Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VLAN mapping through NPS

  • 1.  VLAN mapping through NPS

    Posted Jan 14, 2013 06:06 AM

    I just started my job in this position and am pretty much a newbie to Aruba devices. Now we are rolling out nearly 300 mobile devices, so a few more APs (AP-135) have been added to the network, and the AOS has been upgraded to 6.1.0.0. Now I'm having problems with VLAN mapping through NPS (Windows 2008 R2 Enterprise).

     

    Before my actual questions, I'll start with the big picture of our site. Within the network there are two IP ranges (student: 10.1.0.0/22 and staff: 10.2.0.0/23); the routing is done by a Cisco router. A 3400 MC and a few 105 and 65 APs are connected to the switches through ports in the staff VLAN. NPS has been set up to allow users/computers from the wirelessuser/wirelesscomputer groups to access the WLAN; the authentication is PEAP + MSCHAPv2, with "validate server certificate" enabled.

     

    My plan is to have one SSID and map the users into two groups/VLANs (students and staff). I have tried this on NPS by creating a new policy with a Vendor Specific Attribute, which is then used for grouping/VLAN mapping. However, while the staff user is working fine, the student user won't go further after authentication (after accepting the Aruba secure login cert, actually); it just keeps waiting for the IP settings.

     

    Also, the connection to the controller gets cut off and all the WLANs vanish every time I try to create another VLAN by entering "vlan 2", and I have to restart the controller. But when I enter "vlan 3" or "vlan 4" it's just fine. The settings for the physical ports look weird too: "switchport access vlan 2" is there, and when I tried to enter "no switchport access vlan 2" I got an error indicating VLAN 2 does not exist :(

     

    I would deeply appreciate it if you guys could provide some hints on these odd things. I'll upload the whole config later. Cheers.




  • 2.  RE: VLAN mapping through NPS

    Posted Jan 14, 2013 06:25 PM

    Any hints? Please.



  • 3.  RE: VLAN mapping through NPS

    Posted Jan 15, 2013 04:00 AM

    I would suggest you upgrade to the latest 6.1.3.x firmware and check whether you are experiencing the same. If so, then you should contact support, because it is not normal.

     

    Regarding the role derivation, you may try enabling the logging and check whether you see the derivation happen in the correct way. You can configure it in the CLI: config level debugging.

    You can check the logs with "show log ..."
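
    A concrete way to do the check suggested above, as an added example and not part of the original reply. The commands are ArubaOS 6.x CLI; the client IP 10.1.0.50 and the MAC address are placeholders for whatever your test client is using.

```text
! Raise the "user" log category (authentication and role derivation) to debug level.
logging level debugging user

! Now authenticate the student client over the SSID, then inspect:

! Last 50 lines of the user category: look for the RADIUS attributes that came
! back (Filter-Id / Vendor-Specific) and the role the derivation picked.
show log user 50

! Per-client 802.1X / RADIUS exchange (EAP start, Access-Request, Access-Accept).
show auth-tracebuf

! Role and VLAN the controller actually put the client in.
show user-table

! For one client (placeholder IP 10.1.0.50): which rule or attribute set the role.
show aaa state user 10.1.0.50

! Confirm the VLAN the role points at really exists on the controller and has
! a port or trunk membership; a role that maps to a VLAN with no members leaves
! the client stuck waiting for DHCP.
show vlan
show vlan status
```

    The log is what tells you whether the problem is the derivation (wrong role chosen) or the data path (right role, but its VLAN has no way to reach a DHCP server). Return the category to its normal level afterwards (`logging level warnings user`) so the controller does not keep writing debug output.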

     



  • 4.  RE: VLAN mapping through NPS

    Posted Jan 15, 2013 11:42 PM

    Thanks zshusveti. We used to run a 5.x version; when the guy before me tried to upgrade it to the latest one it just wouldn't work, as the upgrade process never completed properly (this is what the guy told me), so he just put 6.1 there.



  • 5.  RE: VLAN mapping through NPS

    Posted Jan 15, 2013 04:09 AM

    This is how I would approach those conditions:

    - Create 2 VLANs, one for each user group

    - Create a DHCP pool, or let the internal network do the DHCP pool

    - On the controller, set the port as trunk, with native VLAN and allowed VLANs (if using external DHCP)

    - On the controller, just set the port as access and enable source NAT for those VLANs/IPs (if using internal DHCP)

    - Create a user role (for staff) and define the VLAN ID that will be used for this role

    - Create or define the RADIUS server that will be used: internal DB or AD

    - For internal, create the users inside the database with the role as defined before.

    - For external, define the attribute to use for user derivation (Filter-Id, or others)

     

    For internal:

    - Create an AP group with 802.1X auth (username and password)

    - Assign the internal DB

    - Assign the default VLAN on this AP group to the student VLAN

    - Set the default role (set a different role; try using guest)

    - Staff will be assigned a different VLAN automatically, as stated in their role.

     

    For External:

    - Create an AP group with 802.1X auth (username and password)

    - Set and assign the RADIUS server

    - On the RADIUS server, create server rules with the attributes stated in the DB

    - Assign the default VLAN for this AP group to the student VLAN

    - Set the default role (set a different role; try using guest)

    - Staff will be assigned a different VLAN automatically.

     

    Hope you can get what I mean.

     

     

    Good luck!
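
    The "external" procedure above, written out as an ArubaOS 6.x configuration. This is an added example, not the poster's own config or anything attached to the thread. Everything specific in it is assumed: VLAN 10 for students and VLAN 20 for staff (rather than VLAN 2, which the original poster reports cannot be created on their controller), port gigabitethernet 1/0 as the uplink trunk, an NPS server at 10.2.0.10 with a placeholder shared secret, and the Filter-Id strings "student" and "staff" returned by the NPS network policies. If NPS returns the Aruba VSA (vendor 14823, attribute 1, Aruba-User-Role) instead of Filter-Id, the controller applies the named role directly and the two `set role` rules are not needed.

```text
! --- VLANs the two roles will land in (assumed IDs) -------------------------
vlan 10
vlan 20

! --- Uplink to the Cisco router: trunk carrying both VLANs ------------------
! DHCP lives on the wired side, so the controller only bridges; a user VLAN that
! is missing from "allowed vlan" is exactly the "waiting for IP" symptom.
interface gigabitethernet 1/0
  description uplink-to-core
  switchport mode trunk
  switchport trunk native vlan 1
  switchport trunk allowed vlan 1,10,20
  no shutdown

! --- User roles: the VLAN is a property of the role --------------------------
user-role student
  vlan 10
  session-acl allowall
user-role staff
  vlan 20
  session-acl allowall

! --- RADIUS server (NPS on Windows 2008 R2, assumed address and secret) ------
aaa authentication-server radius nps01
  host 10.2.0.10
  key CHANGE-ME-shared-secret
  enable

! --- Server group with role derivation on Filter-Id --------------------------
! NPS network policy "students": Settings > RADIUS Attributes > Standard >
!   Filter-Id = "student"; policy "staff": Filter-Id = "staff".
aaa server-group nps-group
  auth-server nps01
  set role condition Filter-Id equals "student" set-value student
  set role condition Filter-Id equals "staff" set-value staff

! --- 802.1X profile and AAA profile ------------------------------------------
aaa authentication dot1x dot1x-prof
aaa profile corp-aaa
  authentication-dot1x dot1x-prof
  dot1x-server-group nps-group
  dot1x-default-role guest

! --- One SSID, WPA2-Enterprise ----------------------------------------------
wlan ssid-profile corp-ssid
  essid "Corp"
  opmode wpa2-aes

! --- Virtual AP: default VLAN is the student VLAN; staff role overrides it ---
wlan virtual-ap corp-vap
  ssid-profile corp-ssid
  aaa-profile corp-aaa
  vlan 10

ap-group campus
  virtual-ap corp-vap
```

    The ordering matters for a reader new to the platform: the VLAN assignment comes from the role, the role comes from the server-group derivation rule (or the VSA), and the virtual AP's `vlan` is only the fallback for users whose Access-Accept carries no matching attribute. Clients that authenticate but never get an address almost always point at the role's VLAN having no member port or trunk, which is worth checking with `show vlan` before touching NPS.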



  • 6.  RE: VLAN mapping through NPS

    Posted Jan 15, 2013 04:14 AM

    Forgot to attach the picture related to it.



  • 7.  RE: VLAN mapping through NPS

    Posted Jan 15, 2013 11:38 PM

    Thanks slickers, I'll give it a try.