Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

VLAN / Role Assignment after Authentication

  • 1.  VLAN / Role Assignment after Authentication

    Posted May 30, 2013 04:58 AM

    Can we assign a specific VLAN to users based on SSID, location, client MAC etc. if the users are authenticated by MAC-based authentication or Captive Portal authentication with the internal server?

     

     "Before client authentication, the VLAN can be derived from rules based on client attributes (SSID, BSSID, client MAC, location, and encryption type). A rule that derives a specific VLAN takes precedence over a rule that derives a user role that may have a VLAN configured for it"

     

    What if we want to assign a specific role to the user, since the user is authenticated based on MAC address or Captive Portal with the internal server?



  • 2.  RE: VLAN / Role Assignment after Authentication

    Posted May 30, 2013 08:28 AM

    If you want to derive the vlan or role before authentication, you use the user derivation rules. These rules can use the following for deriving the vlan or role:

    • BSSID
    • ESSID
    • Location
    • User MAC
    • Encryption-type
    • DHCP opt 77

    If you wish to derive the vlan or role with the authentication, you should use the server derivation rules.

    There are a ton of conditions to test against, including MAC address or, for example, attributes returned from a RADIUS server during the authentication process.



  • 3.  RE: VLAN / Role Assignment after Authentication

    Posted Jun 03, 2013 04:24 AM
    Thanks for your response.

    Please note we don't have any external server available. How do we configure server rules? Please verify.


  • 4.  RE: VLAN / Role Assignment after Authentication

    Posted Jun 03, 2013 08:06 AM
    If you want to specify a vlan, you'll need to use mac auth, as you typically can't change the vlan after the initial auth is completed (without something like ClearPass). When you do this, you can add roles into the mac accounts on the internal db, then specify a vlan within the role itself. Then just set the server group to derive the roles from the account details.

    If you just want to specify a role, simply do the same thing, but omit the vlan number in the role.
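    Putting the advice from posts 2 and 4 together as one worked ArubaOS CLI configuration. This is an added example, not configuration from anyone in the thread; the role, VLAN, ACL, profile and rule names, the SSID "Guest", the AP name "lab-ap-01" and the client MAC 00:11:22:33:44:55 are all made up, and the syntax follows ArubaOS 6.x (check it against your release). Lines starting with `!` are annotations for the reader, not commands. The MAC authentication profile is assumed to use no delimiter and lower case, which is why the internal-db username and password are written as `001122334455`.

```arubaos
! 1. Roles. The VLAN lives inside the role (as post 4 suggests), so a role
!    derived from the internal db also lands the client in the right VLAN.
!    The ACL is an assumed, deliberately narrow one; tune it to the site.
ip access-list session acl-printer
  user any svc-dhcp permit
  user any svc-dns permit
  any user tcp 631 permit
!
user-role iot-printer
  vlan 20
  access-list session acl-printer
!
user-role guest-portal
  vlan 30
  access-list session allowall

! 2. Internal db account for MAC authentication. Username AND password are
!    the client MAC in the form the MAC auth profile expects (no delimiter,
!    lower case); the role is stored on the account itself.
local-userdb add username 001122334455 password 001122334455 role iot-printer

! 3. MAC auth profile plus a server group that points at the internal db.
!    The server rule "Role value-of" makes the controller take the role
!    from the account's Role attribute after authentication (post 4).
aaa authentication mac mac-auth-int
  delimiter none
  case lower
!
aaa server-group sg-internal-mac
  auth-server Internal
  set role condition Role value-of

! 4. Pre-authentication user derivation rules (post 2): evaluated before
!    any authentication, from attributes the client cannot earn, only present.
aaa derivation-rules user udr-branch
  set role condition essid equals "Guest" set-value guest-portal
  set vlan condition location equals "lab-ap-01" set-value 99

! 5. Tie everything together in the AAA profile attached to the SSID's
!    virtual AP. Unknown MACs fall back to mac-default-role.
aaa profile aaa-mac-internal
  initial-role logon
  authentication-mac mac-auth-int
  mac-server-group sg-internal-mac
  mac-default-role guest-portal
  user-derivation-rules udr-branch
```

    To check the result, look at the Role and VLAN columns of `show user` for the client, `show local-userdb` for the stored role, and `show rights iot-printer` for the VLAN the role carries. Two caveats follow from the thread: the quoted documentation in post 1 says a user rule that sets a VLAN (step 4) wins over a role that carries a VLAN, so a client on lab-ap-01 ends up in VLAN 99 even if its role says 20; and, as post 4 notes, the VLAN is fixed at the initial authentication, so a later role change will not move the client. Finally, a MAC address is a spoofable identifier, so treat a role granted purely on MAC authentication as low trust and keep its ACL to the minimum the device needs.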


  • 5.  RE: VLAN / Role Assignment after Authentication

    Posted Jun 05, 2013 02:15 AM
    I'm sorry, but I don't understand you; my English isn't very good, my bad.

    Can you please provide me screenshots or a CLI configuration sample to understand the concept?

    Thank you so much for your support.


  • 6.  RE: VLAN / Role Assignment after Authentication

    Posted Jun 05, 2013 11:46 AM
    (controller) (config) #aaa derivation-rules user test
    (controller) (user-rule) #set ?
    role                    The action of the rule is to set to role
    vlan                    The action of the rule is to set to vlan
    
    (controller) (user-rule) #set role ?
    condition               Condition that should be checked to derive role/VLAN
    
    (controller) (user-rule) #set role condition ?
    bssid                   BSSID of access point
    dhcp-option             Enable DHCP option processing
    dhcp-option-77          Enable DHCP option 77 processing
    encryption-type         Encryption method used by station
    essid                   ESSID of access point
    location                user location (ap name)
    macaddr                 MAC address of user

     

     

    [Screenshot: rule.png]



  • 7.  RE: VLAN / Role Assignment after Authentication

    Posted Jun 10, 2013 03:21 AM
    Nice Info, Thank You