User roles would indeed be the way to do this... good that you found that.
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jul 08, 2024 05:17 AM
From: chris.nottenkaemper
Subject: Aruba IAP - dot1x tagged / untagged vlan
Couldn't really get it to work. I used local user roles instead now. This works fine for me.
The NPS is now just sending the VSA and the switch assigns the role to the port.
Thanks again for your time.
VSA config in NPS:
Vendor Code: 14823
Attribute Number: 1
Format: String
Value: rolename
Switch config:
port-access role rolename
vlan trunk native ID
vlan trunk allowed ID1,ID2,ID3
auth-mode device-mode
Best Regards
Chris
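The mechanism Chris describes, NPS returning the Aruba VSA (vendor code 14823, attribute number 1, format string) and the switch mapping that string onto a locally defined port-access role, can be verified offline by decoding what the RADIUS server actually puts in the Access-Accept. The following is an added example, not code from this thread, from Aruba or from Microsoft: a small Python decoder for the attribute section of a RADIUS Access-Accept that extracts the Aruba user-role VSA and, for comparison, the standard Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes (RFC 2868) that only carry the single untagged VLAN Chris mentions in the original question. The attribute numbers 26, 64, 65 and 81 come from RFC 2865/2868; the name "Aruba-User-Role" for VSA 1 is the usual dictionary name and is assumed here rather than stated in the post. The attribute blob it runs on is constructed inline.

```python
"""Decode RADIUS Access-Accept attributes and pull out the Aruba user-role VSA.
Added example, not code from the thread. The sample packet bytes are constructed."""
import struct

ARUBA_VENDOR_ID = 14823            # vendor code from the NPS config in the post
ARUBA_USER_ROLE = 1                # attribute number from the post (Aruba-User-Role, string)
ATTR_VENDOR_SPECIFIC = 26          # RFC 2865
ATTR_TUNNEL_TYPE = 64              # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65       # RFC 2868
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868, carries the (single) VLAN id/name


def parse_attributes(data: bytes):
    """Split a RADIUS attribute blob into (type, value) pairs.
    Each attribute is 1-byte type, 1-byte length (header included), value."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, payload), ...])."""
    if len(value) < 4:
        raise ValueError("VSA shorter than its vendor-id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated VSA sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("bad VSA sub-attribute length")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def _tagged_int(val: bytes) -> int:
    """RFC 2868 integer: 1 tag byte followed by a 3-byte value."""
    if len(val) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return int.from_bytes(val[1:], "big")


def extract_access_accept(data: bytes) -> dict:
    """Return the role and VLAN information a switch would act on."""
    result = {"aruba_user_role": None, "tunnel_type": None,
              "tunnel_medium": None, "tunnel_vlan": None}
    for atype, val in parse_attributes(data):
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor, subs = parse_vsa(val)
            if vendor != ARUBA_VENDOR_ID:
                continue  # some other vendor's VSA; the CX switch ignores it
            for vtype, payload in subs:
                if vtype == ARUBA_USER_ROLE:
                    result["aruba_user_role"] = payload.decode("ascii")
        elif atype == ATTR_TUNNEL_TYPE:
            result["tunnel_type"] = _tagged_int(val)
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            result["tunnel_medium"] = _tagged_int(val)
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte in 0x00..0x1f is a tag, not part of the VLAN string
            if val and val[0] <= 0x1F:
                val = val[1:]
            result["tunnel_vlan"] = val.decode("ascii")
    return result


def is_malformed(data: bytes) -> bool:
    """True when the blob fails length validation (used to show the checks bite)."""
    try:
        parse_attributes(data)
        return False
    except ValueError:
        return True


# ---- constructed sample: what NPS would send for the policy in the post ----
def build_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_aruba_role_vsa(role: str) -> bytes:
    sub = bytes([ARUBA_USER_ROLE, len(role) + 2]) + role.encode("ascii")
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)


SAMPLE_ACCEPT = (
    build_aruba_role_vsa("rolename")                                  # the VSA from the post
    + build_attr(ATTR_TUNNEL_TYPE, bytes([0, 0, 0, 13]))              # 13 = VLAN
    + build_attr(ATTR_TUNNEL_MEDIUM_TYPE, bytes([0, 0, 0, 6]))        # 6 = IEEE-802
    + build_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + b"100")   # tag 0, untagged VLAN 100
)

if __name__ == "__main__":
    print(extract_access_accept(SAMPLE_ACCEPT))
```

To use it on a real Access-Accept, feed in the bytes after the 20-byte RADIUS header (code, identifier, length, authenticator) and compare the decoded role string with the name given to `port-access role` on the switch: a typo in the NPS value or a VSA for the wrong vendor id is exactly the case where the port silently lands in the default role instead of the intended one. The length checks raise on a malformed blob rather than skipping it, which is what you want when the decoder is used for troubleshooting.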
Original Message:
Sent: Jul 08, 2024 03:17 AM
From: chris.nottenkaemper
Subject: Aruba IAP - dot1x tagged / untagged vlan
Hi Jonas,
thanks a lot for your response. I will test it and send feedback in this thread. :)
Best Regards
Chris
Original Message:
Sent: Jul 05, 2024 11:32 AM
From: jonas.hammarback
Subject: Aruba IAP - dot1x tagged / untagged vlan
Hi Chris
I have never configured this on CX without ClearPass and Downloadable User Roles. But I found this:
https://www.arubanetworks.com/techdocs/AOS-S/16.10/ASG/KB/content/asg%20kb/tag-untag-vla-att.htm
Maybe it can guide you.
The link below is for AOS switches, if someone needs the information on this switch family:
https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=98535679-1bba-4952-9e00-cffd2638487d&CommunityKey=2fd943a6-8898-4dbe-915f-4f09e4d3c317&tab=librarydocuments
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jul 05, 2024 06:00 AM
From: chris.nottenkaemper
Subject: Aruba IAP - dot1x tagged / untagged vlan
Hello together,
I need advice on how to approach this the best practice way.
I have the following scenario.
We are currently implementing NAC for our network.
I've configured aaa dot1x on our CX switch and receive policies for our clients (which VLAN is assigned and so on).
Now I want to do the same with our WiFi.
I want the AccessPoint to authenticate on the switch like the clients and the clients authenticate over the AccessPoint.
I wanted to use auth-mode device-mode for this case. So far so good.
But we use different VLANs for our users and I need to assign tagged vlans to an authenticated AccessPoint.
Currently I can't find the correct RADIUS Attributes or VSAs for this. I'm only able to assign one untagged vlan for the AccessPoint, but the Clients get a different VLAN in the SSID.
Do you know how to solve this? We are currently using Microsoft NPS as RADIUS solution (maybe ClearPass in the future).
If someone has an advice for me, it would be great. :)
Thanks a lot in advance.
Best Regards
Chris