Get the Reddit app
A place to discuss HPE Aruba Networking technology and solutions.
Looking for info on Dynamic VLAN Assignment
Currently have 2 ubiquity AC-Pro but am looking to move out of the ubiquity brand. I'm looking for indoor and outdoor APs that can be managed and can support VLAN Steering or Dynamic VLAN Assignment for user whether they are outdoors or not without more equipment (other than the APs). Aruba Instant On seems to have a method of dynamically assigning VLANs using the APs themselves without the need of a controller. If I were to use AP22 and AP17, could I get this to work or is there more I will need to setup in order to get this working?
Btw I have a cisco rv340 router connected to a cisco 3750x that supports PoE.
Just checking to see if anyone can provide more info on the subject before I make a move to Aruba. Thanks!
By continuing, you agree to our User Agreement and acknowledge that you understand the Privacy Policy .
Enter the 6-digit code from your authenticator app
You’ve set up two-factor authentication for this account.
Enter a 6-digit backup code
Create your username and password.
Reddit is anonymous, so your username is what you’ll go by here. Choose wisely—because once you get a name, you can’t change it.
Reset your password
Enter your email address or username and we’ll send you a link to reset your password
Check your inbox
An email with a link to reset your password was sent to the email address associated with your account
Choose a Reddit account to continue
- Communities
- Community Home
- Topic Thread
Instant On - Wired
- Discussion 1.7K
- Members 678
802.1X Authentication and Dynamic VLAN Assignment with Aruba 1960 switch
Pr49 06-02-2023 01:13 pm, [email protected] 06-19-2024 12:25 pm.
[email protected] 06-24-2024 04:00 AM
1. 802.1x authentication and dynamic vlan assignment with aruba 1960 switch.
I'm testing with Radius authentication (NPS server + AD) and dynamic VLAN assignment for a wired network. User authentication has so far failed on my client machine. I double-checked, and the user credentials are correct. My switch's VLAN settings are provided below. Can somebody assist me if I missed something or if the configurations need to be corrected?
> VLAN Created VLAN 20 and 30
> VLAN interface configuration Tagged VLANs: 20,30 Untagged VLAN: 1
> Radius configuration Enabled "802.1x authentication mode" Enabled "802.1x accounting mode"
Radius Server IP: 192.168.1.10 Authentication port: 1812 Accounting port: 1813 Server priority: 1 Secret: ########
> Port access control: Enabled "Admin mode"
> Port configuration (interfaces) Control mode: Auto Enabled "VLAN assignment"
PS: This is not a MAC-based authentication.
2. RE: 802.1X Authentication and Dynamic VLAN Assignment with Aruba 1960 switch
Hi, do you have a solution for this topic
3. RE: 802.1X Authentication and Dynamic VLAN Assignment with Aruba 1960 switch
Yes, I have found a solution for this issue. Working with Clearpass I have added a radius attribute in the reply: Avenda-Tag-Id (1) = 0.
So the total response in the profile to allow access and put the port in VLAN 10 for example is:
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = "10"
Avenda-Tag-Id (1) = 0
You can of course add other attributes like timeout etc.
The same answer in a similar thread: https://community.arubainstanton.com/discussion/aruba-instant-on-1960-8021x-radius-clearpass-port-access-control.
If you have any questions, just let me know.
------------------------------ Peter Neyt ------------------------------ Original Message Original Message: Sent: 06-13-2024 06:25 AM From: [email protected] Subject: 802.1X Authentication and Dynamic VLAN Assignment with Aruba 1960 switch
New Best Answer
- Privacy policy
- Terms of service
Log in to ask questions, share your expertise, or stay connected to content. Don’t have a login? Join now.
- Community Home
- Topic Thread
Wireless Access
- Discussion 121K
- Library 3.2K
- Members 3.1K
Dynamic vlan assignment with radius and Aruba Controller
1. dynamic vlan assignment with radius and aruba controller.
