Controllerless Networks

hi folks,

I get in troubles with my new IAP215 in our new branch office. There is defined an essid "staff" with WPA2-Enterprise security, but RADIUS server is located in our HQ office. Branch is connected with HQ via IPsec tunnel, so IAP215 can reach RADIUS server correctly. There is also essid "staff" in HQ and users are bridged to the VLAN (16,17,18) by the Dynamic VLAN Assignment Rules  according to the value of Aruba-User-Vlan AVP in RADIUS server reply.

Situation in branch office is much more simpler. There are no VLANs, just cable modem, MikroTik router, unmanageable switch and IAP215. The essid "staff" is defined in the same way, but VLAN assignment is set to "Default".

Problem is that user in branch office is not bridged to the LAN and not receive and IP address from MikroTik router. My idea is that IAP is trying to use the value of Aruba-User-Vlan AVP but there are no VLANs to assign to.

Does anybody know how to configure essid to ignore Aruba-User-Vlan value received from RADIUS server ? The essid "test" with WPA2-PSK security works OK.

Thanks.

You should send an access-accept to the the remote Instant clusters instead of using the Aruba VSAs. This will likely require a separate service rule / connection requrest policy for your remote offices. 

So you thing that I should user another type of AVP in RADIUS server responces or filter out this AVP when replied to remote cluster ?

My suggestion would be to create a separate ruleset for branch offices that simply replies back with an access-accept which will put the user in the default VLAN as configured on the Instant cluster.

You can usually use Connection Source IP or NAS-IP as the filter for the connection request(s).

:) OK, let's see how to do that in the Freeradius.