Occasional Contributor I

NPS Vlan Attribute

Hi there,


I have configured our Microsoft NPS server to send a return attribute to our Aruba controller in the form of a vlan id. The attribute I am sending with the vlan number is the Tunnel-Pvt-Group-ID.


However, Aruba seems to not acknowledge the vlan and does not drop users into the correct vlan.


Can anyone advise what I would need to configure on the Aruba controller to allow this to happen?


I'm basically trying to get Aruba to assign vlans based on the return attribute (vlan-id)...the NPS server is determining what user belongs to what AD security group and then sends the appropriate return attribute.




Guru Elite

Re: NPS Vlan Attribute

To see what radius attributes are coming back:


config t
logging level debugging security process authmgr
logging level debugging security subcat aaa


show log security 50
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:76] Find Request: id=48, srv=, fd=78
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:82]  Current entry: srv=, fd=78
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:37] Del Request: id=48, srv=, fd=78
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1029] Authentication Successful
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1031] RADIUS RESPONSE ATTRIBUTES:
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_ID: 0 
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Rad-Length: 20 
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_CODE: \005 
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RAD_AUTHENTICATOR: \366\262x\225\220K\202\356\025\031\003q\264(\252I 
Sep 11 06:52:17 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=radius-accounting, server=cppm-, user=70:56:81:b2:cc:15 
Sep 11 06:52:17 :124004:  <DBUG> |authmgr|  Auth server 'cppm-' response=0


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Guru Elite

Re: NPS Vlan Attribute

Use the Aruba VSA. See here

Tim Cappalli | Aruba Security | @timcappalli

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: NPS Vlan Attribute

Hi cjoseph,


Thanks very much for the quick reply. I believe the attribute is being sent to Aruba, but my issue is that I don't know what to configure on the Aruba end so that it takes the return attribute as a VLAN tag. At the moment it doesn't seem to be tagging the user traffic with a VLAN tag based on the return attribute. How can I solve that?






Aruba Employee

Re: NPS Vlan Attribute

In the server group that is in use, add a server derivation rule that says "Set the VLAN to the value returned in Tunnel-Private-Group-ID". To do this, click on Configuration > Authentication > Server Group, then select the appropriate server group. Under Server Rules, click New. Select Condition = Tunnel-Private-Group-ID, set the next field to value-of and change "set role" to "set vlan", then click Add. Make sure you save the config to startup (the Save Configuration button on top). The VLAN should now change when a user is authenticated via NPS and the VLAN value is passed back as Tunnel-Private-Group-ID.
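Added example, not code from any poster or from Aruba: a small decoder for the RFC 2868 tunnel attributes that NPS returns in an Access-Accept (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), so you can check on a packet capture whether the VLAN is really being sent, and in what form, before touching the server derivation rule above. It handles the optional leading tag byte on Tunnel-Private-Group-ID and the header-only response (Rad-Length 20, as in the debug output earlier in the thread). The sample packets are constructed in the block with a zeroed authenticator; the function names are mine.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
VLAN, IEEE_802 = 13, 6  # Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802

def parse_radius(packet: bytes):
    """Split a RADIUS packet into (code, identifier, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20  # 20-byte header: code, id, length, 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def vlan_assignment(packet: bytes) -> dict:
    """Report which VLAN-related tunnel attributes an Access-Accept carries."""
    code, _, attrs = parse_radius(packet)
    out = {"vlan": None, "tunnel_type": None, "tunnel_medium": None, "tag": None}
    if code != ACCESS_ACCEPT:
        return out
    for atype, raw in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            # integer tunnel attributes: 1 tag byte followed by a 3-byte value
            key = "tunnel_type" if atype == TUNNEL_TYPE else "tunnel_medium"
            out[key] = int.from_bytes(raw[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # string tunnel attribute: the first byte is a tag only if it is 0x00..0x1F
            tagged = len(raw) > 0 and raw[0] <= 0x1F
            out["tag"] = raw[0] if tagged else 0
            out["vlan"] = (raw[1:] if tagged else raw).decode("ascii", "replace")
    return out

def build_accept(ident: int, vlan=None, tag: int = 0) -> bytes:
    """Constructed sample Access-Accept (zeroed authenticator, no real server)."""
    attrs = b""
    if vlan is not None:
        for atype, val in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
            attrs += bytes([atype, 6, tag]) + val.to_bytes(3, "big")
        body = (bytes([tag]) if tag else b"") + vlan.encode("ascii")
        attrs += bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs
```

Feed `vlan_assignment()` the bytes of a real Access-Accept from a capture: a result with `vlan` set but the controller still not moving the user points at the derivation rule; `vlan` of `None` means NPS never sent the attribute on that response.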

Re: NPS Vlan Attribute

The set vlan option is good but you can also assign a VLAN in the role. I like this better...just more "clean" to me.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos