Aruba Central

Dynamic VLAN assignment

  • 1.  Dynamic VLAN assignment

    Posted Aug 02, 2022 05:14 PM
    We've come from Extreme to Aruba and recently purchased several AP505s. We would like to set up a dynamic vlan assignment based on an MPSK Local passphrase. I believe I've got most of the settings correct, but when I try to connect, obtaining an IP address from our external DHCP server fails.

    I'm wondering if under "VLAN Assignment Rules" I have the wrong "attribute" chosen to determine which MPSK Local passphrase is being used and therefore assign the proper VLAN to the client? Wouldn't the attribute be "Aruba-MPSK-Passphrase"?

    At any rate, when I connect to a test SSID that I set up which is unsecured, it gets a DHCP address from our external server without issue. So I suspect I've set something wrong in our Dynamic VLAN assignment.

  • 2.  RE: Dynamic VLAN assignment

    Posted Aug 03, 2022 06:29 AM
    You just select a role to the MPSK local passphrase. In the role you create a VLAN access rule with the VLAN id needed for that role.
    First create the Roles under the security tab.

  • 3.  RE: Dynamic VLAN assignment

    Posted Oct 01, 2023 07:51 PM

    This is what I'm looking for, but what does one choose in the previous step?

    Or do I choose static unnamed vlans (since one cannot choose multiple named vlans?) and add all the possible vlans for the MPSK stage?

  • 4.  RE: Dynamic VLAN assignment

    Posted Oct 05, 2023 09:23 AM

    Ah, you don't assign possible VLANs there. When a user role, or RADIUS response overrides the default VLAN for an SSID, that VLAN will be applied.

    So set it in that VLAN screen to any (static) VLAN you want, or maybe a VLAN not in use if you want to enforce that an actual VLAN is derived during the authentication.

    In Instant/AOS10 this works a bit differently than what you may have learned with other products, as when a client gets assigned a VLAN (role/assignment rule/VSA) the AP will just tag all client traffic on the wired uplink port. Of course, your switch port that connects to the AP will need to have all possible VLANs assigned, but on the AP side it's not needed to pre-define the VLANs.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.