  • 1.  Radius server dynamic assigned vlans

    Posted 12-12-2020 07:48 PM
    Hello,

    Does anyone have expertise with the Aruba 1930 switch and dynamic VLANs via a RADIUS server?

    Yesterday I found this one-year-old post about RADIUS server assigned VLANs in the wireless discussion: Radius Server Assigned Vlans
    The last post was "...currently doesn't support dynamic VLANs..."

    But the Aruba Instant On 1930 Switch Series Management and Configuration Guide (dated June 2020) describes the possibility of assigning dynamic VLANs.
    I already configured my RADIUS server (Aruba ClearPass) and established a connection with the switch. So I can see the request on the ClearPass and the rules (different VLANs for different MAC addresses) are working. The client also shows up in "Access Control Client Information" on the switch, but without any VLAN ID.

    So my concrete question: which attribute must be sent to the switch so that it will put the port in the expected VLAN?


    ------------------------------
    best regards,
    Carsten Endrulat
    ------------------------------


  • 2.  RE: Radius server dynamic assigned vlans

    Posted 07-19-2021 02:35 PM
    Hello,

    I'm facing the same problem. The MAC-based authentication is working with my (FreeRADIUS) server, but all the known attributes for VLAN assignment (tried multiple combinations):
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 100,
    Aruba-User-VLAN =100,
    Egress-VLANID += `%{expr: 0x31000000 + 451}`
    keep getting ignored by the Aruba 1930 switch with newest firmware. The Access Control Client Information shows all the information, but the VLANID is empty.

    We have bought multiple switches of this series exclusively because this feature is supported.

    Has anyone had success setting up VLANs via RADIUS with the 1930?

    Regards
    Thomas

    ------------------------------
    Thomas Augustin
    ------------------------------



  • 3.  RE: Radius server dynamic assigned vlans

    Posted 08-10-2021 09:52 AM
    After some testing and changing server- and switch configs I got it working. I really don't know on which side the error was (maybe on both ;-)).
    Here is my working config:

    freeradius:
    aabbccddeeff    Cleartext-Password := "aabbccddeeff"
                        Tunnel-Type = 13,
                        Tunnel-Medium-Type = 6,
                        Tunnel-Private-Group-ID = 100

    Aruba 1930:
    Security
    * RADIUS Configuration
    ** 802.1x Authentication: enabled
    
    * Port Access Control
    ** Admin Mode: enabled
    ** MAC Authentication Type: EAP-MD5
    
    Port Configuration
    * Control Mode: MAC Based
    * VLAN Assignment: enabled
    * MAC Authentication: enabled

    Some problems still remain: after assigning a VLAN, the port membership overview shows two untagged(!) VLANs on the port - the default 1 and the assigned one, e.g. 100. I still have to test if this is a possible security risk or only a display error.

    Regards
    Thomas


    ------------------------------
    Thomas
    ------------------------------