dynamic vlan assignment based on the AD user groups

  • 1
  • Question
  • Updated 5 years ago
  • Answered
I would like my users to be connected to a specific VLAN based on the SSID they are connected to, but it doesn't work.
For instance, in AD, I have user1 that belongs to groups ADvlan7, ADvlan8 and ADvlan9. I would like user1 to access the network vlan7 if he connects to ssid Wifi7, to access the network vlan8 if he connects to ssid Wifi8... These VLANs aren't routed.
In hivemanager, I have manually mapped LDAP user groups to user profiles UserProfile7, UserProfile8 and UserProfile9.
Next in the network policy, I have created 3 SSIDs Wifi7, Wifi8 and Wifi9.
For each ssid, the default is mapped to "default-profile" and the Authentication to the respective User Profile (Wifi7 -> UserProfile7, Wifi8 -> UserProfile8 ...).
I saved and uploaded the configuration on the APs but it doesn't work.
When I connect to Wifi8, I get an IP of the network Wifi7 and I am in the vlan7.

I don't understand why it doesn't work. Do you have any suggestions to make it work?

Thank you

erwan

  • 4 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 1

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Have you looked through the other thread here that has a similar title to your thread? http://community.aerohive.com/aerohiv...

Crowdie did what I consider an excellent job describing the steps and concerns in setting this up.

erwan

  • 4 Posts
  • 0 Reply Likes
Thank you for your answer.

I did read this thread but my issue is not the same.
I want one user who belongs to different groups to have the possibility to access different VLANs published on the same AP.
So, if we take the example of a university, I want to offer the possibility to a teacher that has a unique AD account to connect to either the teacher VLAN or the student VLAN. I guess that it is possible to do this by creating 2 SSIDs and defining the correct policy. But I didn't succeed in making it work.
Is it really possible to do what I want?

In the thread you mention, we can read "Therefore, a user who is assigned to the User Profile whose attribute is 50 would be assigned to a VLAN dependent on which city the user is in."
What I would need is to be "assigned to a VLAN dependent on which SSID the user connects to on the same AP".

Thank you.

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Hmm. Let me try parroting back what you want to accomplish, to ensure I understand you properly.

You want users to be authenticated against your AD, but regardless of their AD attributes, they should be associated to a specific VLAN when they connect to a specific SSID?

Have I over-simplified the use-case?

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
Can you share screens of your SSID, user profile, and local user groups?

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
What authentication type are you using on your SSIDs? 802.1x, Private PPK, PSK, etc.

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
The more I think about this, I don't think what you are trying to do is going to work.

Think about it from the RADIUS server's perspective. You have defined the following:
User1=userprofile7/attribute7
user1=userprofile8/attribute8
user1=userprofile9/attribute9

No matter what SSID you connect to, the RADIUS server is going to go down that list and find the first match based on the order you configured in the RADIUS server config, and return userprofile7/attribute 7.

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
Could you use the Called-Station-ID, which contains the MAC address and SSID that the wireless client is authenticating to?

There is an interesting thread on Microsoft TechNet re this - http://social.technet.microsoft.com/F....

Nick Lowe posts a large amount on RADIUS and RADIUS issues so he may be able to advise.

erwan

  • 4 Posts
  • 0 Reply Likes
I am using 802.1x as authentication for my SSID.

Mike, the use case you describe is correct but I don't know if it is feasible.

Andrew, I have made the same observation.

Crowdie, I understand your point and I think that could be a solution.
I am new to Aerohive. So I imagine that the operation to use the "Called-Station-ID" attribute is:
In the hivemanager, in the "network policy configuration" / "Configure Interfaces & User Access", I have to select "Add/remove" in the "User Profile" column.
Click on "Assign user profiles based on values returned in the following RADIUS attribute", and select Standard Attribute "30_Called-Station-Id".

I think that the mapping is done between the value of the Standard Attribute "30_Called-Station-Id" and the value "Attribute Number" of the User Profile. Is it right?

How does it work if the Standard Attribute "30_Called-Station-Id" is not a number (it should be something like this 00-17-df-34-82-80:RSC-Secure-Wireless)?

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Erwan,
I think Crowdie is on the right path -- let the AD server accept or reject users based on the SSID they connect to. I think you and he are right that the Called-Station-ID should be the attribute you key off of, as that will let you know which SSID they are connecting to, so that you can reject students who attempt to connect to the teacher SSID. The Called-Station-ID attribute is a string, not necessarily a number, so you should be able to match on it within your RADIUS server.

Sam

  • 120 Posts
  • 31 Reply Likes
The correct pattern for IAS/NPS (windoze radius servers) to limit users based on called-station-id is:

^[^:]+:SSID_NAME$

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
Sam, do you have a screenshot (or screenshots) of this configured?

Sam

  • 120 Posts
  • 31 Reply Likes
Yes I do. I will post when in front of a PC.

erwan

  • 4 Posts
  • 0 Reply Likes
Thank you for your answer.
The current setup I have is a RADIUS server configured from the hivemanager and running in an AP.
I don't know if your suggestion is feasible with this setup (in this case I didn't find documentation or the option in the hivemanager, so maybe it needs to be done on the command line in the AP) or if I need to set up an external RADIUS server.

Thank you for your answers.

Sam

  • 120 Posts
  • 31 Reply Likes
This would be an external radius config with Windows Radius Server. Not Aerohive radius server.

Sam

  • 120 Posts
  • 31 Reply Likes
@Crowdie:

Students contains domain\students OR domain\teachers

The Teachers policy only contains domain\Teachers

What this means is a student cannot auth to Teachers as they will fail the match, but can to Students. And a Teacher can auth to either because they match both.



And here is where you add the constraint:
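As an added illustration (not code from the thread or from any vendor), the following models the NPS-style ordered policy evaluation Andrew describes (first matching policy wins) together with Sam's Called-Station-Id pattern and his Teachers/Students group constraint. The user names, AP MAC, SSIDs, VLAN ids and group names are constructed sample values; the Teachers policy admits only domain\Teachers, the Students policy admits students or teachers.

```python
import re
from dataclasses import dataclass

# Constructed sample data: AD-style group membership and the
# "AP-MAC:SSID" form of Called-Station-Id (hyphenated MAC, no colons).
AD_GROUPS = {
    "teacher1": {"domain\\Teachers"},
    "student1": {"domain\\Students"},
}

@dataclass(frozen=True)
class Policy:
    """One ordered network policy: first policy whose conditions match wins."""
    name: str
    ssid: str                 # matched through Called-Station-Id
    allowed_groups: frozenset
    vlan: int                 # returned as Tunnel-Private-Group-ID

def csid_pattern(ssid: str) -> re.Pattern:
    # Sam's pattern ^[^:]+:SSID_NAME$, with the SSID escaped so that
    # regex metacharacters in an SSID name are matched literally.
    return re.compile(r"^[^:]+:" + re.escape(ssid) + r"$")

POLICIES = [
    Policy("Teachers", "Wifi7", frozenset({"domain\\Teachers"}), 7),
    Policy("Students", "Wifi8", frozenset({"domain\\Students", "domain\\Teachers"}), 8),
]

def evaluate(user: str, called_station_id: str, policies=POLICIES):
    """Return the RADIUS tunnel attributes of the first policy whose
    SSID condition and group condition both hold, or None (Access-Reject)."""
    groups = AD_GROUPS.get(user, set())
    for p in policies:
        if csid_pattern(p.ssid).match(called_station_id) and groups & p.allowed_groups:
            return {"Tunnel-Type": "VLAN",
                    "Tunnel-Medium-Type": "IEEE-802",
                    "Tunnel-Private-Group-ID": str(p.vlan)}
    return None

if __name__ == "__main__":
    ap = "00-17-df-34-82-80"                      # constructed AP MAC
    print(evaluate("teacher1", f"{ap}:Wifi7"))    # one account, VLAN 7 on Wifi7
    print(evaluate("teacher1", f"{ap}:Wifi8"))    # same account, VLAN 8 on Wifi8
    print(evaluate("student1", f"{ap}:Wifi7"))    # student on teacher SSID: reject
```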