On a remote site of our university, I'm trying to deploy a remote AP with the same SSIDs as we have on our central site.
One SSID is based on captive portal authentication. Students or staff connecting to this SSID get a simple web access.
The forward mode is tunnel, and the operation mode is standard.
The second SSID is based on 802.1X authentication, with roles derivation rules set up on the Server Group Profile.
The rules fix the user role according to the value of an attribute sent by a RADIUS server during authentication:
- if the attribute equals "student", the role for the user is set to student-role.
- if the attribute equals "staff", the role is set to staff-role.
In this case, the user gets more or less privileges according to his status (staff or student).
For each role, a different role VLAN ID is set, so that the user is placed in the proper VLAN to get his IP address.
- staff-role, vlan ID = 8,
- student-role, vlan ID = 10.
The forward mode setting for this VAP is bridge mode, and its operation mode is persistent. In case of a failure with our main controller, the connected users can still work on their local IT resources.
Both VLAN IDs 8 and 10 are set in the VAP Vlans.
The corresponding AP system profile for the RAP has the native VLAN set to 4, which is the VLAN on the remote site where all the network equipment is placed.
The port of the switch the RAP is plugged into is configured as a trunk for VLANs 8 and 10, with native VLAN set to 4.
When a user from the staff tries to connect to this SSID, he gets the correct role for the derivation rules: staff-role.
However, the IP address the user gets is from the student VLAN, and I don't understand why.
I've checked the configuration, and I don't see any reference of vlan 10 linked to staff-role.
The Aruba OS is 18.104.22.168.
Thanks for your help.
I assume a student user works as expected?
With your staff user in this state (i.e. in the wrong subnet/VLAN), do a "show user ip X.X.X.X" at the command line (where X.X.X.X is that user's IP).
Look for a line in the output like "Vlan default: 1234, Assigned: 1234, Current: 1234 vlan-how: 1 DP assigned vlan:0".
What does this show?
If that output also looks wrong, I think it's worth running an aaa-debug on the authentication to see what attributes are returned from the server. Just to be sure.
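To make the check above repeatable, here is an added helper (not code from either poster or from Aruba) that parses the "Vlan default / Assigned / Current" line from a pasted "show user ip" output and compares the Current VLAN with the VLAN the derived role should give. The role-to-VLAN map and the sample output are constructed from the values stated in this thread (staff-role = 8, student-role = 10); the line format is assumed to match the one quoted in the reply.

```python
import re

# Derivation rule as described in the thread: RADIUS attribute value -> role -> VLAN.
# Values are taken from the original post; anything else is constructed for this example.
ROLE_BY_ATTRIBUTE = {"staff": "staff-role", "student": "student-role"}
VLAN_BY_ROLE = {"staff-role": 8, "student-role": 10}

# Matches the line quoted in the reply:
# "Vlan default: 1234, Assigned: 1234, Current: 1234 vlan-how: 1 DP assigned vlan:0"
VLAN_LINE = re.compile(
    r"Vlan default:\s*(?P<default>\d+),\s*Assigned:\s*(?P<assigned>\d+),"
    r"\s*Current:\s*(?P<current>\d+)\s*vlan-how:\s*(?P<how>\d+)"
    r"\s*DP assigned vlan:\s*(?P<dp>\d+)"
)


def parse_vlan_line(output):
    """Extract the VLAN fields from 'show user ip' output; None if the line is absent."""
    m = VLAN_LINE.search(output)
    if not m:
        return None
    return {name: int(value) for name, value in m.groupdict().items()}


def derive_role(attribute_value):
    """Apply the server-group derivation rule; unknown attribute values get no role."""
    return ROLE_BY_ATTRIBUTE.get(attribute_value)


def check_user(attribute_value, show_user_output):
    """Compare the VLAN the controller reports with the VLAN the derived role should give."""
    role = derive_role(attribute_value)
    fields = parse_vlan_line(show_user_output)
    if role is None or fields is None:
        return {"role": role, "ok": False, "reason": "no role derived or VLAN line missing"}
    expected = VLAN_BY_ROLE[role]
    return {"role": role, "expected_vlan": expected,
            "current_vlan": fields["current"], "ok": fields["current"] == expected,
            "fields": fields}


# Constructed sample reproducing the symptom in the thread: a staff user ends up in VLAN 10.
SAMPLE_OUTPUT = (
    "(constructed header line, not real controller output)\n"
    "Vlan default: 8, Assigned: 10, Current: 10 vlan-how: 1 DP assigned vlan:0\n"
)

if __name__ == "__main__":
    print(check_user("staff", SAMPLE_OUTPUT))
```

A mismatch between Assigned/Current and the role's VLAN points at the derivation or VAP VLAN configuration; a missing line means the user entry was not found and the IP should be rechecked first.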
Support for Bridge Mode VLAN derivation began in ArubaOS 6.1 and above: It is not supported in your version of ArubaOS. Attached are the 6.1 release notes.
What an excellent point CJ! v5 is a bit old, as is my memory of it clearly!
Thanks for your reply.
I shall be patient, we will be normally upgrading to version 6 this year.