Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

new AAA profile

  • 1.  new AAA profile

    Posted Jul 13, 2012 08:51 AM

    Hi,

    Could you help me configure an AAA profile in which the RADIUS server decides the client VLAN based on Active Directory membership?

    Thanks



  • 2.  RE: new AAA profile

    Posted Jul 13, 2012 11:33 AM

    Are you looking for Vendor Specific Attributes?

    VENDOR        Aruba        14823

    ATTRIBUTE     Aruba-User-Role          1    String     Aruba
    ATTRIBUTE     Aruba-User-Vlan          2    Integer    Aruba
    ATTRIBUTE     Aruba-Priv-Admin-User    3    Integer    Aruba
    ATTRIBUTE     Aruba-Admin-Role         4    String     Aruba

    # Added in 2.4.1.0 (June 2005)
    ATTRIBUTE     Aruba-Essid-Name         5    String     Aruba
    ATTRIBUTE     Aruba-Location-Id        6    String     Aruba

    # Added in 2.5.3.0 (July 2006)
    ATTRIBUTE     Aruba-Port-Identifier    7    String     Aruba



  • 3.  RE: new AAA profile

    Posted Jul 13, 2012 05:20 PM

    What is your RADIUS server?    The VLAN decision based upon AD group membership will be done by the RADIUS server.   On the Aruba side, you can configure the server group to take action and assign a VLAN based upon RADIUS attributes returned.   This requires you to set the return attribute on the RADIUS side.   If you are using IAS/NPS you'll need to use a vendor supplied custom attribute (listed below).

    On the Aruba side........For example:

    aaa server-group "radius-group"
      set vlan condition "Aruba-User-Vlan" equals "x" set-value x position 1

    Or (will set the VLAN to whatever the value is, rather than specify individual VLANs):

    aaa server-group "radius-group"
      set vlan condition "Aruba-User-Vlan" value-of position 1

     

     

    Aruba Custom VSAs (for NPS or other RADIUS server that does not have an Aruba RADIUS dictionary).

    Vendor Code - 14823

    Value                     Attribute Number    Type
    Aruba-User-Role           1                   String
    Aruba-User-Vlan           2                   Integer
    Aruba-Priv-Admin-User     3                   Integer
    Aruba-Admin-Role          4                   String
    Aruba-Essid-Name          5                   String
    Aruba-Location-Id         6                   String
    Aruba-Port-Id             7                   String
    Aruba-Template-User       8                   String
    Aruba-Named-User-Vlan     9                   String

    Aruba-Priv-Admin-User        Non-negative value will give root/enable access
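As an added illustration of what the two server-group rule styles above actually do with the returned attribute (this is example code written for this thread, not Aruba or ArubaOS code), the following Python encodes and parses the RFC 2865 Vendor-Specific attribute (type 26) carrying the Aruba VSAs listed in the dictionary (vendor 14823, Aruba-User-Role = 1, Aruba-User-Vlan = 2) and then applies either the "equals x set-value x" style or the "value-of" style to pick a VLAN. The `derive_vlan` function and its `allowed_vlans`/`default_vlan` parameters are this example's own abstraction of the two rule forms, not controller syntax, and the Access-Accept attribute bytes are constructed inline rather than captured from a real server.

```python
import struct

ARUBA_VENDOR_ID = 14823      # Aruba enterprise number, from the dictionary in this thread
ARUBA_USER_ROLE = 1          # Aruba-User-Role (String)
ARUBA_USER_VLAN = 2          # Aruba-User-Vlan (Integer)
RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type


def build_vsa(vendor_id, sub_type, value):
    """Encode one RFC 2865 Vendor-Specific attribute: type 26, length, vendor id,
    then a single vendor sub-attribute (sub-type, sub-length, data)."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    body = struct.pack("!IBB", vendor_id, sub_type, 2 + len(data)) + data
    return bytes([RADIUS_VENDOR_SPECIFIC, 2 + len(body)]) + body


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, payload) pairs, refusing
    malformed lengths instead of reading past the buffer."""
    attrs, i = [], 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute length")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def parse_aruba_vsas(blob):
    """Return {sub_type: value} for every Aruba (14823) VSA in the attribute blob.
    Aruba-User-Vlan is decoded as a 32-bit integer; everything else as a string."""
    found = {}
    for atype, payload in parse_attributes(blob):
        if atype != RADIUS_VENDOR_SPECIFIC or len(payload) < 6:
            continue
        (vendor_id,) = struct.unpack("!I", payload[:4])
        if vendor_id != ARUBA_VENDOR_ID:
            continue  # some other vendor's VSA; not ours to interpret
        j = 4
        while j + 2 <= len(payload):
            sub_type, sub_len = payload[j], payload[j + 1]
            if sub_len < 2 or j + sub_len > len(payload):
                raise ValueError("malformed vendor sub-attribute length")
            data = payload[j + 2:j + sub_len]
            if sub_type == ARUBA_USER_VLAN and len(data) == 4:
                found[sub_type] = struct.unpack("!I", data)[0]
            else:
                found[sub_type] = data.decode(errors="replace")
            j += sub_len
    return found


def derive_vlan(vsas, mode, allowed_vlans=None, default_vlan=None):
    """Hypothetical model of the two rule styles from the thread.
    'equals'   -> one 'equals x set-value x' rule per VLAN in allowed_vlans;
                  any other returned value falls back to default_vlan.
    'value-of' -> assign whatever Aruba-User-Vlan the server returned."""
    vlan = vsas.get(ARUBA_USER_VLAN)
    if mode == "value-of":
        return vlan if vlan is not None else default_vlan
    if mode == "equals":
        return vlan if vlan in (allowed_vlans or set()) else default_vlan
    raise ValueError("unknown rule mode")


if __name__ == "__main__":
    # Constructed Access-Accept attributes: Aruba-User-Vlan 200, Aruba-User-Role "employee"
    accept = build_vsa(ARUBA_VENDOR_ID, ARUBA_USER_VLAN, 200) \
           + build_vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, "employee")
    vsas = parse_aruba_vsas(accept)
    print("parsed VSAs:", vsas)
    print("equals-style VLAN:", derive_vlan(vsas, "equals", {100, 200}, default_vlan=1))
    print("value-of VLAN:", derive_vlan(vsas, "value-of"))
```

The practical difference the model makes visible: the "equals" form only ever lands a client in a VLAN you enumerated in the server group, so a mis-set or unexpected attribute value falls through to the default, whereas "value-of" assigns whatever integer the RADIUS server returns, which puts the whole VLAN policy on the correctness of the server-side rules.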



  • 4.  RE: new AAA profile

    Posted Jul 13, 2012 11:45 PM

    Thanks very much. Suppose the scenario is like this: a single SSID and two categories of users. 1) Domain users whose computers are part of AD; they will use their domain username to connect. The other category is user devices that are not part of AD; they also connect using their AD username, but are forced to a specific VLAN based on the MAC address. Is this possible to do?