Cloud Managed Networks

  • 1.  central dynamic vlan assignment based on client role

    Posted Jan 19, 2023 12:55 PM
    Hi all,

    I am configuring a WLAN with enterprise authentication and dynamic VLAN assignment based on client role, and the role is assigned by the Domain User Group.

    In wlan > VLANs
    I use Traffic forwarding mode = Bridge

    In wlans > Access
    I use Access rules = Roles Based with Rule Type = VLAN Assignment



    Please, what should I use in wlan > VLANs as Client VLAN Assignment?

    Should I use Dynamic, and what attribute?

    Thank you




  • 2.  RE: central dynamic vlan assignment based on client role

    Posted Jan 19, 2023 05:33 PM
    Is the WLAN for dot1x auth or PSK?
    If it's for dot1x auth, then you need a RADIUS server, and that RADIUS server can send the Aruba VSA called aruba-user-role, which should match the user-role that you can configure for the APs. Then that user-role can have VLAN assignment, ACLs, bandwidth contracts, etc.

    this is for your reference
    https://www.arubanetworks.com/techdocs/central/latest/content/aos10x/cfg/cfg-vlan-bridge.htm

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: central dynamic vlan assignment based on client role

    Posted Jan 23, 2023 05:02 AM
    Hi,

    I use Microsoft Azure (in the cloud) as the RADIUS server; the authentication is working properly.

    Now I am working on VLAN assignment.


  • 4.  RE: central dynamic vlan assignment based on client role

    Posted Jan 23, 2023 05:11 PM
    If you got your RADIUS working, then you can send the Aruba VSA attribute "Aruba-User-Role", which would match the user-role that you have configured for the IAPs, and that user-role has a VLAN assignment.

    Also note that you can use the "Aruba-User-Vlan" attribute as well.

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: central dynamic vlan assignment based on client role

    Posted Jan 25, 2023 04:15 AM

    Hi Ariyap,

    Thank you for your answer.

    Could you please clarify what you use in wlan > VLANs as Client VLAN Assignment?

    Do you use Dynamic?


    Thank you




  • 6.  RE: central dynamic vlan assignment based on client role

    Posted Jan 25, 2023 05:10 AM
    You can set up rules independent of authentication servers. For example, you can use this in a PSK SSID to separate one MAC address or MAC vendor OUI into a different VLAN, without any RADIUS server.


    ------------------------------
    Thanks,
    Bjarne
    ------------------------------



  • 7.  RE: central dynamic vlan assignment based on client role

    Posted Jan 25, 2023 05:07 AM
    > also note that you can use "Aruba-User-Vlan" attribute as well.

    We wanted to do that with AOS10 tunneled WLAN, but the gateway logs the following when the Aruba-User-Vlan VSA is included in the Access-Accept:
    Jan 24 11:35:18 2023 :121003:  <3966> <ERRS> |radproxy| |aaa| Discarding unknown response from server

    Without it the connection works.

    We are now testing the Aruba-User-Role VSA for tunneled AOS10.

    Do you know if there is a list of supported VSAs for tunneled AOS10? I couldn't find one in the documentation.



    ------------------------------
    Thanks,
    Bjarne
    ------------------------------
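
Added example, not part of any post in this thread: a decoder for the attribute section of a RADIUS Access-Accept that shows which Aruba VSAs (Aruba-User-Role, Aruba-User-Vlan) the server actually sent, as discussed in posts 4 and 7. It assumes the RFC 2865 Vendor-Specific layout, Aruba's enterprise number 14823, and the sub-attribute numbers from the FreeRADIUS Aruba dictionary; the role name `employee`, VLAN 20 and the sample bytes are constructed.

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type
ARUBA_VENDOR_ID = 14823       # Aruba's IANA enterprise number
# Sub-attribute numbers as listed in the FreeRADIUS Aruba dictionary
ARUBA_VSA = {1: ("Aruba-User-Role", "string"), 2: ("Aruba-User-Vlan", "integer")}


def encode_aruba_vsa(vtype, value):
    """Build one Vendor-Specific attribute carrying a single Aruba sub-attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = bytes([vtype, 2 + len(data)]) + data
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def iter_tlv(buf):
    """Yield (type, value) pairs from a type/length/value run; reject bad lengths."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def aruba_vsas(attr_bytes):
    """Return {name: value} for the Aruba VSAs in a packet's attribute section."""
    found = {}
    for atype, value in iter_tlv(attr_bytes):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        for vtype, vdata in iter_tlv(value[4:]):
            # Unlisted sub-attributes get a hypothetical "Aruba-VSA-N" label.
            name, kind = ARUBA_VSA.get(vtype, (f"Aruba-VSA-{vtype}", "string"))
            if kind == "integer":
                if len(vdata) != 4:
                    raise ValueError(f"{name} must be a 4-byte integer")
                found[name] = struct.unpack("!I", vdata)[0]
            else:
                found[name] = vdata.decode("utf-8", "replace")
    return found


# Constructed sample: attribute section of an Access-Accept (after the 20-byte header).
SAMPLE = (bytes([6, 6]) + struct.pack("!I", 2)   # Service-Type = Framed
          + encode_aruba_vsa(1, "employee")      # constructed role name
          + encode_aruba_vsa(2, 20))             # constructed VLAN ID
```

Feeding it the attribute bytes from a packet capture of the Access-Accept confirms whether the role name and VLAN ID on the wire match what is configured on the APs or gateway.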