Controllerless Networks

Hi Friends,
Greetings
We are having aruba 500 Series cluster in our campus
I need to configure the Dynamic vlan assignment to the users based on their LDAP Groups
We are using FreeRADIUS with Google LDAP (EAP-TTLS-PAP)
Is it possible to configure the dynamic vlan assignment in the VC?
Similarly we need to implent the following restrictions based on the LDAP group
Maximum connection per LDAP Group. That means the all users in that group can make 1 or 2 connections concurrently with their credentials
Download and upload limit per day
Bandwidth limit per user group
Timings 
Can anyone guide me?
Thanks in advance...


------------------------------
THIRUNAVUKKARASU P
------------------------------

The requested functions should be performed from FreeRADIUS which will query LDAP and make policy decisions based on the results it receives.

Dynamic VLAN assignment can be performed by sending back either a radius-accept with the aruba-user-role attribute where the value of this attribute matches a Security Role configured on your Access Points (in this case the role has a VLAN assignment). Alternatively, you can use the industry standard radius-accept including the tunnel-type = VLAN, tunnel-medium-type = IEEE-802 and tunnel-private-group-id = the VLAN id you wish to put the client into.

See Configuring a User Role for VLAN Derivation
See Understanding VLAN Assignment - for the standard attributes method.

The logic of restricting 1 or 2 concurrent connections per user may be possible with FreeRADIUS. Try hunting for a user session limitation feature. These are features available in Aruba ClearPass.



Original Message:
Sent: Oct 24, 2021 02:24 AM
From: THIRUNAVUKKARASU P
Subject: Dynamic vlan and bandwidth - traffic shaping

Hi Friends,
Greetings
We are having aruba 500 Series cluster in our campus
I need to configure the Dynamic vlan assignment to the users based on their LDAP Groups
We are using FreeRADIUS with Google LDAP (EAP-TTLS-PAP)
Is it possible to configure the dynamic vlan assignment in the VC?
Similarly we need to implent the following restrictions based on the LDAP group
Maximum connection per LDAP Group. That means the all users in that group can make 1 or 2 connections concurrently with their credentials
Download and upload limit per day
Bandwidth limit per user group
Timings 
Can anyone guide me?
Thanks in advance...


------------------------------
THIRUNAVUKKARASU P
------------------------------

Hi,
Thanks for the reply....
Yes, I can configured the Dynamic vlan assignment in the FreeRADIUS by using the industry standards...
I am tried to configure the same type dynamic vlan assignment in the Virtual Controller...
But I failed to found the configurations for the LDAP Group based restrictions..
Is there anyway to configure it in the VC without the Clearpass?

------------------------------
THIRUNAVUKKARASU P
------------------------------

Original Message:
Sent: Oct 24, 2021 07:17 PM
From: Matthew Sutherland
Subject: Dynamic vlan and bandwidth - traffic shaping

The requested functions should be performed from FreeRADIUS which will query LDAP and make policy decisions based on the results it receives.

Dynamic VLAN assignment can be performed by sending back either a radius-accept with the aruba-user-role attribute where the value of this attribute matches a Security Role configured on your Access Points (in this case the role has a VLAN assignment). Alternatively, you can use the industry standard radius-accept including the tunnel-type = VLAN, tunnel-medium-type = IEEE-802 and tunnel-private-group-id = the VLAN id you wish to put the client into.

See Configuring a User Role for VLAN Derivation
See Understanding VLAN Assignment - for the standard attributes method.

The logic of restricting 1 or 2 concurrent connections per user may be possible with FreeRADIUS. Try hunting for a user session limitation feature. These are features available in Aruba ClearPass.



Original Message:
Sent: Oct 24, 2021 02:24 AM
From: THIRUNAVUKKARASU P
Subject: Dynamic vlan and bandwidth - traffic shaping

Hi Friends,
Greetings
We are having aruba 500 Series cluster in our campus
I need to configure the Dynamic vlan assignment to the users based on their LDAP Groups
We are using FreeRADIUS with Google LDAP (EAP-TTLS-PAP)
Is it possible to configure the dynamic vlan assignment in the VC?
Similarly we need to implent the following restrictions based on the LDAP group
Maximum connection per LDAP Group. That means the all users in that group can make 1 or 2 connections concurrently with their credentials
Download and upload limit per day
Bandwidth limit per user group
Timings 
Can anyone guide me?
Thanks in advance...


