Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RADIUS server in different VLAN

  • 1.  RADIUS server in different VLAN

    Posted 5 hours ago

    Hello,

    In my system I have a few AP-505s, one of them being the virtual controller. The APs are on the 192.168.20.x network, which has VLAN 1. I have several network SSIDs. One of the network SSIDs is on VLAN 50, and the clients on this network get an IP from the range 192.168.50.x and are currently authenticating with PSK.

    I want to change the authentication to RADIUS and the authentication server is a Windows NPS with IP 192.168.50.11 running on VLAN 50.

    On the NPS side, I have created a RADIUS client identified by an IP address (192.168.50.250 on VLAN 50) and a password, and I have created the proper policies.

    On the Virtual Controller, I can't figure out how to set up the RADIUS inside the network settings in order to communicate with a server on a VLAN different from the virtual controller's VLAN. I can't figure out where on the Aruba virtual controller I set up the IP address (192.168.50.250) that should communicate with the RADIUS server.

    Thank you,



  • 2.  RE: RADIUS server in different VLAN

    Posted 5 hours ago

    RADIUS traffic goes between a network device (Instant AP in your case) and a RADIUS server (NPS in VLAN50).

    If your APs are in the (untagged/native) VLAN 1 (192.168.20.0/24), and need to authenticate clients, no matter on which SSID/port, the RADIUS request goes from the management IP of the AP (DHCP-assigned) to the RADIUS server. You would need to enter the whole subnet 192.168.20.0/24 as a RADIUS client in your NPS/RADIUS server. If you have enabled dynamic-radius-proxy on your VC, all RADIUS requests are tunneled through the VC and the VC IP address needs to be added as a RADIUS client in your NPS.

    Note that it's not recommended to mix wireless clients (vlan50) and wired clients/servers (NPS in vlan50) in the same VLAN; but at small scale that may work.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
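
An added example, not part of the original posts: a short Python check of the rule described in the reply above, comparing the source addresses the RADIUS server would see against its configured RADIUS client entries. The individual AP addresses and the VC address are constructed sample values inside the 192.168.20.0/24 subnet named in the thread, and the function names are hypothetical.

```python
import ipaddress

def radius_sources(ap_mgmt_ips, vc_ip, dynamic_radius_proxy):
    """Source addresses the RADIUS server sees, per the reply above:
    with dynamic-radius-proxy every request comes from the VC IP,
    otherwise each AP sends from its own management IP."""
    ips = [vc_ip] if dynamic_radius_proxy else list(ap_mgmt_ips)
    return [ipaddress.ip_address(ip) for ip in ips]

def unmatched_sources(sources, radius_clients):
    """Return the sources not covered by any RADIUS client entry.
    An entry is a single address or a subnet in CIDR form."""
    nets = [ipaddress.ip_network(c, strict=False) for c in radius_clients]
    return [str(s) for s in sources if not any(s in n for n in nets)]

# Constructed sample values (assumptions, not from the thread)
AP_MGMT_IPS = ["192.168.20.21", "192.168.20.22", "192.168.20.23"]
VC_IP = "192.168.20.5"

def check(radius_clients, dynamic_radius_proxy):
    """Sources that would not match any RADIUS client for this setup."""
    sources = radius_sources(AP_MGMT_IPS, VC_IP, dynamic_radius_proxy)
    return unmatched_sources(sources, radius_clients)

if __name__ == "__main__":
    scenarios = [
        ("client 192.168.50.250, no proxy", ["192.168.50.250"], False),
        ("client 192.168.20.0/24, no proxy", ["192.168.20.0/24"], False),
        ("client = VC IP, proxy enabled", [VC_IP], True),
        ("client = VC IP, proxy disabled", [VC_IP], False),
    ]
    for label, clients, drp in scenarios:
        missing = check(clients, drp)
        status = "all sources covered" if not missing else f"not covered: {missing}"
        print(f"{label}: {status}")
```
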



  • 3.  RE: RADIUS server in different VLAN

    Posted 2 hours ago

    Hi Herman,

    The VC must be able to communicate with the RADIUS server, not through VLAN 1, but through VLAN 50 and with an IP in the range 192.168.50.x. How do I set up a dynamic-radius-proxy for VLAN 50 and give it an IP different from the VC management IP? There seem to be settings related to the DRP in the System settings but also in the RADIUS configuration inside the SSID configuration.