I would like to configure and understand how to dynamically assign vlan on one ssid by radius attribute ? With other vendor this is more easy. My environment is formed by 7240 controller and access point 135 .
Who can help me ? i don' t find a document that describe this solution.
2. RE: Dynamic vlan assignment with radius and Aruba Controller
3. RE: Dynamic vlan assignment with radius and Aruba Controller
MICROSOFT IAS
4. RE: Dynamic vlan assignment with radius and Aruba Controller
5. re: dynamic vlan assignment with radius and aruba controller.
Another way you can do this that you assign different role using that same logic I mentioned and then assign the VLAN to the role
6. RE: Dynamic vlan assignment with radius and Aruba Controller
see also Aruba-User-Vlan VSA as mentioned here by clembo
http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Assigning-users-different-vlan-subnet-based-on-AD-group/m-p/61082/highlight/true#M2011
7. RE: Dynamic vlan assignment with radius and Aruba Controller
Adding to the reply by Victor here are steps to configure the RAS policy for dynamic VLAN assignment.
Select New policy and give a name ( DemoPolicy)
Select Wireless :
Select the user group to map this policy (Manager is a group)
Select Grant RAS and click on Edit profile
Select Advanced Tab and select Add
Select Attribute name as either Filterid or "Vendor specific". to make your life simple select "Vendor Specific" and click on Add.
Select option, "Enter Vendor-code" the value for Aruba is 14823
Select option "It Confirms" and select "Configure Attributes"
Select the appropriate value and type as shown bellow.
Here for returning VLAN id we should select attribute number as 2 and format as Integer (Decimal) and finally enter the vlan id as the Attribute value.
The server side configuration is done.
Now we should configure the server group to assign the return attribute ,
Another way is, map a VLAN to the user role and configure the IAS to return the role name
How to map a VLAN to a Role:
Hope got more clarity,
Please feel free for any further help on this,
Have fun with Aruba :)
8. RE: Dynamic vlan assignment with radius and Aruba Controller
i explain better :
In my environment i have different type of client, with different privilege on network, this type of client reside on many different campus (different ap group), i have many vlan pool for each campus. The radius should return the value of vlan pool not the vlan. With the configuration shown i understand that is not very flexible...
For example on cisco wlc i only enable a flag to allow aaa override.
9. RE: Dynamic vlan assignment with radius and Aruba Controller
The raiuds server sent back to controller the vlan pool, and is not flexible configure a static vlan.
10. RE: Dynamic vlan assignment with radius and Aruba Controller
Aruba supports this feature,
You can return the VLAN name through RADIUS attribute and you can have a VLAN pool with that name in the controller.
for your ref :
I just configured an attribute to return value test.
I have configured the server group to assign a VLAN pool ( test ).
A VLAN pool with VLANs 11 and 20 :
An user got VLAN assignment through RADIUS .
Hope it is prooved :)
Please feel free for any further help on this.
11. RE: Dynamic vlan assignment with radius and Aruba Controller
Ok, i must create a rule for each vlan pool ?? is not flexible..
12. RE: Dynamic vlan assignment with radius and Aruba Controller
Hi friend ,
Yes, we have to create policy for each user group.
Can you share your requirement so that I can give a best solution . I believe Aruba as flexible as other vendors in the market.
13. RE: Dynamic vlan assignment with radius and Aruba Controller Best Answer
Spillo4000,
Let's understand what you are trying to do:
1. - You have users that are authenticating via 802.1x
2. - You want them placed in a different VLAN or VLAN pool depending on what controller they are connected to?
If you only want to do those two things above, you would only need to:
- Create a VLAN Name or pool on the master controller ( http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Network_Parameters/Configuring_VLANs.htm)
- Assign that VLAN name to your Virtual AP instead of a VLAN number
- Define the value of that VLAN name/pool on each controller; the VLAN name assigned to each Virtual AP is global, but the VLAN numbers assigned to each name is local for each controller
You would be able to do it above without returning a radius attribute.
If the above is not what you want, please tell us in detail how it is accomplished with the combination of Cisco and IAS and we can give you the Aruba equivalent.
