


Named VLANs can be configured under user rule, server derivation, user derivation, and VSA in this release. Previously, only single VLAN ID names supported the above.

You cannot modify a VLAN name so choose the name carefully.

Named VLANs (single VLAN IDs or VLAN pools) can only be assigned to tunnel mode VAPs and wired profiles. They can also be assigned to user roles, user rule derivation, server derivation, and VSA for tunnel and bridge mode.

 

There are two parts to this:

 

1- Configuring NPS to send back an attribute based on a user group:  http://community.arubanetworks.com/t5/Campus-WLAN-and-High-Density-Wi/Assigning-users-different-vlan-subnet-based-on-AD-group/td-p/59210

 

2- Writing a server derivation rule to put users in a named VLAN pool based on that attribute.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
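A sketch of step 2 on the controller, as an added example that is not part of the original post or of Aruba's documentation. The server group name `nps-group`, the server name `nps1`, the use of `Filter-Id` as the attribute NPS returns, the value `staff` and VLAN 120 are all assumptions; substitute the attribute and value your NPS network policy actually sends back.

```text
! Added example: ArubaOS server derivation rule (all names and values are assumed)
! "nps-group" is the server group referenced by the SSID's AAA profile for 802.1X.
aaa server-group "nps-group"
 auth-server nps1
 ! If the Access-Accept from NPS carries Filter-Id = "staff", place the user in
 ! VLAN 120 instead of a VLAN from the pool set on the virtual AP.
 ! Users whose Access-Accept does not match keep the SSID's VLAN pool assignment.
 set vlan condition Filter-Id equals "staff" set-value 120
!
```

Restrict the NPS network policy that returns this attribute to the intended AD group only, since any user matching that policy is moved out of the pool and into the derived VLAN.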
Occasional Contributor II

Re: server derived rule for a vlan

Thank you, Joseph, for the reply. I would like to stress that I don't need a VLAN pool in the server-derived rule; just one VLAN is sufficient. But the SSID is already set for a VLAN pool (VLAN setting under SSID properties). Now, could you advise?

 

Thanks

 

Guru Elite

Re: server derived rule for a vlan

Then you need the first link that describes how to send back the attribute.  You then write a server derived rule to change the VLAN or role based on that returned attribute from NPS.


Occasional Contributor II

Re: server derived rule for a vlan

Hi,

 

Will this setup work if the SSID VLAN setting is already configured for a VLAN pool?

 

Thanks

Guru Elite

Re: server derived rule for a vlan

The server derivation rule overrides that setting as an exception.

Occasional Contributor II

Re: server derived rule for a vlan

Override happens only if computer + user authentication succeeds? Anything like that?

Guru Elite

Re: server derived rule for a vlan

Nothing like that.
