03-04-2019 01:14 PM
Currently we are using Aruba 2530 48 POE+ switches as our access switches and a pair of Aruba 2920 switches as our Core. We have Aruba IAP-315s for WiFi access.
For WiFi, our Staff SSID authenticates machines using certificates with a Windows 2012R2 NPS server. We have the 2530 switches authenticating workstations on the 'data' ports with the same certificates/RADIUS server. Phones, printers, one-off machines etc. are on separate VLANs and each port is manually configured for either aaa port-access or just untagged traffic on the non-staff VLANs.
I'm not sure if this is possible on the 2530 series switches, but can we leverage our RADIUS/NPS server to automatically assign VLANs to the switch ports?
For example, instead of having to manually configure each port for either aaa authentication, or a phone VLAN, or printer VLAN etc., can this be automated? The voice VLAN feature does not work with our VOIP phones due to a vendor policy. They all have the same OUI, so I was thinking I could dump any device with that OUI into its own VLAN, which is segmented from the rest of the network.
I'm looking for more detail on how to better automate or use the technology we already have to enable this. I've read topics such as this one but I am stuck on the configuration on the switches themselves. How do I tell the 2530 switch ports to obtain their VLAN ID from the RADIUS Server? I'm aware of auth-id and unauth-id, but I would like to have options for more than 2 VLANs.
My goal is to not have to manually configure each port based on location or device type. For example, I don't want to have to define half my ports as phone ports or half as workstation ports with the occasional printer, AP, project etc. I would like to be able to have the switch intelligently determine which VLAN to assign based on the device that is requesting access.
Is this possible with the limited resources I have? I don't have access to ClearPass. I can spin up as many NPS servers as I need, if that helps.
03-05-2019 01:36 AM
It is possible with Aruba 2530 to assign a dynamic Vlan.
You need to send the RADIUS attribute (Egress-Vlan).
PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...
PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)
PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)
PowerArubaIAP: Powershell Module to use Aruba Instant AP
ACMP 6.4 / ACMX #107 / ACCP 6.5
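To make the Egress-VLAN answer concrete, here is an added example that is not from this thread, from Aruba, or from Microsoft. It builds the two vendor-neutral RFC 4675 attributes (Egress-VLANID, type 56, and Egress-VLAN-Name, type 58) exactly as they must appear in a RADIUS Access-Accept, decodes them back so you can check what a server is really sending, and shows the OUI-to-VLAN decision the original question asks for, driven by the Calling-Station-Id MAC a switch presents during MAC-based authentication. The OUI table, VLAN names and VLAN IDs are constructed placeholders, not values from the thread.

```python
"""Added example (not from the thread): encode/decode RFC 4675 Egress-VLAN
RADIUS attributes and pick a VLAN for a device by its OUI."""
from __future__ import annotations

import re
import struct

# RFC 4675 attribute types; vendor-neutral, so no Aruba VSA dictionary is needed.
EGRESS_VLANID = 56
EGRESS_VLAN_NAME = 58

# Tag indicator carried in the first octet (VLANID) or first character (VLAN-Name).
TAGGED = 0x31    # ASCII '1': VLAN egresses the port tagged
UNTAGGED = 0x32  # ASCII '2': VLAN egresses the port untagged (access port)


def encode_egress_vlanid(vlan_id: int, tagged: bool = False) -> bytes:
    """Egress-VLANID value: 4 octets = tag indicator, 12 zero padding bits, 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    tag = TAGGED if tagged else UNTAGGED
    return struct.pack("!I", (tag << 24) | vlan_id)


def decode_egress_vlanid(value: bytes) -> tuple[int, bool]:
    """Inverse of encode_egress_vlanid; rejects malformed values a switch would ignore."""
    if len(value) != 4:
        raise ValueError("Egress-VLANID must be exactly 4 octets")
    (word,) = struct.unpack("!I", value)
    tag = word >> 24
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indicator 0x{tag:02x}")
    if (word >> 12) & 0xFFF:
        raise ValueError("padding bits must be zero")
    return word & 0xFFF, tag == TAGGED


def encode_egress_vlan_name(name: str, tagged: bool = False) -> bytes:
    """Egress-VLAN-Name value: '1' or '2' followed by the VLAN name configured on the switch."""
    if not name:
        raise ValueError("VLAN name must not be empty")
    prefix = chr(TAGGED) if tagged else chr(UNTAGGED)
    return (prefix + name).encode("ascii")


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV (RFC 2865): Type, Length (includes the 2-octet header), Value."""
    if not 0 < attr_type < 256 or len(value) > 253:
        raise ValueError("attribute type or value length out of range")
    return bytes((attr_type, len(value) + 2)) + value


# Constructed OUI -> (VLAN name, VLAN ID) table; hypothetical values for illustration only.
OUI_VLANS = {
    "00:11:22": ("VOICE", 30),
    "00:33:44": ("PRINT", 40),
}


def normalize_mac(mac: str) -> str:
    """Accept 001122aabbcc, 00-11-22-AA-BB-CC, 0011.22aa.bbcc or 00:11:22:aa:bb:cc."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vlan_for_mac(mac: str, table=OUI_VLANS) -> tuple[str, int] | None:
    """Look up the first three octets; None means 'send no VLAN attribute'."""
    return table.get(normalize_mac(mac)[:8])


def access_accept_attributes(mac: str) -> list[bytes]:
    """Attributes to place in Access-Accept for a MAC-authenticated device.
    An empty list leaves the port on the VLAN the switch config already gives it."""
    match = vlan_for_mac(mac)
    if match is None:
        return []
    name, vlan_id = match
    return [
        radius_attribute(EGRESS_VLANID, encode_egress_vlanid(vlan_id)),
        radius_attribute(EGRESS_VLAN_NAME, encode_egress_vlan_name(name)),
    ]


if __name__ == "__main__":
    for attr in access_accept_attributes("00-11-22-AA-BB-CC"):
        print(attr.hex())
```

In NPS the same values are set per network policy under the policy's RADIUS attributes (Egress-VLANID and Egress-VLAN-Name are in the standard attribute list), so the OUI lookup above corresponds to one NPS policy per device class whose condition matches the Calling-Station-Id prefix. ArubaOS-Switch also accepts the older Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID trio if you prefer it. Since a MAC address is trivially cloneable, a VLAN granted purely on OUI should be treated as untrusted and firewalled like the poster already describes, and the decoder's strict checks are worth keeping: a malformed value is silently dropped by the switch, and the port then lands on the unauth VLAN with no obvious error.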
Re: Using RADIUS to assign VLANs on Aruba 2530 switches
03-06-2019 07:10 AM
Thank you! That definitely got me in the right direction.
I'll be exploring some of 16.08's options on auth-order and mixing auth/unauth access. This is great, thank you!