Wireless Access

I am trying to set up zero touch provisioning for RAPs using FreeRADIUS.  I know it is possible using CPPM, but am trying to understand the bits required to get it working with a generic RADIUS product instead. I found this link, but it only discusses CPPM.

We plan on updating Activate by assigning the RAP a folder with a provisioning rule setting the controller's IP address.  Additionally, we will need to add an entry to our RADIUS server's database giving the RAP's MAC address, a hostname and AP group.  (This would normally be done by setting up the context server config on CPPM to update its endpoint db via activate).

We have a basic RADIUS authentication working with FreeRADIUS, but it does not send back the AP's name or group, only an ACCEPT allowing the RAP to authenticate to the controller.  Our staff must manually provision those details on the controller during initial deployment.

The part I need confirmation on is what the RADIUS server needs for the device and what/how to send it back to the controller.  I believe that the RADIUS server will just need the VSAs "Aruba-Location-Id" (AP Name) and "Aruba-AP-Group" (AP Group), and it would include those in the ACCEPT response back to the controller.

Has anyone had experience with this, or has any knowledge on what CPPM sends back to the controller to successfully authenticate the RAP?

I just checked on a ClearPass, and these are the attributes returned on a RAP whitelist RADIUS request:

Do you have an Aruba VSA dictionary? If not, these are the two used VSAs:

Aruba VSA vendor: 14823

Attribute Aruba-AP-Group Attribute-id: 10 Type: String

Attribute Aruba-Location-Id Attribute-id: 6 Type: String

Does this help you to get started?

Great, that's what I was hoping for, Thanks.  I will give it a go.