Controllerless Networks

Instant (IAP) downloadable user role (DUR) with vlan argument not downloaded

Hello!

 

I tried to apply the user vlan in combination with the user role as DUR from Clearpass to IAP.

 

For this I used the type Radius:Aruba with Aruba-CPPM-Role and the value:
wlan access-rule vl20_allow-all

vlan 20
rule any any match any any any permit

 

This can be configured on instant cli and GUI.
But if I deploy this as DUR, the VC won't download the role.

 

I successfully pushed the role without the vlan.
To apply the vlan, I used a second enforcement profile with the Aruba-User-Vlan Attribute.

 

I found similar behavior described for AOS here.

 

Is this expected on AOS and IAP?
Is it by design that VLANs cannot be pushed with the DUR?

 

Thank you!

 

Best regards/Mit freundlichen Grüßen
Matthias

Accepted Solutions
Re: Instant (IAP) downloadable user role (DUR) with vlan argument not downloaded

For:

  • IAP/controller DUR: Send separate User-role contents and the VLAN in a separate attribute (Filter-ID/Aruba-User-VLAN/Aruba-User-VLAN-Name). BTW, Role-based VLANs are deprecated/non-supported on controllers/IAP, which may be why.
  • ArubaOS Switch DUR: Send VLAN as part of the User-Role. If you send multiple RADIUS Attributes, everything will be rejected by the switch.
--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
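
The split recommended above for IAP/controller DUR, as an added example that is not part of the original posts and is not Aruba or ClearPass code: a pre-deployment check that pulls a `vlan` line out of an Aruba-CPPM-Role value and returns it as a separate attribute. The function name, the handling of blank lines, and the mapping of non-numeric VLANs to Aruba-User-VLAN-Name are assumptions.

```python
import re

# Matches a role-level VLAN line such as "vlan 20" (syntax as posted in the question).
VLAN_LINE = re.compile(r"^\s*vlan\s+(\S+)\s*$", re.IGNORECASE)


def split_dur_for_iap(role_value):
    """Split an Aruba-CPPM-Role value into (role_body, extra_attributes).

    Any "vlan <id>" line is removed from the role body and returned as a
    separate RADIUS attribute, the layout the accepted answer recommends
    for IAP/controller DUR.
    """
    body, vlans = [], []
    for line in role_value.splitlines():
        if not line.strip():
            continue  # assumption: blank lines are copy/paste residue
        m = VLAN_LINE.match(line)
        if m:
            vlans.append(m.group(1))
        else:
            body.append(line.strip())
    if len(set(vlans)) > 1:
        raise ValueError(f"conflicting vlan lines in role: {vlans}")
    attrs = {}
    if vlans:
        vlan = vlans[0]
        # Assumption: numeric IDs go in Aruba-User-Vlan, names in Aruba-User-VLAN-Name.
        key = "Aruba-User-Vlan" if vlan.isdigit() else "Aruba-User-VLAN-Name"
        attrs[key] = vlan
    return "\n".join(body), attrs


# The role value from the question (blank line included, as posted).
POSTED_ROLE = """wlan access-rule vl20_allow-all

vlan 20
rule any any match any any any permit
"""

if __name__ == "__main__":
    role, attrs = split_dur_for_iap(POSTED_ROLE)
    print("Aruba-CPPM-Role:\n" + role)
    for name, value in attrs.items():
        print(f"{name}: {value}")
```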

Re: Instant (IAP) downloadable user role (DUR) with vlan argument not downloaded

Hello Herman!

 

Thank you, sounds plausible.

 

Best regards/Mit freundlichen Grüßen
Matthias