Wireless Access

Hi,

I would like to configure and understand  how to dynamically assign vlan on one ssid by radius attribute? With other vendor this is more easy.

My environment is formed by 7240 controller and access point 135.

 

Who can help me ? i don' t find a document that describe this solution.

What radius server are you using?

MICROSOFT IAS

If you are making policy decisions based on different AD groups then you can use that in combination with a filter ID to assign a VLAN under the Controller Server Group

Another way you can do this that you assign different role using that same logic I mentioned and then assign the VLAN to the role

 

 

 

see also Aruba-User-Vlan VSA as mentioned here by clembo

 

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Assigning-users-different-vlan-subnet-based-on-AD-group/m-p/61082/highlight/true#M2011

 

Hi Friend,

 

Adding to the reply by Victor here are steps to configure the RAS policy for dynamic VLAN assignment.

 

 

Select  New policy and give a name ( DemoPolicy)

 

 

Select Wireless :

 

Select the user group to map this policy (Manager is a group)

 

 

Select  Grant RAS and click on Edit profile

Select Advanced Tab and select Add

 

 

Select Attribute name as either Filterid or "Vendor specific". to make your life simple select "Vendor Specific" and click on Add.

Select option, "Enter Vendor-code" the value for Aruba is 14823

 

Select option "It Confirms" and select "Configure Attributes"

 

 

Select the appropriate value and type as shown bellow. 

 

Here for returning VLAN id we should select attribute number as 2 and format  as Integer (Decimal) and finally enter the vlan id as the Attribute value.

 

 

The server side configuration is done.

 Now we should configure the server group to assign the return attribute ,

 

 

Another way is, map a VLAN to the user role and configure the IAS to return the role name 

 

How to map a VLAN to a Role:

 

 

Hope got more clarity,

 

Please feel free for any further help on this,

 

Have fun with Aruba :)

 

Thanks

 

i explain better :

 

In my environment i have different type of client, with different privilege on network, this type of client reside on  many different campus (different ap group), i have many vlan pool for each campus. The radius should return the value of vlan pool not the vlan. With the configuration shown i understand that is not very flexible...

For example on cisco wlc i only enable a flag to allow aaa override.

The raiuds server sent back to controller the vlan pool, and is not flexible configure a static vlan.

Hi Friend,

 

Aruba supports this feature,

 

You can return the VLAN name through RADIUS attribute and you can have a VLAN pool with that name in the controller.

 

for your ref :

 

I just configured an attribute to return value test.

 

I have configured the server group to assign a VLAN pool ( test ).

 

A VLAN pool with VLANs 11 and 20 :

An user got VLAN assignment through RADIUS .

 

 

Hope it is prooved :)

 

Please feel free for any further help on this.

Ok, i must create a rule for each vlan pool ?? is not flexible..

Hi friend ,

 

 

Yes, we have to create policy for each user group.

 

Can you share your requirement so that I can give a best solution  . I believe Aruba as flexible as other vendors in the market.

 

 

Spillo4000,

 

Let's understand what you are trying to do:

 

1. - You have users that are authenticating via 802.1x

2. - You want them placed in a different VLAN or VLAN pool depending on what controller they are connected to?

 

If you only want to do those two things above, you would only need to:

- Create a VLAN Name or pool on the master controller (http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Network_Parameters/Configuring_VLANs.htm)

- Assign that VLAN name to your Virtual AP instead of a VLAN number

- Define the value of that VLAN name/pool on each controller; the VLAN name assigned to each Virtual AP is global, but the VLAN numbers assigned to each name is local for each controller

 

You would be able to do it above without returning a radius attribute.

 

If the above is not what you want, please tell us in detail how it is accomplished with the combination of Cisco and IAS and we can give you the Aruba equivalent.

 

 

 

each rule for each vlan pool, is tedious..

Spillo4000,

 

If you have more than one pool, how do you indicate what user gets into what pool if you don't have rules?  What decides who gets what pool?  A rule has to be involved...

 

 

 

The user group mapped to a vlan pool name is configured on radius, i repeat for example on cisco wlc the vlan pool name must match from radius to controller, on controller i put only a flag to trust the vlan pool name send from radius. On aruba as well as configure radius i must create one server rule for every vlan pool, i understand correctly ? for this on my opinion it seems to be tedius.

 

 

on  my server group i must create many server rule, one for each vlan pool.

---

@Spillo4000 wrote:

on  my server group i must create many server rule, one for each vlan pool.

---

You do not have to create any server rules on the server.  You just have to return the "Aruba-Named-User-Vlan"  VSA with the name of the pool from the radius server.  The client will automatically be placed into the named VLAN/Pool.  Aruba Radius VSAs override any rules in a server group and they make server group rules unnecessary.  As long on the radius server side you are sending back the "Aruba-Named-User-Vlan" attribute with the name of the pool, the client will be placed into that pool without creating rules on the Aruba controller side:

 

http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/AAA_Servers/Configuring_Servers.htm

 

 

 

Aruba-Named-User-Vlan             9      String       Aruba      14823

 

OK

thank you and accept the solution.