Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

force static vlan

  • 1.  force static vlan

    Posted Apr 19, 2021 12:58 PM
    Hello,
    I configured an SSID with WPA2 + AES and 802.1x security on my IAP505 Aruba Access Points.
    I have to use an external (not managed by our team) RADIUS server to authenticate my clients.
    The problem is that this RADIUS server is used by the other company to assign laptops to several VLANs.
    We don't have these VLANs and just want to assign them to a static one.

    Question: how to force this SSID onto a static VLAN (and ignore the answer of the RADIUS server)?
    Thanks

    Pierrick

    ------------------------------
    info subatech
    ------------------------------


  • 2.  RE: force static vlan

    MVP
    Posted Apr 20, 2021 07:39 AM
    I believe that could be done through server rules in the authentication server group. I have not used that since before AOS8 though.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 3.  RE: force static vlan

    Posted Apr 20, 2021 07:53 AM
    There is no "server group" notion with Aruba Instant 8.7.

    Pierrick

    ------------------------------
    info subatech
    ------------------------------



  • 4.  RE: force static vlan

    MVP
    Posted Apr 20, 2021 08:01 AM
    Sorry, I missed that this is Instant. I have not set up RADIUS authentication in Instant. RADIUS is usually used in large companies and Instant in very small ones.
    What information is returned by the RADIUS server? If it is an Aruba user-role, the IAP determines the VLAN.

    If a VLAN name is returned, perhaps VLAN mapping could map that name to a VLAN ID.


    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 5.  RE: force static vlan

    Posted Apr 20, 2021 08:13 AM
    IAP is enough for our 3 buildings (-;
    The external RADIUS answer is a VLAN. But as I said before, we don't have such VLANs.
    I tried to map any of the answers with Tunnel-private-group-id not equal to 99999 to our VLAN.
    But it didn't work anymore ...

    Pierrick


    ------------------------------
    info subatech
    ------------------------------



  • 6.  RE: force static vlan

    MVP
    Posted Apr 20, 2021 08:23 AM
    What exactly does it return? There is no RADIUS attribute for VLAN Id. One generic way is to use filter-id.

    Some wired switches use a different group of IETF attributes. Here for our Cisco switches we return a VLAN name.

    Your Aruba SE or VAR should be able to assist.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 7.  RE: force static vlan

    Posted Apr 20, 2021 08:40 AM
    The "Tunnel-private-group-id" response is given by the external RADIUS server. The other company uses it for the VLAN assignment.

    Pierrick

    ------------------------------
    info subatech
    ------------------------------



  • 8.  RE: force static vlan

    MVP
    Posted Apr 20, 2021 09:51 AM
    Do they supply a VLAN Name or ID? As previously stated, if a name perhaps you can use VLAN mapping.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 9.  RE: force static vlan

    Posted Apr 20, 2021 09:57 AM
    Unfortunately, it's just the VLAN's ID )-:
    Pierrick

    ------------------------------
    info subatech
    ------------------------------



  • 10.  RE: force static vlan

    MVP
    Posted Apr 20, 2021 10:04 AM
    What might be worth a try is to set a static VLAN on the network SSID.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 11.  RE: force static vlan

    Posted Apr 20, 2021 10:15 AM
    Of course, this was the first thing I did. But the RADIUS response is stronger (-;
    Pierrick

    ------------------------------
    info subatech
    ------------------------------



  • 12.  RE: force static vlan

    MVP
    Posted Apr 20, 2021 10:20 AM
    Sorry, I have not used RADIUS servers with IAP.

    The only way I can think of is to set up your own RADIUS server (FreeRADIUS perhaps?), proxy the authentication to the corporate RADIUS servers but set the authorization to the desired VLAN ID.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------
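
The attribute rewrite that the proxy suggested in post 12 would apply to each Access-Accept, as an added example that is not part of the original thread: the home server's RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) are dropped and a fixed VLAN is put in their place. The sample bytes and the VLAN numbers 310 and 20 are constructed; a real proxy must also recompute the Response Authenticator and Message-Authenticator with its own shared secret, which this sketch leaves out.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # RFC 3580 values used for VLAN assignment
TUNNEL_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}

# Constructed sample: attribute section of an Access-Accept from the home
# server (User-Name "alice", tunnel attributes with tag 1, VLAN "310").
SAMPLE = bytes.fromhex("0107616c696365" "40060100000d" "410601000006" "510601333130")

def parse_attributes(data):
    """Split a RADIUS attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def encode_attributes(attrs):
    """Serialise (type, value) pairs back into type/length/value bytes."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def vlan_from(attrs):
    """Return the VLAN ID string in Tunnel-Private-Group-ID, or None."""
    for atype, value in attrs:
        if atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868 tag byte (0x01-0x1F; 0x00 is also treated as a tag here)
            if value[0] <= 0x1F:
                value = value[1:]
            return value.decode("ascii")
    return None

def force_vlan(attrs, vlan_id):
    """Drop the home server's tunnel attributes and append a fixed, untagged VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    kept = [(t, v) for t, v in attrs if t not in TUNNEL_ATTRS]
    kept.append((TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big")))
    kept.append((TUNNEL_MEDIUM_TYPE, b"\x00" + IEEE_802.to_bytes(3, "big")))
    kept.append((TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii")))
    return kept

if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE)
    print("home server VLAN:", vlan_from(attrs))
    print("rewritten:", encode_attributes(force_vlan(attrs, 20)).hex())
```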



  • 13.  RE: force static vlan

    Posted Apr 20, 2021 10:39 AM
    I'm thinking of a proxy RADIUS server as a final solution.
    It's too bad that IAP can't do this directly!

    Thanks a lot for your help
    Pierrick

    ------------------------------
    info subatech
    ------------------------------



  • 14.  RE: force static vlan

    EMPLOYEE
    Posted Apr 26, 2021 06:19 AM
    You may try if the following will work with Dynamic VLAN assignment:
    Did not try myself, but it may work. It's checking that the VLAN ID is not 9999 (which is never the case as that VLAN number does not exist).


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 15.  RE: force static vlan

    Posted Apr 26, 2021 06:28 AM
    I tried this too. Unfortunately, it didn't work.
    Maybe it's a bug from IAP 8.7.1.3. My Aruba Partner will open a ticket about this.

    Cheers
    Pierrick

    ------------------------------
    info subatech
    ------------------------------