Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
  • 1.  User Roles

    Posted Jul 10, 2014 03:04 AM

    I'm trying to achieve dot1x authentication where the RADIUS server returns private-group-id, which determines the role of the client. I wrote a Server-Derivation Rule for that. But the issue is, how do I configure it on the AP configuration side? I created AAA profiles for each VLAN.

    I want a single SSID and a single AP group. The VAP profile of the SSID will include all the VLANs. But how can I associate all of the user roles with one SSID profile in one AP group? Is such a thing possible or necessary? Any help will be appreciated!

     



  • 2.  RE: User Roles
    Best Answer

    EMPLOYEE
    Posted Jul 10, 2014 03:31 AM

    Try to use the attribute FilterID instead.

     

    I think private-group-id attribute needs to be used in conjunction with a couple of others to work properly.



  • 3.  RE: User Roles

    Posted Jul 10, 2014 03:42 AM

    Right now my friend who can configure RADIUS is not available. After I created the post I monitored the traffic between the controller and RADIUS. The Radius-Access-Accept message contains the user-name credential. I changed the attribute to user-name and the magic worked! I see that private-group-id is not working properly. I will investigate how I can use it in the future :). And I will try the FilterID later.

     

    Is there a maximum limit on the number of server-derivation rules?



  • 4.  RE: User Roles
    Best Answer

    EMPLOYEE
    Posted Jul 10, 2014 03:53 AM

    The private-group-id is used for VLAN derivation.

     

    http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Network_Parameters/About_VLAN_Assignments.htm#network_parameters_2319977163_1017188

     

    I don't know if there is a limit on the number of server rules you can have, but I wouldn't want it to be too large.

     

     



  • 5.  RE: User Roles

    Posted Jul 10, 2014 04:42 AM

    Thank you for your answers. It really helped me.



  • 6.  RE: User Roles

    EMPLOYEE
    Posted Jul 10, 2014 04:51 AM

    You're welcome.  Happy to help.

     




  • 7.  RE: User Roles

    MVP
    Posted Jul 10, 2014 04:53 AM

    Try returning the Aruba specific VSA aruba-user-role and you don't even need to configure the server rules.

    When the controller receives the aruba-user-role attribute it automatically puts the user into that role.
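
Added example, not part of the thread: a small Python parser that lists the role- and VLAN-related attributes carried in a RADIUS Access-Accept (User-Name, Filter-Id, the three tunnel attributes RFC 3580 uses for VLAN assignment, and the Aruba-User-Role VSA), which is the check described in post 3. The Aruba vendor ID 14823 and VSA number 1 are assumptions taken from the public Aruba RADIUS dictionary; the helper names and the sample packet are constructed.

```python
# Attribute numbers per RFC 2865/2868. Aruba vendor ID and VSA number are an
# assumption taken from the public Aruba RADIUS dictionary, not from the thread.
USER_NAME, FILTER_ID, VSA = 1, 11, 26
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
ARUBA_VENDOR, ARUBA_USER_ROLE = 14823, 1
NAMES = {USER_NAME: "User-Name", FILTER_ID: "Filter-Id", TUNNEL_TYPE: "Tunnel-Type",
         TUNNEL_MEDIUM: "Tunnel-Medium-Type", TUNNEL_PGID: "Tunnel-Private-Group-ID"}

def tlvs(buf):
    """Yield (type, value) for each type/length/value attribute in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def parse_access_accept(packet):
    """Return the role- and VLAN-related attributes of an Access-Accept."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or packet[0] != 2 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found = {}
    for atype, value in tlvs(packet[20:length]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM):   # 1-byte tag + 3-byte integer
            found[NAMES[atype]] = int.from_bytes(value[1:4], "big")
        elif atype == TUNNEL_PGID:                  # optional leading tag byte
            if value and value[0] <= 0x1F:
                value = value[1:]
            found[NAMES[atype]] = value.decode()
        elif atype in NAMES:
            found[NAMES[atype]] = value.decode()
        elif atype == VSA and int.from_bytes(value[:4], "big") == ARUBA_VENDOR:
            for vtype, vval in tlvs(value[4:]):     # vendor sub-attributes
                if vtype == ARUBA_USER_ROLE:
                    found["Aruba-User-Role"] = vval.decode()
    return found

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def sample_accept():
    """Constructed Access-Accept with a zeroed authenticator (illustration only)."""
    body = (attr(USER_NAME, b"alice") + attr(FILTER_ID, b"staff")
            + attr(TUNNEL_TYPE, b"\x01\x00\x00\x0d") + attr(TUNNEL_MEDIUM, b"\x01\x00\x00\x06")
            + attr(TUNNEL_PGID, b"\x01" + b"120")
            + attr(VSA, ARUBA_VENDOR.to_bytes(4, "big") + attr(ARUBA_USER_ROLE, b"employee")))
    header = bytes([2, 1]) + (20 + len(body)).to_bytes(2, "big") + bytes(16)
    return header + body
```

Pass it the UDP payload of an Access-Accept captured between the controller and the RADIUS server to see which of these attributes the server actually returns.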