Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Help with VLAN Assignments and CPPM/AP Groups...

  • 1.  Help with VLAN Assignments and CPPM/AP Groups...

    Posted Jul 25, 2017 04:33 PM

    Hello, I'm in the process of phasing in Aruba wireless where we used to use Cisco.

    Previously, and in my tests, we've had one AP group per school building and then a dedicated wireless VLAN within that building.

    We've purchased CPPM, and I'm working my way to having only two SSIDs: one secure and one for guest.

    I've figured out how to have different AP groups for the buildings, and how to pass back a VLAN attribute using Enforcement profiles from CPPM, but the thing I'm confused about is how I can pass back a different VLAN depending on what AP group the user is originating from.

    If a user is associated to an AP in the HS AP group, I'd like to pass back VLAN 10.

    If the same user later associates to an AP in the MS AP group, I'd like to instead pass back VLAN 20.

    Is this possible, or should I be doing something different?



  • 2.  RE: Help with VLAN Assignments and CPPM/AP Groups...

    Posted Jul 25, 2017 04:42 PM
    You should be able to accomplish this using either a role mapping or, within the enforcement policy, using the Radius:Aruba > Aruba-AP-Group attribute as a condition to assign the VLAN.


  • 3.  RE: Help with VLAN Assignments and CPPM/AP Groups...

    Posted Jul 25, 2017 10:12 PM

    The RADIUS return from CPPM seems to be working, but I can't pass any traffic. Do I assign multiple VLANs to the SSID on the controller side so that it can be re-used for each AP group? Where does the controller see this RADIUS return and use it?



  • 4.  RE: Help with VLAN Assignments and CPPM/AP Groups...

    Posted Jul 25, 2017 11:28 PM
    Did you define / configure that VLAN in the controller?

    If the VLAN(s) is hosted on your core/distribution switch, make sure that you are trunking that VLAN.


  • 5.  RE: Help with VLAN Assignments and CPPM/AP Groups...

    Posted Jul 26, 2017 05:08 PM

    - In regards to how to pass back a different VLAN depending on what AP group the user is originating from:

    You will have to configure a role, a role mapping, and an enforcement profile and policy (see attachment for pictures).

    1. Create the roles

    Roles: created AP-Group10 Users and AP-Group20 Users (they are only labels you identified)

    2. Role Mappings: created a mapping with 2 conditions that states anyone connected to AP-Group10/20 is assigned to the role AP-Group10 Users / AP-Group20 Users

    3. Create the profiles (the action that assigns the VLAN)

    TEMPLATE: Aruba RADIUS Enforcement

    - I created the first one, then copied it and changed the name and VLAN

    4. Create the enforcement policy

    - Rules that state: for the role AP-Group* Users, do action AP-Group* to VLAN *

    I used the following reference and built on it. Good luck.

    https://community.arubanetworks.com/t5/Security/VLAN-assignment-with-clearpass/td-p/223834


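The four-step flow in the reply above (roles, role mapping on Aruba-AP-Group, enforcement profiles, enforcement policy) can be modelled as a small policy evaluator. The block below is an added example and is not ClearPass code or the poster's configuration: it assumes CPPM's evaluation order (role mapping first, then the enforcement policy matched on the resulting role), uses the thread's group, role and VLAN names, and assumes the enforcement profile returns the Aruba-User-Vlan VSA (vendor 14823) to the controller. The `[Other]` fallback role, the `[Allow Access Profile]` fallback and the `missing_vlans` check are assumptions added to show the failure mode from posts 3 and 4: a returned VLAN the controller does not have configured.

```python
"""Model of the ClearPass role-mapping -> enforcement flow from the thread.

Added example, not ClearPass's own code. Evaluation order assumed:
  1. role-mapping rules inspect request attributes and assign Tips roles
  2. the enforcement policy matches on those roles (first match wins)
  3. the matched profile's RADIUS attributes go back in the Access-Accept
"""
from dataclasses import dataclass

ARUBA_VENDOR_ID = 14823  # Aruba's IANA enterprise number (Radius:Aruba dictionary)
AP_GROUP_ATTR = "Radius:Aruba:Aruba-AP-Group"      # request attribute used as condition
USER_VLAN_ATTR = "Radius:Aruba:Aruba-User-Vlan"    # VSA assumed to carry the VLAN back


@dataclass(frozen=True)
class RoleMappingRule:
    attribute: str   # request attribute to test
    value: str       # value it must equal
    role: str        # Tips role assigned on match


@dataclass(frozen=True)
class EnforcementProfile:
    name: str
    attributes: dict  # RADIUS attributes returned in the Access-Accept


@dataclass(frozen=True)
class EnforcementRule:
    role: str
    profile: EnforcementProfile


# Step 1 + 2 of the reply: roles are just labels; the mapping ties AP group -> role.
ROLE_MAPPING = [
    RoleMappingRule(AP_GROUP_ATTR, "AP-Group10", "AP-Group10 Users"),
    RoleMappingRule(AP_GROUP_ATTR, "AP-Group20", "AP-Group20 Users"),
]
DEFAULT_ROLE = "[Other]"  # assumed: role used when no mapping rule matches

# Step 3: one profile per VLAN (the reply created the first, then copied it).
PROFILE_VLAN10 = EnforcementProfile("AP-Group10 to VLAN 10", {USER_VLAN_ATTR: "10"})
PROFILE_VLAN20 = EnforcementProfile("AP-Group20 to VLAN 20", {USER_VLAN_ATTR: "20"})

# Step 4: enforcement policy, evaluated top to bottom.
ENFORCEMENT_POLICY = [
    EnforcementRule("AP-Group10 Users", PROFILE_VLAN10),
    EnforcementRule("AP-Group20 Users", PROFILE_VLAN20),
]
DEFAULT_PROFILE = EnforcementProfile("[Allow Access Profile]", {})  # assumed fallback


def map_roles(request: dict) -> set:
    """Role-mapping policy: every rule whose condition holds adds its role."""
    roles = {r.role for r in ROLE_MAPPING if request.get(r.attribute) == r.value}
    return roles or {DEFAULT_ROLE}


def enforce(roles: set) -> EnforcementProfile:
    """Enforcement policy: first rule whose role the client holds wins."""
    for rule in ENFORCEMENT_POLICY:
        if rule.role in roles:
            return rule.profile
    return DEFAULT_PROFILE


def evaluate(request: dict):
    """Return (roles, profile name, returned RADIUS attributes) for one request."""
    roles = map_roles(request)
    profile = enforce(roles)
    return roles, profile.name, profile.attributes


def assigned_vlan(request: dict):
    """The VLAN the controller will receive, or None if no profile sets one."""
    return evaluate(request)[2].get(USER_VLAN_ATTR)


def missing_vlans(controller_vlans: set) -> set:
    """VLANs any profile can return that the controller does not have configured.
    A VLAN returned here is the post-3/post-4 symptom: auth succeeds, no traffic."""
    returned = {r.profile.attributes[USER_VLAN_ATTR]
                for r in ENFORCEMENT_POLICY if USER_VLAN_ATTR in r.profile.attributes}
    return returned - {str(v) for v in controller_vlans}


if __name__ == "__main__":
    # Constructed requests: the same user seen from two AP groups, then an unmapped one.
    for group in ("AP-Group10", "AP-Group20", "Library"):
        req = {"Radius:IETF:User-Name": "jdoe", AP_GROUP_ATTR: group}
        print(group, "->", evaluate(req))
    print("not on controller:", missing_vlans({1, 10}))
```

Running the block shows the same `jdoe` landing in VLAN 10 from AP-Group10 and VLAN 20 from AP-Group20, while an AP group with no mapping rule falls through to the default role and gets no VLAN override. `missing_vlans` is the check to run before rollout: each VLAN a profile can return must exist on the controller and be trunked from the core, otherwise the Access-Accept is fine but the client passes no traffic.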

  • 6.  RE: Help with VLAN Assignments and CPPM/AP Groups...

    Posted Jul 31, 2017 12:53 AM

    I'm assuming you're wanting to connect the APs in tunnel mode, correct, not trying to convert your wireless from an older system which used local VLANs from the switch where the access point is plugged into? Is this the reason why you are trying to direct users to a VLAN by location? I could see your thinking this where a user connected to an AP gets bridged to the local switch the AP is connected to. Aruba can do that, called bridge mode, but you lose a lot of functionality; I don't think you can do role changes in bridge mode, if that's what you're trying to do. We run 2 VLANs per controller: 1 for the secure network (/18), 1 for guest traffic (/18). It's the same 2 VLAN numbers for each controller; we terminate that VLAN on the layer 3 router connected to each controller. That way, if we lose a controller, the AP backup LMS directs the AP to connect to a different controller; because the same VLAN number is configured, the users will have to get a new IP address subnet, but they reconnect.