How do I go about doing VLAN derivation against Microsoft RADIUS without configuring a server derivation rule on the controller?
When the client completes authentication, the user can be assigned to a specific VLAN based on an attribute returned by the RADIUS server. The user is then placed in the VLAN returned by the RADIUS server instead of the VLAN specified in the Virtual AP profile.
Yes; no server derivation rule needs to be configured on the controller. This can be achieved using two methods:
- Configure a VSA to derive the VLAN from the external RADIUS server.
- Configure MSFT attributes to derive the VLAN from the external RADIUS server.
FOR VSA:
(Aruba2400) #show aaa radius-attributes | include 14823
Aruba-Location-Id 6 String Aruba 14823
Aruba-Template-User 8 String Aruba 14823
Aruba-User-Role 1 String Aruba 14823
Aruba-Port-Id 7 String Aruba 14823
Aruba-Priv-Admin-User 3 Integer Aruba 14823
Aruba-User-Vlan 2 Integer Aruba 14823
Aruba-Essid-Name 5 String Aruba 14823
Aruba-Named-User-Vlan 9 String Aruba 14823
Aruba-Admin-Role 4 String Aruba 14823
FOR MSFT:
· IETF 64 (Tunnel Type)—Set this to “VLAN” string
· IETF 65 (Tunnel Medium Type)—Set this to 802
· IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID (ex 40)
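To check which of the two methods an Access-Accept actually carries, the attribute block can be decoded offline. The following is an added example, not Aruba or Microsoft code: it parses raw RADIUS attributes and reports the VLAN from Aruba-User-Vlan (vendor 14823, type 2) and from the IETF 64/65/81 set. The sample bytes are constructed, the function names are hypothetical, and requiring all three tunnel attributes to be present is this example's choice.

```python
import struct

ARUBA_VENDOR_ID, ARUBA_USER_VLAN = 14823, 2   # from the attribute listing above
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6                 # numeric values from RFC 2868

# Constructed sample attribute blocks (not captured traffic), both for VLAN 40.
VSA_SAMPLE = bytes([26, 12]) + struct.pack("!IBBI", ARUBA_VENDOR_ID, 2, 6, 40)
TUNNEL_SAMPLE = (bytes([64, 6, 0, 0, 0, 13]) + bytes([65, 6, 0, 0, 0, 6])
                 + bytes([81, 4]) + b"40")


def iter_attributes(blob):
    """Yield (type, value) for each RADIUS attribute TLV in blob."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[pos], blob[pos + 1]
        if a_len < 2 or pos + a_len > len(blob):
            raise ValueError(f"bad length for attribute {a_type}")
        yield a_type, blob[pos + 2:pos + a_len]
        pos += a_len


def derive_vlan(blob):
    """Return the VLAN ID carried by each method, or None if absent."""
    result = {"vsa": None, "tunnel": None}
    tunnel = {}
    for a_type, value in iter_attributes(blob):
        if a_type == 26 and len(value) == 10:      # Vendor-Specific, 4-byte int
            vendor, v_type, v_len, vlan = struct.unpack("!IBBI", value)
            if (vendor, v_type, v_len) == (ARUBA_VENDOR_ID, ARUBA_USER_VLAN, 6):
                result["vsa"] = vlan
        elif a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(value) == 4:
            tunnel[a_type] = int.from_bytes(value[1:], "big")   # skip tag byte
        elif a_type == TUNNEL_PGID and value:
            # A first byte <= 0x1F is a tag (RFC 2868), not part of the ID.
            text = value[1:] if value[0] <= 0x1F else value
            tunnel[a_type] = text.decode("ascii", "replace")
    # The tunnel method only counts when all three attributes agree.
    if (tunnel.get(TUNNEL_TYPE) == TYPE_VLAN
            and tunnel.get(TUNNEL_MEDIUM) == MEDIUM_802
            and tunnel.get(TUNNEL_PGID, "").isdigit()):
        result["tunnel"] = int(tunnel[TUNNEL_PGID])
    return result


if __name__ == "__main__":
    print(derive_vlan(VSA_SAMPLE), derive_vlan(TUNNEL_SAMPLE))
```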