Wireless Access

New Contributor

User Vlan Assignment

We have an Aruba controller that we need to integrate with a RADIUS server for dot1x authentication and user VLAN assignment. The RADIUS server was configured to send MSFT attributes, but the Tunnel-Private-Group-Id value is different from the desired VLAN for Aruba users (it's intended for other devices to use), so we decided to use the VSA (Aruba-User-Vlan) and configured the RADIUS server to do so. Our problem is that when the controller sees both MSFT and VSA, it always uses the MSFT value for the users' VLAN. So what is the priority that the controller uses in assigning VLANs to users, and is there a higher-priority attribute other than MSFT that we can use?

Guru Elite

Re: User Vlan Assignment

You should only have one set of attributes.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: User Vlan Assignment

The AAA servers we have are already using MSFT attributes, as I mentioned. Is there a way we can make the controller ignore the received MSFT attributes, or use any method of higher precedence over it?

Super Contributor I

Re: User Vlan Assignment


In the user guide, if you consult the "VLAN Derivation Priorities for VLAN types" table you'll see that the only thing that can override Tunnel-Group-Id is DHCP option rules. That is of course a dicey proposition, as it involves clients interacting with a DHCP server from a VLAN which will be immediately yanked out from under them during the DHCP negotiation.


(The manual actually contradicts itself above this chart by saying that Aruba-User-VLAN overrides everything else.)


Your RADIUS server is deficient if it cannot be configured to adjust or omit the Tunnel-Group-Id based on criteria that identify the Aruba controller NAS. I wouldn't bet on it, but you might be able to play some tricks with using VLAN names instead of numbers in this field; I haven't tried that and it may involve adjusting the other NAS that are sharing this RADIUS server. Your best (and least hinky) option might be to fire up a FreeRADIUS instance, define your central RADIUS server as a home server, point the controllers at FreeRADIUS, and massage the response in the post-proxy or post-auth section before it gets back to the controllers.
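As an added illustration of the FreeRADIUS proxy approach described in the reply above (this is not configuration from the original thread; the server address, shared secret and realm name are placeholders, and the controllers are assumed to already be listed in clients.conf):

```unlang
# /etc/raddb/proxy.conf (FreeRADIUS 3.x): forward every request from the
# controllers to the existing central RADIUS server.
home_server central_radius {
    type   = auth
    ipaddr = 192.0.2.10      # placeholder: the central RADIUS server
    port   = 1812
    secret = REPLACE_ME      # placeholder: shared secret with that server
}
home_server_pool central_pool {
    type        = fail-over
    home_server = central_radius
}
realm central {
    auth_pool = central_pool
    nostrip                  # pass the User-Name through unchanged
}

# /etc/raddb/sites-enabled/default
authorize {
    # Mark the request for proxying before the eap module runs, so the
    # EAP conversation is carried end-to-end to the central server.
    update control {
        &Proxy-To-Realm := "central"
    }
    # ... remaining authorize modules ...
}

post-proxy {
    # The central server's Access-Accept is in the proxy-reply list here,
    # before it is copied into the reply sent back to the controller.
    # When it carries Aruba-User-Vlan, strip the MSFT tunnel attributes
    # so the controller no longer sees a competing Tunnel-Private-Group-Id.
    if (&proxy-reply:Aruba-User-Vlan) {
        update proxy-reply {
            &Tunnel-Type             !* ANY
            &Tunnel-Medium-Type      !* ANY
            &Tunnel-Private-Group-Id !* ANY
        }
    }
}
```

Run `radiusd -X` while a test client authenticates to confirm the three tunnel attributes are gone from the Access-Accept and that Aruba-User-Vlan (from the stock dictionary.aruba) survives.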