14. RE: Dynamic vlan assignment with radius and Aruba Controller
each rule for each vlan pool, is tedious..
15. RE: Dynamic vlan assignment with radius and Aruba Controller
If you have more than one pool, how do you indicate what user gets into what pool if you don't have rules? What decides who gets what pool? A rule has to be involved...
16. RE: Dynamic vlan assignment with radius and Aruba Controller
The user group mapped to a vlan pool name is configured on radius, i repeat for example on cisco wlc the vlan pool name must match from radius to controller, on controller i put only a flag to trust the vlan pool name send from radius. On aruba as well as configure radius i must create one server rule for every vlan pool, i understand correctly ? for this on my opinion it seems to be tedius.
17. RE: Dynamic vlan assignment with radius and Aruba Controller
on my server group i must create many server rule, one for each vlan pool.
18. RE: Dynamic vlan assignment with radius and Aruba Controller Best Answer
@Spillo4000 wrote: on my server group i must create many server rule, one for each vlan pool.
You do not have to create any server rules on the server. You just have to return the "Aruba-Named-User-Vlan" VSA with the name of the pool from the radius server. The client will automatically be placed into the named VLAN/Pool. Aruba Radius VSAs override any rules in a server group and they make server group rules unnecessary. As long on the radius server side you are sending back the "Aruba-Named-User-Vlan" attribute with the name of the pool, the client will be placed into that pool without creating rules on the Aruba controller side:
http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/AAA_Servers/Configuring_Servers.htm
19. RE: Dynamic vlan assignment with radius and Aruba Controller
thank you and accept the solution.
New Best Answer
- Environmental Citizenship
- Support Services
- Contact Support
- Training & Certification
- Software Downloads
- Licensing Login
- Find a Partner
- Become a Partner
- Partner Ready for Networking
- Technology Partner Programs
- Privacy policy
- Terms of service
© Copyright 2024 Hewlett Packard Enterprise Development LP All Rights Reserved.
IMAGES
COMMENTS
In the CLI (host)(config) # interface vlan < id> ip address < address> < netmask> Configuring a VLAN to Receive a Dynamic Address. In a branch office, you can connect a controller to an uplink switch or server that dynamically assigns IP addresses to connected devices. For example, you can connect the controller to a DSL or cable modem, or a broadband remote access server (BRAS).
Table 1: IP and VLAN Assignment for WLAN SSID Clients Client IP Assignment Client VLAN Assignment; Virtual Controller assigned. If the Virtual Controller assigned is selected for client IP assignment, the Virtual Controller creates a private subnet and VLAN on the IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out ...
Configuring VLAN Assignment Rule. To configure VLAN assignment rules for an SSID profile: In the Aruba Central app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. Click the Config icon.
A video tutorial to address Dynamic VLAN assignment using the Aruba Instan access points
We are using a mix of IAP-315 and IAP-325 all on ArubaOS 8.6.0.6 without Aruba Central or another controller. Thanks in advance. Locked post. New comments cannot be posted. ... Yes, the radius server provides the attributes. the dynamic vlan assignment rule is "Assign VLAN returned as value of User-Vlan".
Dynamic VLAN assignment. 1. Dynamic VLAN assignment. We've come from Extreme to Aruba and recently purchased several AP505s. We would like to set up a dynamic vlan assignment based on a MPSK Local passphrase. I believe I've got most of the settings correct, but when I try to connect, obtaining an IP address from our external DHCP server fails.
1. Unable to configure dynamic VLAN assignment on IAP. I had an SSID using PSK, and now I want to use it with WPA2 Enterprise. I was able to change the Key Management from WPA2 Personal to WPA2 Enterprise, and set the authentication servers. But when I want to change Client VLAN Assignment from Default to Dynamic and click on Apply, the screen ...
If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID. Dynamic —Assigns the VLANs dynamically from a DHCP server. Native VLAN —Assigns the client VLAN is assigned to the native ...
