Cloud Managed Networks


Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications

central dynamic vlan assignment based on client role

  • 1.  central dynamic vlan assignment based on client role

    Posted Jan 19, 2023 12:55 PM
    Hi all,

    I am configuring a WLAN with enterprise authentication and dynamic VLAN assignment based on client role, and the role is assigned by the Domain User Group.

    In wlan > VLANs
    I use Traffic forwarding mode = Bridge

    In wlans > Access
    I use Access rules = Roles Based with Rule Type = VLAN Assignment


    Please, what should I use in wlan > VLANs as Client VLAN Assignment?

    Should I use Dynamic? And what attribute?

    Thank you




  • 2.  RE: central dynamic vlan assignment based on client role

    EMPLOYEE
    Posted Jan 19, 2023 05:33 PM
    Is the WLAN for dot1x auth or PSK?
    If it's for dot1x auth, then you need a RADIUS server, and that RADIUS server can send the Aruba VSA called aruba-user-role, which should match the user-role that you can configure for the APs. Then that user-role can have VLAN assignment, ACLs, bandwidth contracts, etc.

    This is for your reference:
    https://www.arubanetworks.com/techdocs/central/latest/content/aos10x/cfg/cfg-vlan-bridge.htm

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: central dynamic vlan assignment based on client role

    Posted Jan 23, 2023 05:02 AM
    Hi,

    I use Microsoft Azure (on Cloud) as the RADIUS server, and the authentication is working properly.

    Now I am working on VLAN assignment.


  • 4.  RE: central dynamic vlan assignment based on client role

    EMPLOYEE
    Posted Jan 23, 2023 05:11 PM
    If you got your RADIUS working, then you can send the Aruba VSA attribute "Aruba-User-Role", which would match the user-role that you have configured for the IAPs, and that user-role has a VLAN assignment.

    Also note that you can use the "Aruba-User-Vlan" attribute as well.




  • 5.  RE: central dynamic vlan assignment based on client role

    Posted Jan 25, 2023 04:15 AM

    Hi Ariyap,

    thank you for your answer.

    Could you please clarify what you use in wlan > VLANs as Client VLAN Assignment?

    Do you use Dynamic?


    Thank you




  • 6.  RE: central dynamic vlan assignment based on client role

    Posted Jan 25, 2023 05:10 AM
    You can set up rules independent of authentication servers. For example, you can use this in a PSK SSID to separate one MAC address or MAC vendor OUI into a different VLAN, without any RADIUS server.


    ------------------------------
    Thanks,
    Bjarne
    ------------------------------



  • 7.  RE: central dynamic vlan assignment based on client role

    Posted Jan 25, 2023 05:07 AM
    > also note that you can use "Aruba-User-Vlan" attribute as well.

    We wanted to do that with AOS10 tunneled WLAN, but the gateway logs the following when the Aruba-User-Vlan VSA is included in the Access-Accept:
    Jan 24 11:35:18 2023 :121003:  <3966> <ERRS> |radproxy| |aaa| Discarding unknown response from server

    Without it, the connection works.

    We are now testing the Aruba-User-Role VSA for tunneled AOS10.

    Do you know if there is a list of supported VSAs for tunneled AOS10? I couldn't find one in the documentation.



    ------------------------------
    Thanks,
    Bjarne
    ------------------------------
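
The Aruba-User-Role and Aruba-User-Vlan attributes discussed in this thread travel inside RADIUS attribute 26 (Vendor-Specific). As an added example, not part of any post above and not HPE Aruba code, this Python block builds and decodes them so you can check what a RADIUS server actually places in an Access-Accept. It assumes Aruba's enterprise number 14823 and sub-types 1 (Aruba-User-Role, string) and 2 (Aruba-User-Vlan, integer) as in the commonly distributed Aruba RADIUS dictionary; the user name, role name and VLAN ID are constructed sample values.

```python
import struct

ARUBA_VENDOR_ID = 14823      # assumed: Aruba's IANA enterprise number
VENDOR_SPECIFIC = 26         # RADIUS attribute type, RFC 2865 section 5.26
VENDOR_BYTES = struct.pack("!I", ARUBA_VENDOR_ID)
ARUBA_VSAS = {1: ("Aruba-User-Role", "string"), 2: ("Aruba-User-Vlan", "integer")}


def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute holding a single Aruba sub-attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = bytes([vendor_type, 2 + len(data)]) + data
    body = VENDOR_BYTES + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def decode_aruba_vsas(attrs):
    """Walk a RADIUS attribute list and return {name: value} for Aruba VSAs."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError(f"bad attribute length at offset {i}")
        value = attrs[i + 2:i + a_len]
        i += a_len
        if a_type != VENDOR_SPECIFIC or value[:4] != VENDOR_BYTES:
            continue             # not a VSA, or another vendor's VSA
        j = 4
        while j + 2 <= len(value):
            v_type, v_len = value[j], value[j + 1]
            if v_len < 2 or j + v_len > len(value):
                raise ValueError("bad Aruba sub-attribute length")
            raw = value[j + 2:j + v_len]
            j += v_len
            name, kind = ARUBA_VSAS.get(v_type, (f"Aruba-Unknown-{v_type}", "string"))
            if kind == "integer":
                if len(raw) != 4:
                    raise ValueError(f"{name} must be a 4-byte integer")
                found[name] = int.from_bytes(raw, "big")
            else:
                found[name] = raw.decode("utf-8", "replace")
    return found


# Constructed sample: the attribute bytes of an Access-Accept (after the 20-byte header).
SAMPLE = (bytes([1, 5]) + b"bob"          # User-Name, constructed
          + encode_vsa(1, "employee")     # hypothetical role name
          + encode_vsa(2, 120))           # hypothetical VLAN ID
print(decode_aruba_vsas(SAMPLE))
```

The role string returned here is what has to match the user-role name configured on the APs, so decoding a captured Access-Accept this way shows whether the server is sending the role, the VLAN, or both.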