HP850 WLAN, use AP-group info?

So I'm setting up ClearPass for a company that will just be running their HP WLAN and Aruba WLAN side by side.


Now I need to change the current user-only authentications into machine + user. So far no problem.

But I also need to return different vlans depending on which AP-group the AP is in. For the Aruba WLAN I can just use the Aruba-AP-Group or even the Called-Station-Id.

With the HP controller, I cannot seem to find anything that references this.


So does anybody have any idea on how to differentiate from which ap-group the authentication originated? Or other ideas to get this resolved without having to manage a mac-list of all the APs?

Koen (ACMX #351 | ACDX #547 | ACCP)


Re: HP850 WLAN, use AP-group info?

Can you post a screen grab of the RADIUS request with all the VSAs?

Tim Cappalli | Aruba Security | @timcappalli

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: HP850 WLAN, use AP-group info?

Managed to figure out a way to do it. Not the prettiest solution but at least it works.


If I configure the service-template (~SSID profile) with a vlan:

wlan ap-group algdi
 if-match ip
 ap ap-3.1
 ap ap-3.3
 ap ap-4.4
 dot11a service-template 1 vlan-id 123
 dot11a service-template 2 vlan-id 123
 dot11bg service-template 1 vlan-id 123
 dot11bg service-template 2 vlan-id 123



then this vlan id is sent along with the radius request as part of the NAS-Port-Id:


Input RADIUS Attributes -
Radius:IETF:Acct-Session-Id = 11607121154130ed09a5627f
Radius:IETF:Called-Station-Id = 2C-41-38-DB-AA-8E:clearpasshp
Radius:IETF:Calling-Station-Id = 28-B2-BD-42-D8-1C
Radius:IETF:Chargeable-User-Identity = 
Radius:IETF:Framed-MTU = 768
Radius:IETF:Framed-Protocol = 1
Radius:IETF:NAS-Identifier = AC1
Radius:IETF:NAS-IP-Address =
Radius:IETF:NAS-Port = 16811984
Radius:IETF:NAS-Port-Id = slot=1;subslot=0;port=8;vlanid=123
Radius:IETF:NAS-Port-Type = 19
Radius:IETF:Service-Type = 2
Radius:IETF:User-Name = DOMAIN\\user

That is the only way I found to get dynamic vlans that take the ap-group into account.



And for your reference Cappalli, these are all the radius VSAs that I receive in the request.



EDIT: If you solve it like this, be sure to add ALL the vlans you may be pushing to users from this ap-group. The HP WLAN controller seems to send the previously pushed vlan when a user switches networks instead of the default vlan.

Koen (ACMX #351 | ACDX #547 | ACCP)
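
Added example, not part of the original posts: the matching logic a policy keyed on the `vlanid` field of the NAS-Port-Id above has to get right, written in Python. The AP-group table, the group name `branch` and VLANs 124 and 12 are constructed for illustration; the field is parsed exactly because a plain substring test for `vlanid=12` also matches `vlanid=123`.

```python
import re

# Hypothetical table: AP-group -> every VLAN id that may show up in NAS-Port-Id.
# Per the EDIT in the post, this must list ALL VLANs that can be pushed to users
# from the group, because the controller may report the previously pushed VLAN.
AP_GROUP_VLANS = {
    "algdi": {123, 124},   # 123 is from the post; 124 is constructed
    "branch": {12},        # constructed group and VLAN
}


def parse_nas_port_id(value):
    """Split 'slot=1;subslot=0;port=8;vlanid=123' into a dict of str -> str."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep and key.strip():
            fields[key.strip().lower()] = val.strip()
    return fields


def ap_group_for(nas_port_id, table=AP_GROUP_VLANS):
    """Return the single AP-group owning the reported vlanid, else None."""
    raw = parse_nas_port_id(nas_port_id).get("vlanid", "")
    # Accept only 1-4 ASCII digits, then range-check against valid 802.1Q ids.
    if not re.fullmatch(r"[0-9]{1,4}", raw):
        return None
    vlan = int(raw)
    if not 1 <= vlan <= 4094:
        return None
    matches = [group for group, vlans in table.items() if vlan in vlans]
    # A VLAN listed under two groups cannot identify the AP-group: fail closed.
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    sample = "slot=1;subslot=0;port=8;vlanid=123"   # value from the post
    print(ap_group_for(sample))
    # Substring pitfall: this naive test is True although the VLAN is 123.
    print("vlanid=12" in sample)
```

If the same VLAN id is configured on service-templates in two AP-groups, the lookup returns no group rather than guessing, so the VLAN ids used as markers need to be unique per group.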
