Hello,
We have a swarm of AP-303 with RADIUS authentication on one SSID. Authentication works as expected, but dynamic VLAN assignments sent by the RADIUS Server are ignored; all clients are being placed within the default VLAN.
Example user on the FreeRADIUS server:
testuser Cleartext-Password := "somepassword"
    aruba-named-user-vlan = 2,
    aruba-user-vlan = 2,
    Tunnel-Type = "VLAN",
    Tunnel-Medium-Type = "IEEE-802",
    Tunnel-Private-Group-ID = "2"
Assigned vlan/filter rules on the controller:
vlan 21
set-vlan Aruba-Named-User-Vlan value-of
set-vlan Tunnel-Private-Group-Id value-of
set-vlan Aruba-User-Vlan value-of
The user "testuser" can authenticate, the RADIUS server is sending all 3 attributes, but the controller ignores all of them and places the user in VLAN 21...
The authentication method is PEAP/MSCHAPv2; the attributes are sent with the EAP reply of the outer tunnel (not the MSCHAP reply that is sent to the endpoint). From my understanding this should be the correct behaviour?
This setup already worked - but as that SSID was mainly unused until recently I can't tell when it broke (e.g. update of the controller and/or RADIUS). Were there any changes to the VLAN assignment logic?
I can provide relevant debug logs and/or controller configuration if needed, I just didn't want to completely spam the initial post with hundreds of lines of debugging/config. I still have the feeling I just missed some small config detail...
Thanks,
Sebastian
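
Added example, not part of the original post: one way to confirm from a packet capture which VLAN attributes the RADIUS server actually put on the wire is to decode the UDP payload of the reply, including the tagged tunnel attributes (RFC 2868) and the Aruba vendor-specific attributes. The function names are hypothetical, the sample packet is constructed from the reply items in the post, and the Aruba vendor ID (14823) and VSA numbers (2 and 9) are taken from the Aruba RADIUS dictionary.

```python
import struct

ARUBA_VENDOR_ID = 14823  # Aruba enterprise number used in its RADIUS VSAs
ACCESS_ACCEPT = 2

def attr(code, value):
    """Encode one RADIUS attribute (type, length, value)."""
    return bytes([code, len(value) + 2]) + value

def parse_attributes(data):
    """Yield (type, value) pairs from a RADIUS attribute list or VSA body."""
    i = 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def vlan_attributes(packet):
    """Return the packet code and every VLAN-related attribute it carries."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    found = {"code": code}
    for t, v in parse_attributes(packet[20:length]):  # 20-byte RADIUS header
        if t == 64:    # Tunnel-Type: tag byte + 3-byte value, 13 = VLAN
            found["Tunnel-Type"] = int.from_bytes(v[1:4], "big")
        elif t == 65:  # Tunnel-Medium-Type: tag byte + 3-byte value, 6 = IEEE-802
            found["Tunnel-Medium-Type"] = int.from_bytes(v[1:4], "big")
        elif t == 81:  # Tunnel-Private-Group-ID: first byte <= 0x1F is a tag
            found["Tunnel-Private-Group-ID"] = (v[1:] if v[:1] and v[0] <= 0x1F else v).decode()
        elif t == 26 and int.from_bytes(v[:4], "big") == ARUBA_VENDOR_ID:
            for vt, vv in parse_attributes(v[4:]):
                if vt == 2:    # Aruba-User-Vlan (integer)
                    found["Aruba-User-Vlan"] = int.from_bytes(vv, "big")
                elif vt == 9:  # Aruba-Named-User-Vlan (string)
                    found["Aruba-Named-User-Vlan"] = vv.decode()
    return found

def sample_access_accept():
    """Constructed Access-Accept carrying the reply items from the post."""
    aruba = lambda vtype, value: attr(26, struct.pack("!I", ARUBA_VENDOR_ID) + attr(vtype, value))
    attrs = (attr(64, b"\x00" + (13).to_bytes(3, "big"))
             + attr(65, b"\x00" + (6).to_bytes(3, "big"))
             + attr(81, b"2")
             + aruba(2, struct.pack("!I", 2))
             + aruba(9, b"2"))
    # Authenticator is zeroed: this sample is for parsing only, not validation
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(vlan_attributes(sample_access_accept()))
```

Run against the real reply, the "code" field shows whether the attributes arrived in the final Access-Accept (2) or in an earlier Access-Challenge (11).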