The clearpass guy says he is passing the Aruba-User-Vlan . here is what I have configured in the IAP: Assign Vlan returned as vlaue of Aruba-User-Vlan. Default VLAN: 190 . when I connect up with this setting I look in the controller and show associations and the client has vlan 190 but doesn't get an ip address.
The Allowed VLAN refers to the VLANs carried by the port in Access mode. If the Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as Native VLAN. You can specify a value within the range of 1-4093.
I am wondering where can I read about dynamic VLAN assignment attributes, I mean which one is for what, because there are bunch of them and I'm only aware of few of them, also, I couldn't find any information in the internet. Thanks.
we have clearpass for 80211x auth with an enforcement policy which links to two profiles. the attributes match a staff and pupil group from AD and each attribute links to 1 profile each. currently they both map to the same vlan. I want to separate out the staff to a new vlan so should be a matter of just changing the vlan in clearpass.
3. RE: Radius Server Assigned Vlans. Similar Situation: If InstantOn supports Dynamic VLAN with Radius, you would have a lot of new customers. So please Aruba team, push this request to the responsibles who could trigger a feature request to your developers. 4. RE: Radius Server Assigned Vlans.
Under VLANs, select Dynamic under Client VLAN Assignment. Click + Add Rule to create a VLAN assignment rule. The New VLAN Assignment Rule pop-up window is displayed. In the New VLAN Assignment Rule window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
If anyone has any of this brands setup to dynamic vlan assignment, your input is very much appreciated. Reply reply More replies. cdb0788 • I'm doing this using Aruba IAP's, Aruba switches, and ClearPass. My edge switches are 2930's and my chassis' are 5412's. Also starting to roll out downloadable user roles (DUR) on the AP's. Reply reply ...
This Profile should move the user in the specific VLAN. I mapped this profile to a Policy and mapped this also to a Service. Now my problem appears. The User connects to the SSID wich is provided by a Aruba Controller 7024. ClearPass said "user authentication successfull" and mapped profile = ergo-VLAN_130.
Click Submit. Click Pending Changes. In the Pending Changes window, select the check box and click Deploy changes. In this example, a PPoE service name, username, and password are assigned, and the interface VLAN 14 has an uplink priority of 3: (host) [mynode] (config) # interface vlan 14. ip address pppoe.
1. 802.1X Authentication and Dynamic VLAN Assignment with Aruba 1960 switch. I'm testing with Radius authentication (NPS server + AD) and dynamic VLAN assignment for a wired network. User authentication has so far failed. on my client machine. I double-checked, and the user credentials are correct.
I deployed Aruba IAP-215s in a 16 unit apartment building to provide internet for all tenants. I would like each apartment unit to be isolated into their own VLAN without creating 16 seperate SSIDs. ... My thought was to use guest accounts in internal server and captive portal that would assign VLANS based on Dynamic VLAN assignment rules ...
Vendor Specific Attributes (VSA) When an external RADIUS server is used, the user VLAN can be derived from the Aruba-User-Vlan VSA. The VSA is then carried in an Access-Accept packet from the RADIUS server. The IAP can analyze the return message and derive the value of the VLAN which it assigns to the user.. Figure 1 RADIUS Access-Accept packets with VSA
Hi Friend, Adding to the reply by Victor here are steps to configure the RAS policy for dynamic VLAN assignment. Select New policy and give a name ( DemoPolicy) Select Wireless : Select the user group to map this policy (Manager is a group) Select Grant RAS and click on Edit profile. Select Advanced Tab and select Add.
Configuring VLAN Assignment Rule. To configure VLAN assignment rules for an SSID profile: In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. Click the Config icon.
Select Dynamic in Client VLAN Assignment to specify a VLAN ID. To create a VLAN assignment rule, click + Add Rule under VLAN Assignment Rules. The New VLAN Assignment Rule window is displayed. Attribute —Select an attribute from the drop-down list. Operator —Select either equals or not-equals from the drop-down list, depending on your criteria.