Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Assigning users different vlan/subnet based on AD group membership

  • 1.  Assigning users different vlan/subnet based on AD group membership

    Posted Jan 25, 2013 08:14 AM

    Hi,

    What is the best way to assign users different vlans/subnets? We want to have different subnets for different groups of users. Users in the active directory IT group get assigned subnet A and that subnet has more permissions on our corporate firewall than a user in the standard user group. Standard users get assigned subnet B and fewer permissions to things through the corporate firewall.

    Thanks



  • 2.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Jan 25, 2013 08:54 AM

    You can do this by sending back Aruba's vendor specific attributes (Aruba-User-Vlan in this case). The process involves setting up server rules on the server group that is handling the authentication for your users and then configuring the RADIUS end to return the proper attributes and values depending on the conditions/group memberships you choose. The process for the latter depends on the RADIUS platform. Can you let us know what you are using for RADIUS?

    There is now a list of at least 30 supported Aruba specific VSAs...there may be more:

    Vendor Code: 14823

    Attribute                       Number  Format
    Aruba-User-Role                      1  string
    Aruba-User-Vlan                      2  integer
    Aruba-Priv-Admin-User                3  integer
    Aruba-Admin-Role                     4  string
    Aruba-Essid-Name                     5  string
    Aruba-Location-Id                    6  string
    Aruba-Port-Id                        7  string
    Aruba-Template-User                  8  string
    Aruba-Named-User-Vlan                9  string
    Aruba-AP-Group                      10  string
    Aruba-Framed-IPv6-Address           11  string
    Aruba-Device-Type                   12  string
    Aruba-AP-Name                       13  string
    Aruba-No-DHCP-Fingerprint           14  integer
    Aruba-Mdps-Device-Udid              15  string
    Aruba-Mdps-Device-Imei              16  string
    Aruba-Mdps-Device-Iccid             17  string
    Aruba-Mdps-Max-Devices              18  integer
    Aruba-Mdps-Device-Name              19  string
    Aruba-Mdps-Device-Product           20  string
    Aruba-Mdps-Device-Version           21  string
    Aruba-Mdps-Device-Serial            22  string
    Aruba-CPPM-Role                     23  string
    Aruba-AirGroup-User-Name            24  string
    Aruba-AirGroup-Shared-User          25  string
    Aruba-AirGroup-Shared-Role          26  string
    Aruba-AirGroup-Device-Type          27  integer
    Aruba-Auth-Survivability            28  string
    Aruba-AS-User-Name                  29  string
    Aruba-AS-Credential-Hash            30  string


  • 3.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Jan 29, 2013 08:35 AM

    We are using Win2K8 with NPS for radius. It then talks to AD for authentication/authorization.



  • 4.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Feb 07, 2013 08:25 AM

    Anyone have other ideas?



  • 5.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Feb 07, 2013 08:51 AM

    You can achieve this by using the Aruba VSAs above. For example, on NPS create a network policy for the "IT" group and assign VLAN XYZ.

    Policy Name - Wireless-IT-VLAN-Assignment

    Type of Network Access Server - Unspecified

    Conditions - add whatever you typically add; but make sure you have Windows Group matches IT

    Access Granted

    EAP Type - add whatever authentication types you use

    Constraints - NONE

    RADIUS Attributes

    • Click Vendor Specific; click Add
    • Choose Vendor Specific from the Vendor choice; click Add
    • Click to add attribute information
    • Select Vendor Code = 14823 and Yes it conforms, click Configure Attributes
    • Choose 2 as your assigned attribute number (for Aruba-User-VLAN in the above table)
    • Attribute format = integer (decimal for IAS/NPS)
    • Attribute value = XYZ (VLAN number)
    • Click OK to close out

    On your Server Group that has the NPS servers defined, add a server derived rule that will look for this attribute from NPS and then apply the VLAN. This will set the VLAN to whatever value is sent by NPS for Aruba-User-VLAN (or to NPS, Vendor 14823, attribute 2).

    set vlan condition "Aruba-User-Vlan" value-of position 1



  • 6.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Feb 09, 2013 03:44 PM

    Hi

    As another way rather than assigning the vlan from the radius server you could also just get the radius server to respond with a Filter-ID which contains the name of a role that is defined on the controller. The role would then have a VLAN assigned to it as part of the role configuration.



  • 7.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Feb 10, 2013 04:21 PM

    Have you successfully done this and if so can you provide additional information on the steps involved?

    Thanks



  • 8.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Feb 12, 2013 08:49 PM

    Hi

    I am assuming that it is me that you are asking the settings for.

    If it is, here is how I did it.

    Configure the radius server group so that it expects the filter ID to be sent back from the radius server.

    Server Group Rules

    The filter ID response that the radius server sends must match exactly a role that you have created on the controller

    Windows 2008 NPS response

    The role in the controller looks like this

    super role on controller

    The super role assigns the user to VLAN 17. We have done this so that even though the SSID is configured to use a VLAN pool for the users, any user that is a member of the super users group in AD will automatically be put into VLAN 17 on the wireless and get access to additional resources.

    Works a treat.

    Thanks



  • 9.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Mar 07, 2019 02:37 PM

    Hello, I have ClearPass 6.7 and I want to configure VLANs to assign to my AD users. My users connect to an Aruba controller; is it the same configuration? In ClearPass, what would the procedure be?

    Regards!



  • 10.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Feb 13, 2013 06:55 AM

    @istong,

    revans' solution does work just fine. Using filter-id or Aruba-User-Role to assign a role that has a VLAN assigned both work. The choice on your part is whether you want the same role for the users (but different VLANs assigned by RADIUS) or if it makes sense to create a new role to go with the VLAN differentiation.



  • 11.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Feb 13, 2013 10:26 AM

    We use 802.1x and vlan steering to do it. In NPS, Network Policies, define policy for a group and under 'Conditions', add the AD group; under 'Settings', add 'Tunnel-Medium-Type' (802); 'Tunnel-Pvt-Group-ID' (vlan ID, ie, 100); and 'Tunnel-Type' (Virtual LANs). Do this for all the groups and assign vlans.



  • 12.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Feb 14, 2013 08:48 AM

    Sounds like a good option as well. We are trying something recommended by the TAC. On the NPS server we add new policies for each group and then add a class attribute with a string value of the vlan x. That value (the vlan number x) is then passed to the controller based on that AD group membership. There are then conditions added to the authentication servers that say if the class value equals that vlan number x then assign them a vlan of x. Hoping to have that setup and tested soon.

    Thanks



  • 13.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Feb 14, 2013 09:02 AM

    TAC's solution should work as well. As you can see there are many different ways to accomplish what you want to achieve. In all of them, NPS (or any RADIUS) will return some attribute and value to Aruba; the Server Group just needs to have the corresponding server rule to match that attribute and value; and then go ahead and assign the appropriate VLAN.


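As an added illustration (not code from this thread, from Aruba, or from NPS), the Python below models the three RADIUS answers discussed above on the wire: the Aruba-User-Vlan VSA (vendor 14823, attribute 2) from post 5, the IETF Tunnel-* attributes from post 11, and a Filter-Id naming a controller role from posts 6 and 8. `attr`, `aruba_vsa` and `parse` follow the standard RADIUS attribute format; `derive_vlan` and the `roles` table are assumed, simplified stand-ins for the controller's server-derivation rules, and a role name the controller does not know falls back to the SSID default rather than being trusted.

```python
import struct
ARUBA_VENDOR_ID = 14823                   # vendor code from the VSA table in this thread
VSA = 26                                  # RADIUS Vendor-Specific attribute type
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 11, 64, 65, 81
ARUBA_USER_VLAN = 2                       # Aruba-User-Vlan, integer

def _payload(value):
    """Integers travel as 4-byte big-endian, strings as UTF-8."""
    return struct.pack(">I", value) if isinstance(value, int) else value.encode()

def attr(attr_type, value):
    """Encode a standard RADIUS attribute TLV (type, length, value)."""
    p = _payload(value)
    return bytes([attr_type, 2 + len(p)]) + p

def aruba_vsa(vendor_type, value):
    """Encode one Aruba VSA: type 26, vendor id 14823, then vendor type/length/value."""
    p = _payload(value)
    body = struct.pack(">I", ARUBA_VENDOR_ID) + bytes([vendor_type, 2 + len(p)]) + p
    return bytes([VSA, 2 + len(body)]) + body

def parse(data):
    """Walk the attribute TLVs of an Access-Accept into {(vendor_id, type): raw_value}."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")   # truncated or zero-length TLV
        t, val = data[i], data[i + 2:i + data[i + 1]]
        if t == VSA:                       # one sub-attribute per VSA, as Aruba sends them
            vendor = struct.unpack(">I", val[:4])[0]
            out[(vendor, val[4])] = val[6:4 + val[5]]
        else:
            out[(0, t)] = val
        i += data[i + 1]
    return out

def untag(raw):
    """Drop the optional RFC 2868 tag octet that NPS may prepend to tunnel attributes."""
    return raw[1:] if raw and raw[0] <= 0x1F else raw

def derive_vlan(attrs, roles, default_vlan):
    """Assumed stand-in for the controller's server rules, checked in list order."""
    if (ARUBA_VENDOR_ID, ARUBA_USER_VLAN) in attrs:                 # post 5: set vlan value-of
        return struct.unpack(">I", attrs[(ARUBA_VENDOR_ID, ARUBA_USER_VLAN)])[0]
    if all((0, t) in attrs for t in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID)):  # post 11
        ttype = int.from_bytes(untag(attrs[(0, TUNNEL_TYPE)]), "big")
        tmed = int.from_bytes(untag(attrs[(0, TUNNEL_MEDIUM)]), "big")
        if ttype == 13 and tmed == 6:                                 # 13 = VLAN, 6 = IEEE 802
            return int(untag(attrs[(0, TUNNEL_PGID)]).decode())
    role = attrs.get((0, FILTER_ID), b"").decode()                    # posts 6/8: role name
    return roles.get(role, default_vlan)       # unknown role name falls back to the SSID default
```

The `roles` mapping stands in for the role-to-VLAN binding configured on the controller, so only a Filter-Id that names a role you actually created changes the VLAN.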

  • 14.  RE: Assigning users different vlan/subnet based on AD group membership

    Posted Feb 19, 2013 02:30 AM

    Hence the beauty of an Aruba Wireless Network/Controller over any other wireless vendor I have worked with. The flexibility and multiple ways to implement a solution is second to none.