Which of the derived vlans take priority, if UDR, MAC auth and Dot1x is configured in a AAA profile?

Aruba Employee
Aruba Employee

This articles applies to Aruba Mobility Controllers running Aruba OS version or higher.


A client is assigned to a VLAN by one of several methods. There is an order of precedence by which VLANs are assigned. The assignment of VLANs are (from lowest to highest precedence).  Controller stores all the vlans derived during association of a client and then the one that is derived using the highest precedence derivation, is considered as client vlan.

Below figure shows the overview of priority for the vlan assignment:





Note: VLAN from DHCP options has highest priority for VLAN derivation. But DHCP options are not considered for derivation if ARUBA_NO_DHCP_FINGERPRINT (14)  Aruba VSA (Vendor Specific Attribute) was sent for the user by authentication server.

"show aaa debug vlan user <mac-address/IP>" command displays the controller point of view, of vlans dervied for a client connecting to an SSID.

Below figure shows the output of this command:


rtaImage 1.jpeg


Points to note:

  • VLAN derivation is not supported for L3-authentication
  • VLAN derivation is not supported for Split-Tunnel and Bridge forward mode of Remote-AP (RAP)


Version history
Revision #:
1 of 1
Last update:
‎07-01-2014 04:23 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: