Wireless Access

Hi all

I setup my frist ArubaOS 8.x MC. Our customer has multiple location which are all connected together (VPN or Layer2 ISP Connections).

Each location has a own Subnetz with own VLAN-ID. There is one Controller on HQ which manage all locations (often is only one 3-4 APs per location).

The employee's need to connect on all locations with the same Wifi credentials. 

How can I switch the VLAN based on the location which the user are connecting?

Thanks in advanced.

Hi,

I assume you will do bridging of client traffic - right?

what do you mean by "The employee's need to connect on all locations with the same Wifi credentials."? 

Are they using EAP-PEAP Authentication? 
Than you are able to use Radius data to push them into the needed VLAN.

Go to Authentication - Server Group - Server Rules and set a new rule based on Aruba-AP-IP-Address as an example. As Action you will det the VLAN

Thank you very much.

That was the solution. In didn't search in the "Auth Server" Tab. ;)

I have the same scenario with way more than 3-4 APs at each location.  I'm hoping to use your solution, but use some sort of "begins with" as it would be too inneficient to put in every single AP address.  Further thoughts?

Similar challenge here. In AOS 6.x we have VLAN pools for different locations for the same SSID. Using the server rule approach with, for example, Aruba-AP-Group starts with "XX-", I can map to only a single VLAN, not a VLAN pool. Converting these pools to a single VLAN is going to be a lot of work, as we have many client devices with fixed IP addresses that would have to be changed. Looking for a better solution.

If you're doing EAP-PEAP to ClearPass, you could return the VLAN ID or Name I believe and let CPPM do the logic for you as to what to return. It can use BEGINS_WITH  for AP IP or AP Name or even AP Group probably. 

I'm not sure about AOS 8, but I know in AOS 6 regardless of the VLAN set in the VAP, if one is returned by CPPM, that one is used instead - even without the server rules configured. We have this configured at a site right now and it's been working for years.

---

@mharing wrote:

I'm not sure about AOS 8, but I know in AOS 6 regardless of the VLAN set in the VAP, if one is returned by CPPM, that one is used instead - even without the server rules configured. We have this configured at a site right now and it's been working for years.

---

When the Aruba VSAs are used, that is correct. It using other attributes such as filter-id to signal VLAN, then server rules would be needed.

What if client is not doing radius or cppm?  THey need a wpa2 key ssid that will change vlans depending on location (AP group).

Is there a way to do this in 8.4 ???

I figured out how to do this (single preshare key ssid with multiple vlans)

You have to manualy config a new wlan virtual-ap and then just reference the aaa and ssid profiles and change the vlan id

First I created the ssid via web-gui and put it in default ap group. That gave me the following on ssid named test.

wlan virtual-ap "test"
aaa-profile "test_aaa_prof"
vlan 1
ssid-profile "test_ssid_prof"

I then created new wlan referencing the aaa and ssid profiles and changed the vlan to 59 via cli

wlan virtual-ap "HS-test"
aaa-profile "test_aaa_prof"
vlan 59
ssid-profile "test_ssid_prof"

Then I went back into web-gui and assigned this new HS-test wlan to my HS ap group.  Rinse and repeat for other elementaries etc etc etc.

enjoy !!!

---

john@mosstele.com wrote:

I figured out how to do this (single preshare key ssid with multiple vlans)

 

You have to manualy config a new wlan virtual-ap and then just reference the aaa and ssid profiles and change the vlan id

 

First I created the ssid via web-gui and put it in default ap group. That gave me the following on ssid named test.

 

wlan virtual-ap "test"
aaa-profile "test_aaa_prof"
vlan 1
ssid-profile "test_ssid_prof"

 

I then created new wlan referencing the aaa and ssid profiles and changed the vlan to 59 via cli

 

wlan virtual-ap "HS-test"
aaa-profile "test_aaa_prof"
vlan 59
ssid-profile "test_ssid_prof"

 

 

Then I went back into web-gui and assigned this new HS-test wlan to my HS ap group.  Rinse and repeat for other elementaries etc etc etc.

 

enjoy !!!

 

 

---

Just in case someone runs across this in the future, in the Web GUI, there is an option that needs to be turned on called "Show advanced profiles".

You get there by clicking on the logged in user (admin, for example), clicking Preferences, and finally checking "Show advanced profiles".

Once there, go back to your AP groups, select an AP Group, then on the right side under the highlighted box (which includes APs, WLANS, Multizone, etc.), there's a new "Profiles" link on the right. You can then manage your AP stuff like the old AOS 6.x.