Cloud Managed Networks


central dynamic vlan assignment based on client role

  • 1.  central dynamic vlan assignment based on client role

    Posted 14 days ago
    Hi all,

    I am configuring a WLAN with enterprise authentication with dynamic VLAN assignment based on client role, and the role is assigned by the Domain User Group.

    In wlan > VLANs
    I use Traffic forwarding mode = Bridge

    In wlans > Access
    I use Access rules = Roles Based with Rule Type = VLAN Assignment



    Please, what should I use in wlan > VLANs as Client VLAN Assignment?

    Should I use Dynamic, and what attribute?

    Thank you




  • 2.  RE: central dynamic vlan assignment based on client role

    EMPLOYEE
    Posted 14 days ago
    Is the WLAN for dot1x auth or PSK?
    If it's for dot1x auth, then you need a RADIUS server, and that RADIUS server can send an Aruba VSA called aruba-user-role, which should match the user-role that you can configure for the APs. Then that user-role can have VLAN assignment, ACLs, bandwidth contracts, etc.

    This is for your reference:
    https://www.arubanetworks.com/techdocs/central/latest/content/aos10x/cfg/cfg-vlan-bridge.htm

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: central dynamic vlan assignment based on client role

    Posted 10 days ago
    Hi,

    I use Microsoft Azure (on Cloud) as the RADIUS server, and the authentication is working properly.

    Now I am working on VLAN assignment.


  • 4.  RE: central dynamic vlan assignment based on client role

    EMPLOYEE
    Posted 10 days ago
    If you got your RADIUS working, then you can send the Aruba VSA attribute "Aruba-User-Role", which would match the user-role that you have configured for the IAPs, and that user-role has a VLAN assignment.

    Also note that you can use the "Aruba-User-Vlan" attribute as well.




  • 5.  RE: central dynamic vlan assignment based on client role

    Posted 8 days ago

    Hi Ariyap,

    thank you for your answer.

    Could you please clarify what you use in wlan > VLANs as Client VLAN Assignment?

    Do you use Dynamic?


    Thank you




  • 6.  RE: central dynamic vlan assignment based on client role

    Posted 8 days ago
    You can set up rules independent of authentication servers. For example, you can use this in a PSK SSID to separate one MAC address or MAC vendor OUI into a different VLAN, without any RADIUS server.


    ------------------------------
    Thanks,
    Bjarne
    ------------------------------



  • 7.  RE: central dynamic vlan assignment based on client role

    Posted 8 days ago
    > also note that you can use "Aruba-User-Vlan" attribute as well.

    We wanted to do that with AOS10 tunneled WLAN, but the gateway logs the following when the Aruba-User-Vlan VSA is included in the Access-Accept:
    Jan 24 11:35:18 2023 :121003:  <3966> <ERRS> |radproxy| |aaa| Discarding unknown response from server

    Without it, the connection works.

    We are now testing the Aruba-User-Role VSA for tunneled AOS10.

    Do you know if there is a list of supported VSAs for tunneled AOS10? I couldn't find one in the documentation.



    ------------------------------
    Thanks,
    Bjarne
    ------------------------------
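
Added example, not part of any post in this thread: a small Python decoder for checking which Aruba VSAs (Aruba-User-Role, Aruba-User-Vlan) a RADIUS server actually places in the attribute section of an Access-Accept, for instance bytes copied from a packet capture. The vendor ID 14823 and sub-attribute numbers 1 and 2 are taken from the public FreeRADIUS Aruba dictionary, not from the thread; the role name, VLAN ID and sample bytes are constructed.

```python
import struct

ARUBA_VENDOR_ID = 14823  # Aruba enterprise number (FreeRADIUS dictionary.aruba)
# Sub-attribute numbers and types from the same dictionary (assumption, not from the thread)
ARUBA_VSAS = {1: ("Aruba-User-Role", "string"), 2: ("Aruba-User-Vlan", "integer")}

def vsa(vendor_type, value):
    """Encode one Vendor-Specific (type 26) attribute with a single Aruba sub-attribute."""
    data = value.encode() if isinstance(value, str) else struct.pack("!I", value)
    sub = bytes([vendor_type, len(data) + 2]) + data
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return bytes([26, len(body) + 2]) + body

def aruba_vsas(attrs):
    """Walk RADIUS attribute TLVs and return {name: value} for every Aruba VSA found."""
    found, i = {}, 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError(f"bad attribute length at offset {i}")
        value = attrs[i + 2:i + a_len]
        i += a_len
        if a_type != 26 or len(value) < 6:
            continue  # not a Vendor-Specific attribute
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue  # VSA from another vendor
        j = 4
        while j + 2 <= len(value):
            v_type, v_len = value[j], value[j + 1]
            if v_len < 2 or j + v_len > len(value):
                raise ValueError("bad vendor sub-attribute length")
            raw = value[j + 2:j + v_len]
            j += v_len
            name, kind = ARUBA_VSAS.get(v_type, (f"Aruba-Unknown-{v_type}", "string"))
            if kind == "integer" and len(raw) == 4:
                found[name] = struct.unpack("!I", raw)[0]
            else:
                found[name] = raw.decode("utf-8", "replace")
    return found

# Constructed sample (not a real capture): Service-Type=Framed plus two Aruba VSAs.
SAMPLE = bytes([6, 6, 0, 0, 0, 2]) + vsa(1, "employee") + vsa(2, 120)

if __name__ == "__main__":
    print(aruba_vsas(SAMPLE))
```

The role string returned here has to match the user-role name configured in Central exactly for the role-based VLAN assignment described in posts 2 and 4 to apply.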