Dave,

If you use Aruba's user roles named the same as the Filter-Id, you can use one 
rule "Filter-ID value-of set role" to set the user role to the Filter-Id value. 
This is very useful if you are using many Filter-Id values.

Bruce Osborne
Wireless Network Engineer
IT Network Services
 
(434) 592-4229
 
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011


-----Original Message-----
From: Dave Barr [mailto:d...@cornell.edu] 
Sent: Thursday, July 07, 2011 2:51 PM
Subject: Re: Proxim APs and 802.1X RADIUS VLAN assignment

I can confirm your goal is achievable; I just don't know about your particular 
implementation. For us, the RADIUS server is programmed to send a different 
value for the RADIUS attribute "Filter-Id" based on the successful 
authentication from various proxies. With this information provided to the 
controller, the vLAN is set to a particular value. This is the working bit of 
configuration in the aaa server-group on the controller...

 set vlan condition Filter-Id contains "eduroam-noncornell" set-value 1900
 set vlan condition Filter-Id contains "eduroam-cornell" set-value 1901

...that matches client to the vLAN with security premises expected for those 
clients.

We utilize Aruba Networks for the Wi-Fi system and OSC Radiator for the RADIUS 
server. We have clients utilizing eduroam here from Cornell as well as other 
participating institutions and the reciprocal is working out as well. Hope 
this was helpful...



Dave Barr


***************************************************************************
Cornell Information Technologies       http://www.cit.cornell.edu

David Barr - Information Technology Specialist
Email: d...@cornell.edu
Phone:  607 255-4703

***************************************************************************



-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jethro R Binks
Sent: Thursday, July 07, 2011 11:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment

Hello all,

I've been having problems using 802.1X authentication, or more specifically, 
assignment of VLANs based on the RADIUS attributes.

Goal is to have one SSID, "eduroam", to which both visitors and local users 
authenticate when using the wireless service.  Visitors remain in the VLAN to 
which the SSID is associated, and local users onsite are switched into a 
different VLAN based on attributes from the Radius server backend.

In brief:

I am running the latest v4.0.12 code (but had problems with previous versions 
too).

I believe I have followed to the letter the Proxim knowledgebase article (which 
was updated a while ago) ("VLAN Assignment by RADIUS").

I have tested with a variety of clients (Windows laptop, Windows mobile, Apple 
i-things).

With no VLAN assignment (i.e., none of the Tunnel- attributes being sent by 
RADIUS), it usually works OK (sometimes with a couple of retries); but the 
local user remains in the "visitor" VLAN as expected.

With the VLAN assignment enabled, it will usually NOT work.  Once in a while 
you might get lucky and get connected to the right VLAN and get an address from 
DHCP, but it is very inconsistent and unreliable.  As far as I can surmise, the 
problem is likeliest to lie with the AP.

Since it does occasionally work, the basic infrastructure appears to be sound.

So, I'm reaching out there to find if there are any other people doing 
something like this with Proxim APs (AP4000 in particular), to see if you have 
seen these problems with other vendors or found a fix.  Or, alternatively, maybe 
it isn't the AP, but something else you can suggest that might cause this 
inconsistent behaviour.

Thanks for any thoughts,

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in Scotland, 
number SC015263.

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
