Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Simple vlan assignment using mac address

  • 1.  Simple vlan assignment using mac address

    Posted Jan 22, 2023 07:26 AM
    Hi there,

    I have an iap-205 (soon to be more, but I focus on one for the moment).

    I am trying to get my devices into several vlans, using a single SSID, in the simplest way possible. I have some devices that can't do 802.1x so I'd prefer not to use it, sticking to WPA-PSK.

    The GUI suggests you can simply match "mac address" for vlan assignment. It just doesn't work. I get the feeling it's not implemented this way, but I need to know for sure.

    What's the simplest alternative? Using the internal RADIUS server and making it use the MAC address?


  • 2.  RE: Simple vlan assignment using mac address

    EMPLOYEE
    Posted Jan 22, 2023 04:07 PM
    You can assign different roles based on MAC addresses for a PSK-based SSID.


     


    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Simple vlan assignment using mac address

    Posted Jan 23, 2023 09:49 AM
    It looks to me like your example is not exactly what I am after - matching on MAC address, but I guess you're saying I'll have to use roles for this to work. It's cumbersome, but I will try.

    I am asking this because I am using a lot of simple microcontrollers that need to associate. In theory they'd be able to do WPA-enterprise too, but I fear that will take too much memory, so I think this will have to go on a WPA-personal SSID. As I'd like to have a minimum of SSIDs, I want other devices to use it too, so I guess the only way to differentiate would be the MAC address.

    I am already using a RADIUS server for another SSID (which is WPA-enterprise). If there is a way to connect the RADIUS server to the WPA-personal SSID, I could probably solve this by having the RADIUS server look at the MAC address, but I don't think Aruba InstantOS supports using a RADIUS server on a WPA-personal SSID, right?


  • 4.  RE: Simple vlan assignment using mac address

    EMPLOYEE
    Posted Jan 23, 2023 04:56 PM
    Yes, generally I believe PSK-based SSIDs don't support RADIUS authentication.
    I have tried it with user role and PSK, and you can easily put them in different user roles. The benefit of this approach is that you can add other access policies to it. But if you want a simpler approach, then you can add it at the VLAN tab of the WLAN configuration, as shown here.






  • 5.  RE: Simple vlan assignment using mac address

    Posted Jan 24, 2023 09:55 AM
    Thx. Actually I tried this and it didn't work, client was always assigned to the default vlan. Maybe I am doing it wrong somehow.


  • 6.  RE: Simple vlan assignment using mac address

    EMPLOYEE
    Posted Jan 24, 2023 04:58 PM
    What was the exact string you were trying to match?




  • 7.  RE: Simple vlan assignment using mac address

    Posted Jan 27, 2023 04:50 AM
    Not exactly an answer but this may be interesting for future google'ers.

    It may be possible to use mac authentication with the internal (role based) authenticator, but I decided to try something else and it works!

    I configured an SSID of type "wpa personal" (so no user names used, nor certificates...) and checked the box "mac authentication". I was expecting, like I've seen on several other APs for personal/small business use, a box to appear where you can configure MAC addresses to be allowed.

    Instead, you get the same options as when using WPA enterprise, where you can select internal or external RADIUS server. I selected my already working RADIUS server and watched what happened. Apparently the MAC address is sent to RADIUS in several TLVs, for instance "Calling-Station-Id" and "User-Name". It's also in the "User-Password" TLV. I made a very simple entry in the RADIUS server where username = password = MAC address (without delimiter), assigned a VLAN tag ID, and it works!

    I am considering this for all my SSIDs because strictly I don't need "enterprise" (username, certificates etc.). I just want different clients to end up in different VLANs and this is exactly what it does!
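
The RADIUS entries described in post 7 (username = password = MAC without delimiter, plus a VLAN ID), generated from a device list; this is an added example, not code from the thread or from Aruba. It assumes a FreeRADIUS-style users file, lowercase MACs, and the standard RFC 3580 tunnel attributes for the VLAN; the thread names neither the server nor the attributes, and the inventory is constructed sample data.

```python
import re

# Constructed sample inventory (not from the thread): MAC in any notation -> VLAN ID.
SAMPLE_INVENTORY = {
    "AA:BB:CC:00:11:22": 20,
    "aa-bb-cc-00-11-33": 30,
    "aabb.cc00.1144": 30,
}

def normalize_mac(mac):
    """Return the MAC as 12 hex digits without delimiters (lowercase is an assumption)."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def users_entry(mac, vlan):
    """One users-file stanza: username = password = MAC, reply = RFC 3580 VLAN attributes."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    user = normalize_mac(mac)
    return (
        f'{user} Cleartext-Password := "{user}"\n'
        f"\tTunnel-Type = VLAN,\n"
        f"\tTunnel-Medium-Type = IEEE-802,\n"
        f'\tTunnel-Private-Group-Id = "{vlan}"\n'
    )

def build_users_file(inventory):
    """Render all stanzas; reject a MAC listed twice under different notations."""
    seen = set()
    stanzas = []
    for mac, vlan in inventory.items():
        user = normalize_mac(mac)
        if user in seen:
            raise ValueError(f"duplicate MAC after normalization: {mac!r}")
        seen.add(user)
        stanzas.append(users_entry(mac, vlan))
    return "\n".join(stanzas)

if __name__ == "__main__":
    print(build_users_file(SAMPLE_INVENTORY))
```

Check one Access-Request from the AP to confirm the case and delimiter it actually sends before relying on the lowercase form. Because username and password are both the MAC, the PSK stays the only secret in this setup; the RADIUS entry selects the VLAN and does not authenticate the device.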


  • 8.  RE: Simple vlan assignment using mac address

    EMPLOYEE
    Posted Jan 30, 2023 08:41 PM
    In my experience the operator for this VLAN assignment rule needs to be starts-with, rather than contains.

    There is a limit of 50 rules per SSID, though, I believe. So if you had a very large number of MAC addresses then this really does require an external RADIUS server using MAC-auth as you have suggested @Erik Slagter.


  • 9.  RE: Simple vlan assignment using mac address

    Posted Feb 03, 2023 12:11 PM
    It's not a "very large number" but I find configuring the Radius server easier than the InstantOS web UI. It's just a file I can edit using VI.