Dynamic Vlan Assignment with Aruba Clearpass

Abertay

Hi,

Has anyone managed to get dynamic vlan assignment working with cloud WiFi and Radius (Clearpass in this case). If i setup the site to use SSID assigned VLANS they all work individually, but if i set it to assign VLAN dynamically it just sets it to untagged and no IP is assigned.
I've configured clearpass to send IETF type 81 and the VLAN to the various ones available, but it seems to be ignoring it.
Are there any other values i need to be sending back?

RADIUS Response
Radius:IETF:Filter-Id Test
Radius:IETF:Tunnel-Private-Group-Id 50

thanks

james.carson

Hi @Abertay

The only RADIUS server I've specifically configured for this is NPS.

If you take a look at the bottom of the article here:
https://techsearch.watchguard.com/KB/WGKnowledgeBase?SFDCID=kA22A000000HQJ7SAO&type=KBArticle

this shows what the access-accept must look like in order for that feature to work. If your RADIUS server isn't providing the highlighted data in that screenshot, dynamic VLANs won't work.
You didn't include the AVP (attribute value pairs) - those must be the correct value or they will be ignored.

If you're not getting anywhere with that and/or you've verified they're correct, I'd suggest opening a support case.

Abertay

Thanks James, I've got all those options enabled now, but no luck. Have raised a case with support.
Radius:IETF:Framed-Protocol 1
Radius:IETF:Service-Type 2
Radius:IETF:Tunnel-Medium-Type 6
Radius:IETF:Tunnel-Private-Group-Id 50
Radius:IETF:Tunnel-Type 13

Abertay

Hi, I've found a solution which might help anyone configuring WG AP's and Clearpass in the future. You need to send the following attributes to the WG AP :

Radius:Avenda:Avenda-Tag-Id 0
Radius:IETF:Framed-Protocol 1
Radius:IETF:Service-Type 2
Radius:IETF:Tunnel-Medium-Type 6
Radius:IETF:Tunnel-Private-Group-Id 60 (whatever your vlan is)
Radius:IETF:Tunnel-Type 13