How do I go about doing VLAN derivation against Microsoft RADIUS without configuring a server derivation rule on the controller?

Aruba Employee

When the client completes authentication, the user can be assigned to a specific VLAN based on an attribute returned by the RADIUS server. The controller then places the user in the VLAN returned from the RADIUS server instead of the VLAN specified on the Virtual AP profile.
Yes; no server derivation rule needs to be configured on the controller, and this can be achieved using two methods:

  1. Configure a VSA to derive the VLAN from the external RADIUS server.
  2. Configure the MSFT attribute to derive the VLAN from the external RADIUS server.

(Aruba2400) #show aaa radius-attributes | include 14823
Aruba-Location-Id               6      String   Aruba      14823
Aruba-Template-User             8      String   Aruba      14823
Aruba-User-Role                 1      String   Aruba      14823
Aruba-Port-Id                   7      String   Aruba      14823
Aruba-Priv-Admin-User           3      Integer  Aruba      14823
Aruba-User-Vlan                 2      Integer  Aruba      14823
Aruba-Essid-Name                5      String   Aruba      14823
Aruba-Named-User-Vlan           9      String   Aruba      14823
Aruba-Admin-Role                4      String   Aruba      14823




  - IETF 64 (Tunnel Type)—Set this to “VLAN” string
  - IETF 65 (Tunnel Medium Type)—Set this to 802
  - IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID (ex 40)
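
To confirm which of the two methods a RADIUS reply actually carries, the attribute block of an Access-Accept can be decoded and checked. The following is an added example, not code from the original article or from Aruba: `iter_attrs`, `derive_vlan` and `tlv` are hypothetical helper names, the sample replies are constructed, and the wire values 13 (VLAN) and 6 (802) come from RFC 2868 and RFC 3580. Preferring the VSA when both are present and requiring all three tunnel attributes are this example's assumptions, not documented controller behaviour.

```python
import struct

ARUBA_VENDOR_ID = 14823    # vendor ID from the CLI output above
ARUBA_USER_VLAN = 2        # Aruba-User-Vlan (Integer)
TUNNEL_TYPE_VLAN = 13      # wire value of "VLAN" for attribute 64
TUNNEL_MEDIUM_802 = 6      # wire value of "802" for attribute 65

def iter_attrs(buf):
    """Yield (type, value) for each type/length/value attribute in buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2 or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def derive_vlan(attrs):
    """Return (method, vlan_id) for an Access-Accept attribute block, else None."""
    tunnel = {}
    for atype, val in iter_attrs(attrs):
        if atype == 26 and len(val) >= 4:              # Vendor-Specific
            if struct.unpack("!I", val[:4])[0] != ARUBA_VENDOR_ID:
                continue
            for vtype, vval in iter_attrs(val[4:]):
                if vtype == ARUBA_USER_VLAN and len(vval) == 4:
                    return ("vsa", struct.unpack("!I", vval)[0])
        elif atype in (64, 65) and len(val) == 4:      # tag byte + 3-byte value
            tunnel[atype] = int.from_bytes(val[1:], "big")
        elif atype == 81 and val:                      # optional tag byte + string
            raw = val[1:] if val[0] <= 0x1F else val
            tunnel[81] = raw.decode("ascii", "replace")
    # This example requires all three tunnel attributes the article lists.
    if (tunnel.get(64) == TUNNEL_TYPE_VLAN and tunnel.get(65) == TUNNEL_MEDIUM_802
            and tunnel.get(81, "").isdigit()):
        return ("ietf-tunnel", int(tunnel[81]))
    return None

def tlv(atype, value):
    """Encode one attribute (hypothetical helper used to build the samples)."""
    return bytes([atype, len(value) + 2]) + value

# Constructed sample attribute blocks, not captured traffic.
VSA_REPLY = tlv(26, struct.pack("!I", ARUBA_VENDOR_ID)
                + tlv(ARUBA_USER_VLAN, struct.pack("!I", 40)))
IETF_REPLY = tlv(64, b"\x00\x00\x00\x0d") + tlv(65, b"\x00\x00\x00\x06") + tlv(81, b"40")
INCOMPLETE = tlv(64, b"\x00\x00\x00\x0d") + tlv(81, b"40")   # attribute 65 missing

if __name__ == "__main__":
    for name, blob in (("VSA", VSA_REPLY), ("IETF", IETF_REPLY), ("incomplete", INCOMPLETE)):
        print(name, derive_vlan(blob))
```

A reply that sets only some of the tunnel attributes returns `None` here, which is the case worth checking first when the expected VLAN is not applied.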




Version history: revision 1 of 1, last update 07-11-2014 09:02 AM

If I configure VSA to derive vlan from external RADIUS server, do I need to create a server rule with the same attributes at the server group profile?

If you are using VSA to configure the VLAN or role, we do not need a server derivation rule on the server group. The controller will move the user to the respective role or vlan based on the return attribute on VSA.

Thank you very much.