------------------------------
THIRUNAVUKKARASU P
------------------------------

Having the Virtual Controller do an LDAP lookup is a less robust solution than having an external RADIUS server for authentication. It is possible to do this however and a ClearPass server is not required.

EAP Offload allows you to terminate the EAP portion of 802.1X authentication on the Instant AP instead of the RADIUS server. LDAP can then be used in conjunction with EAP Offload to authenticate users.

See Configuring Security Settings for a WLAN SSID Profile for more information on EAP Offload.
See Supported EAP Authentication Frameworks and particularly the section about Authentication Termination on Instant AP.

I personally recommend using a RADIUS server over terminating the authentication on the AP. For more complex authentication scenarios where an AP would terminate EAP but still require an authentication server to verify credentials you are adding a step in the middle that is unnecessary in my opinion. RADIUS permits secure methods of EAP and authentication and is definitely more suited for enterprise networks.
Original Message:
Sent: Oct 25, 2021 08:31 AM
From: THIRUNAVUKKARASU P
Subject: Dynamic vlan and bandwidth - traffic shaping

Hi,
Thanks for the reply....
Yes, I can configured the Dynamic vlan assignment in the FreeRADIUS by using the industry standards...
I am tried to configure the same type dynamic vlan assignment in the Virtual Controller...
But I failed to found the configurations for the LDAP Group based restrictions..
Is there anyway to configure it in the VC without the Clearpass?

------------------------------
THIRUNAVUKKARASU P

Original Message:
Sent: Oct 24, 2021 07:17 PM
From: Matthew Sutherland
Subject: Dynamic vlan and bandwidth - traffic shaping

The requested functions should be performed from FreeRADIUS which will query LDAP and make policy decisions based on the results it receives.

Dynamic VLAN assignment can be performed by sending back either a radius-accept with the aruba-user-role attribute where the value of this attribute matches a Security Role configured on your Access Points (in this case the role has a VLAN assignment). Alternatively, you can use the industry standard radius-accept including the tunnel-type = VLAN, tunnel-medium-type = IEEE-802 and tunnel-private-group-id = the VLAN id you wish to put the client into.

See Configuring a User Role for VLAN Derivation
See Understanding VLAN Assignment - for the standard attributes method.

The logic of restricting 1 or 2 concurrent connections per user may be possible with FreeRADIUS. Try hunting for a user session limitation feature. These are features available in Aruba ClearPass.



Original Message:
Sent: Oct 24, 2021 02:24 AM
From: THIRUNAVUKKARASU P
Subject: Dynamic vlan and bandwidth - traffic shaping

Hi Friends,
Greetings
We are having aruba 500 Series cluster in our campus
I need to configure the Dynamic vlan assignment to the users based on their LDAP Groups
We are using FreeRADIUS with Google LDAP (EAP-TTLS-PAP)
Is it possible to configure the dynamic vlan assignment in the VC?
Similarly we need to implent the following restrictions based on the LDAP group
Maximum connection per LDAP Group. That means the all users in that group can make 1 or 2 connections concurrently with their credentials
Download and upload limit per day
Bandwidth limit per user group
Timings 
Can anyone guide me?
Thanks in advance...


------------------------------
THIRUNAVUKKARASU P
------------------------------

Hi,
Instant allows EAP termination for PEAP-GTC and PEAP-MS-CHAV2. PEAP-GTC termination allows authorization against a LDAP server and external RADIUS server while PEAP-MS-CHAV2 allows authorization against an external RADIUS server. Supported EAP Authentication Frameworks.
I don't know whether it is possible with EAP_TTLS_PAP. We are using Google Secure LDAP.
FreeRADIUS supports EAP-TTLS-PAP with Google LDAPs. 
As I know, connecting the VC with LDAPs is not possible (might not be correct!!!!!).
We are using the external RADIUS server (FreeRADIUS) and the RADIUS is connected with Google Secure LDAP over TLS/SSL. NPS is not supporting the Google Secure LDAP connection. 
In our campus we are having three clusters of IAPs. Two clusters at College Campus and one cluster is at Hostel campus. 
Our requirement is to implement restrictions on bandwidth, data and timings for students in VC and / or FreeRADIUS. 
Dynamic vlan assignment was done with FreeRADIUS. Now I am looking for the user-data control (LDAP-Group based)