Integrating Aruba WLAN with multiple LDAP servers

By ozerdo posted Nov 11, 2011 08:07 PM



I have two Windows Servers (2003 and SBS). Each is its own domain as one is for parish employees and one is for the school. (No, not ideal.) They are both on the same subnet and share the same gateway. 


Can I create a couple of SSIDs... say, one for students and one for the parish employees? During config, the student SSID would look to the LDAP of the school server and the parish employee SSID would look to the SBS's LDAP?

There aren't too many church employees, and probably fewer who would use Wi-Fi, but it would be great if I could configure it this way.


Reply #1

Sure, the Aruba solution can be set up in the manner you are requesting. There are multiple ways to do this, with one approach being:

1. Create two Virtual AP profiles, each with an SSID and an AAA profile. This gives you separate networks.
2. The AAA profiles are where the authentication servers are configured for each network.
3. In the case of the student SSID, have the student LDAP specified in the AAA profile/server group.
4. In the case of the employees, the reverse: have the employee LDAP specified.
5. Configure the AP group of the access points to advertise each of these virtual APs.
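
For anyone building this out, here is an added ArubaOS CLI sketch of the five steps in Reply #1. It is an example written for this page, not configuration from the poster or from Aruba: one LDAP server per domain, each in its own server group, each referenced from its own AAA profile and virtual AP, and both virtual APs advertised by one AP group. Every hostname, address, DN, VLAN, password and profile name is an assumed placeholder. Two points the steps leave out: a plain LDAP directory verifies a password by binding with it, so the controller has to terminate EAP itself (PEAP with inner EAP-GTC, or EAP-TLS; PEAP-MSCHAPv2 cannot be checked against a generic LDAP bind), and the service account used for that bind should reach the directory over LDAPS rather than cleartext port 389.

```text
! School domain (LDAP over TLS; the service account only needs read access).
! Addresses, DNs and passwords are placeholders.
aaa authentication-server ldap school-ldap
  host 192.0.2.10
  admin-dn "cn=svc-wifi,cn=Users,dc=school,dc=local"
  admin-passwd "ReplaceMe"
  base-dn "cn=Users,dc=school,dc=local"
  key-attribute sAMAccountName
  filter "(objectclass=*)"
  preferred-conn-type ldap-s
!
! Parish domain (the SBS box), same pattern
aaa authentication-server ldap parish-ldap
  host 192.0.2.20
  admin-dn "cn=svc-wifi,cn=Users,dc=parish,dc=local"
  admin-passwd "ReplaceMe"
  base-dn "cn=Users,dc=parish,dc=local"
  key-attribute sAMAccountName
  filter "(objectclass=*)"
  preferred-conn-type ldap-s
!
! One server group per directory, so each SSID can only ever hit its own domain
aaa server-group school-srv
  auth-server school-ldap
!
aaa server-group parish-srv
  auth-server parish-ldap
!
! An LDAP bind cannot verify MSCHAPv2, so terminate EAP on the controller
! and use PEAP with inner EAP-GTC (EAP-TLS would be the other option)
aaa authentication dot1x ldap-dot1x
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-gtc
!
! Two AAA profiles: same 802.1X settings, different server groups
aaa profile school-aaa
  authentication-dot1x ldap-dot1x
  dot1x-server-group school-srv
  dot1x-default-role authenticated
!
aaa profile parish-aaa
  authentication-dot1x ldap-dot1x
  dot1x-server-group parish-srv
  dot1x-default-role authenticated
!
! Two SSIDs, WPA2-Enterprise
wlan ssid-profile school-ssid
  essid "School"
  opmode wpa2-aes
!
wlan ssid-profile parish-ssid
  essid "Parish"
  opmode wpa2-aes
!
! Each virtual AP ties an SSID to its AAA profile and puts users in their own VLAN
wlan virtual-ap school-vap
  ssid-profile school-ssid
  aaa-profile school-aaa
  vlan 20
!
wlan virtual-ap parish-vap
  ssid-profile parish-ssid
  aaa-profile parish-aaa
  vlan 30
!
! The AP group advertises both virtual APs from the same radios
ap-group campus
  virtual-ap school-vap
  virtual-ap parish-vap
!
```

The two directories being on the same subnet does not matter here; what matters is that the controller can reach each one on 636/tcp and that the school group never lists the parish server (and vice versa), which is what keeps a student credential from ever being tried against the employee domain. Before touching a client, `aaa test-server pap school-ldap <user> <password>` from the controller CLI checks the bind and the user lookup on their own.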


Reply #2

We use this same setup; we have faculty, corp, student and guest SSIDs being broadcast. The student SSID goes to one domain and the faculty/corp goes to another. Although we use RADIUS instead of LDAP.

One thing I'm in the process of planning is a new deployment for our SSIDs to have just an SSID and a guest network. It will then try the first RADIUS server (a student RADIUS server), and if that fails it goes to the next (the corp/faculty RADIUS server).

The nice thing with this is there is less confusion about what to connect to and it cuts down the number of SSID advertisements you are doing!

1 comment


Mar 13, 2017 10:06 AM

I have a similar situation.

I have 5 different WLANs, all in different parts of the world, for my company.

They all used to be autonomous of each other and were never connected.

Now the customer wants to be able to travel with their laptop and have it work in all locations.

They all use 802.1X and have different root CAs.


So I can do a trust in ClearPass, or do fail-through on my controller.


Fail-through on controllers:

Doesn't seem scalable because of wait times to authenticate.

If I am a user from site #5, I have to wait for my laptop to get rejected by 4 other ClearPass servers, all in different countries (high latency).

But that is the easiest to configure. I am a big fan of keeping it simple...


What I am wondering is... can I have the controller determine which server it should authenticate with based on the client's request? (within the same AAA profile)



ClearPass trust:

Hardest to configure for me, so I am wary of doing it this way.

Each ClearPass server has a different root CA.

What is the best way to get them to authenticate?
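
Both the single-SSID plan in Reply #2 and the question in the comment above (pick the server from the client's request, inside one AAA profile) map onto the same ArubaOS object, the server group. The following is an added example written for this page, not configuration from either poster or from Aruba; server names, addresses, shared secrets and realm names are assumed placeholders. The first group is the fail-through approach; the second selects the server from the domain part of the username that the supplicant sends in its EAP outer identity, so a site-5 user is only ever forwarded to the site-5 ClearPass and never queues behind four rejections from the other sites.

```text
! One RADIUS entry per site (two shown; the other three follow the same pattern).
! Addresses and secrets are placeholders.
aaa authentication-server radius cppm-site1
  host 192.0.2.11
  key "ReplaceMe1"
!
aaa authentication-server radius cppm-site5
  host 198.51.100.15
  key "ReplaceMe5"
!
! Option A: fail-through. Servers are tried in order until one accepts.
! Simple, but an Access-Reject is normally final and fail-through overrides
! that, so a wrong password is replayed against every site and a far-away
! user waits on each reject before reaching the right server.
aaa server-group corp-failthrough
  auth-server cppm-site1
  auth-server cppm-site5
  allow-fail-through
!
! Option B: route by realm. An outer identity of user@site5.example.com goes
! straight to cppm-site5; no other server sees the request. Fail-through is
! left off so an identity with an unknown realm fails fast instead of being
! sprayed across all sites.
aaa server-group corp-by-realm
  auth-server cppm-site1 match-fqdn site1.example.com
  auth-server cppm-site5 match-fqdn site5.example.com
!
! Single 802.1X profile with termination left at its default (off), so the
! EAP exchange is passed through to whichever ClearPass was selected.
aaa authentication dot1x corp-dot1x
!
aaa profile corp-aaa
  authentication-dot1x corp-dot1x
  dot1x-server-group corp-by-realm
  dot1x-default-role authenticated
!
```

Two caveats. match-fqdn only works if the realm actually reaches the controller: a supplicant configured with a bare anonymous outer identity hides it, so clients need an outer identity of the form anonymous@site5.example.com (or their real username with the domain), and if a site's ClearPass expects bare usernames the `trim-fqdn` option on that auth-server line strips the realm before forwarding. Second, routing fixes the latency problem but not the trust problem raised in the comment: with EAP passed through, the laptop validates the EAP server certificate presented by the ClearPass it was routed to, so a roaming laptop has to trust every site's root CA (or the five ClearPass servers need server certificates issued from one CA the clients already trust), otherwise the TLS handshake fails no matter which server the controller picked.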