Cloud Managed Networks

Occasional Contributor I

How to define user BW using RADIUS Attributes (not Roles)

Hi,

We have developed a solution in the cloud for professional WiFi scenarios (external captive portal, external RADIUS, etc.) and we are starting to integrate our solution with Aruba equipment.

I am checking all the RADIUS attributes that the Aruba APs support (# show radius-attributes on the CLI) and I don't find any of them related to the bandwidth speed or to the volume.

For integrations with similar systems such as Purple, the suggested way of proceeding is creating user profiles in Aruba Central and sending the role via RADIUS, but this is not the most convenient way of proceeding for us, as we don't want to define the profiles in Aruba Central; just in our platform, and send them to the users via RADIUS.

The volume could also be controlled with RADIUS CoA, but it would be nice if it could be passed to the user too (the accounting packet interval we use is 300 s).

With other vendors we use parameters such as WISPR-Bandwidth-Max-Down, WISPR-Bandwidth-Max-Up, Maximum-Data-Rate-Downstream, ..., Mikrotik-Rate-Limit, Mikrotik-Recv-Limit, etc. Are there no equivalent parameters for Aruba?

I attach the supported attributes in our laboratory IAP-205H:

AP_MADRID# show radius-attributes 
 
Radius Attributes
-----------------------
AP-Group
AP-Name
ARAP-Features
ARAP-Security
ARAP-Security-Data
ARAP-Zone-Access
Acct-Authentic
Acct-Delay-Time
Acct-Input-Gigawords
Acct-Input-Octets
Acct-Input-Packets
Acct-Interim-Interval
Acct-Link-Count
Acct-Multi-Session-Id
Acct-Output-Gigawords
Acct-Output-Octets
Acct-Output-Packets
Acct-Session-Id
Acct-Session-Time
Acct-Status-Type
Acct-Terminate-Cause
Acct-Tunnel-Packets-Lost
Add-Port-To-IP-Address
Aruba-AP-Group
Aruba-AP-IP-Address
Aruba-AS-Credential-Hash
Aruba-AS-User-Name
Aruba-Admin-Path
Aruba-Admin-Role
Aruba-AirGroup-Device-Type
Aruba-AirGroup-Shared-Group
Aruba-AirGroup-Shared-Role
Aruba-AirGroup-Shared-User
Aruba-AirGroup-User-Name
Aruba-AirGroup-Version
Aruba-Auth-SurvMethod
Aruba-Auth-Survivability
Aruba-CPPM-Role
Aruba-Calea-Server-Ip
Aruba-Device-Type
Aruba-Essid-Name
Aruba-Framed-IPv6-Address
Aruba-Location-Id
Aruba-Mdps-Device-Iccid
Aruba-Mdps-Device-Imei
Aruba-Mdps-Device-Name
Aruba-Mdps-Device-Product
Aruba-Mdps-Device-Profile
Aruba-Mdps-Device-Serial
Aruba-Mdps-Device-Udid
Aruba-Mdps-Device-Version
Aruba-Mdps-Max-Devices
Aruba-Mdps-Provisioning-Settings
Aruba-Named-User-Vlan
Aruba-Network-SSO-Token
Aruba-No-DHCP-Fingerprint
Aruba-Port-Bounce-Host
Aruba-Port-Id
Aruba-Priv-Admin-User
Aruba-Template-User
Aruba-User-Group
Aruba-User-Role
Aruba-User-Vlan
Aruba-WorkSpace-App-Name
Authentication-Sub-Type
Authentication-Type
CHAP-Challenge
Callback-Id
Callback-Number
Chargeable-User-Identity
Cisco-AVPair
Class
Connect-Info
Connect-Rate
Crypt-Password
DB-Entry-State
Digest-Response
Domain-Name
EAP-Message
Error-Cause
Event-Timestamp
Exec-Program
Exec-Program-Wait
Expiration
Fall-Through
Filter-Id
Framed-AppleTalk-Link
Framed-AppleTalk-Network
Framed-AppleTalk-Zone
Framed-Compression
Framed-IP-Address
Framed-IP-Netmask
Framed-IPX-Network
Framed-IPv6-Pool
Framed-IPv6-Prefix
Framed-IPv6-Route
Framed-IPv6-address
Framed-Interface-Id
Framed-MTU
Framed-Protocol
Framed-Route
Framed-Routing
Full-Name
Group
Group-Name
Hint
Huntgroup-Name
Idle-Timeout
Location-Capable
Location-Data
Location-Information
Login-IP-Host
Login-IPv6-Host
Login-LAT-Node
Login-LAT-Port
Login-LAT-Service
Login-Service
Login-TCP-Port
Menu
Message-Auth
NAS-IPv6-Address
NAS-Port-Type
Operator-Name
Password
Password-Retry
Port-Limit
Prefix
Prompt
Proxy-State
Rad-Authenticator
Rad-Code
Rad-Id
Rad-Length
Reply-Message
Requested-Location-Info
Revoke-Text
Server-Group
Server-Name
Service-Type
Session-Timeout
Simultaneous-Use
State
Strip-User-Name
Suffix
Termination-Action
Termination-Menu
Tunnel-Assignment-Id
Tunnel-Client-Auth-Id
Tunnel-Client-Endpoint
Tunnel-Connection-Id
Tunnel-Medium-Type
Tunnel-Preference
Tunnel-Private-Group-Id
Tunnel-Server-Auth-Id
Tunnel-Server-Endpoint
Tunnel-Type
User-Category
User-Name
User-Vlan
Vendor-Specific
fw_mode
dhcp-option
dot1x-authentication-type
mac-address
mac-address-and-dhcp-options
pre-tagged-vlan-id
Guru Elite

Re: How to define user BW using RADIUS Attributes (not Roles)

User roles are the core access enforcement mechanism for Aruba wired and wireless. You can add these enforcements to a user role.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: How to define user BW using RADIUS Attributes (not Roles)

I know.

My question was: can I use RADIUS parameters to control BW and volume using RADIUS parameters instead of User Roles, so if I want to change a User Plan I do not need to edit the User Role in Aruba Central, just change the value passed by the RADIUS?

Occasional Contributor I

Re: How to define user BW using RADIUS Attributes (not Roles)

Hi,

No suggestions about this? Any ideas?

Thanks in advance

Occasional Contributor I

Re: How to define user BW using RADIUS Attributes (not Roles)

Hi Aruba staff,

Could you please answer this question? Any ideas?

There is a big lack of information about RADIUS implementations, which is crucial for integration with third-party companies such as external captive portals.

Any clue about this issue will be appreciated.

Guru Elite

Re: How to define user BW using RADIUS Attributes (not Roles)

To be clear, if you want to enforce the sustained bandwidth, there is no enforcement mechanism outside a role, so you would need to use a role.  If you want to enforce the total bandwidth, that is outside of the Wireless LAN controller and would have to be done with the radius server with a combination of interim radius accounting and a COA from the radius server to disconnect the user after.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
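
The volume approach from the reply above (interim accounting on the RADIUS server, then a disconnect sent to the AP), as an added example that is not code from the thread or from Aruba. It assumes the disconnect is an RFC 5176 Disconnect-Request, and the plan size and class name are hypothetical; the accounting attribute names are the ones in the `show radius-attributes` list.

```python
# Added example: server-side volume quota driven by RADIUS accounting.
GIGAWORD = 2 ** 32              # RFC 2869: Gigawords counts wraps of the 32-bit octet counter
START, STOP, INTERIM = 1, 2, 3  # Acct-Status-Type values
DISCONNECT_REQUEST = 40         # RFC 5176 packet code (assumed disconnect mechanism)

def session_octets(attrs):
    """Total bytes, both directions, reported by one accounting packet."""
    to_client = attrs.get("Acct-Output-Gigawords", 0) * GIGAWORD + attrs.get("Acct-Output-Octets", 0)
    from_client = attrs.get("Acct-Input-Gigawords", 0) * GIGAWORD + attrs.get("Acct-Input-Octets", 0)
    return to_client + from_client

def worst_case_overshoot(rate_limit_kbps, interim_seconds=300):
    """Bytes a client can move past its quota before the next interim update."""
    return rate_limit_kbps * 1000 // 8 * interim_seconds

class QuotaTracker:
    def __init__(self, quota_bytes):
        self.quota_bytes = quota_bytes  # hypothetical per-user volume plan
        self.closed = {}                # user -> bytes from finished sessions
        self.live = {}                  # (user, session id) -> latest counter

    def used(self, user):
        live = sum(v for (u, _), v in self.live.items() if u == user)
        return self.closed.get(user, 0) + live

    def handle(self, attrs):
        """Process one Accounting-Request; return a Disconnect-Request dict or None."""
        user, sid = attrs["User-Name"], attrs["Acct-Session-Id"]
        key, status = (user, sid), attrs["Acct-Status-Type"]
        if status == START:
            self.live.setdefault(key, 0)
            return None
        # Retransmitted or reordered packets must never lower the counter.
        total = max(self.live.get(key, 0), session_octets(attrs))
        if status == STOP:
            self.live.pop(key, None)
            self.closed[user] = self.closed.get(user, 0) + total
            return None
        self.live[key] = total
        if self.used(user) >= self.quota_bytes:
            return {"code": DISCONNECT_REQUEST, "User-Name": user, "Acct-Session-Id": sid}
        return None
```

With the 300 s interim interval mentioned in the question, `worst_case_overshoot` shows how far past the plan a client can get before the server sees it, which depends on the rate limit set in the role.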
Occasional Contributor I

Re: How to define user BW using RADIUS Attributes (not Roles)

Thanks cJoseph. I don't like it, but that's exactly the answer I was looking for.
