Wireless Access

well the authentication server should tell the AP to use the user role based on the policy. So in your case are you authenticating users on the WLAN?

Generally the user connects to dot1x WLAN and the RADIUS server will send accept and Aruba-user-role VSA matching with the configured user-role.

I have 2 separate WLAN profiles:  One using Central NAC with an Entra backed Identity Store, and the other is MPSK-AES with Central NAC... Neither one is dropping users into the desired VLAN.

Am I correct to assume that I should just stick to Dynamic VLAN rules on the WLAN profile?

Thank you!

for this to work, you need to configure user roles with assigned VLANs. If you have this in place then you need to call it in from your Central NAC authz policies.

Overview of authentication and authorization policies in Central NAC

I have 2 separate WLAN profiles:  One using Central NAC with an Entra backed Identity Store, and the other is MPSK-AES with Central NAC... Neither one is dropping users into the desired VLAN.

Am I correct to assume that I should just stick to Dynamic VLAN rules on the WLAN profile?

Thank you!

well the authentication server should tell the AP to use the user role based on the policy. So in your case are you authenticating users on the WLAN?

Generally the user connects to dot1x WLAN and the RADIUS server will send accept and Aruba-user-role VSA matching with the configured user-role.

I have tried to assign the VLAN using a Central NAC Authorization Policy, but I do not have a "VLAN ID" attribute option like what is shown in the documentation you referenced...  The only option I get is "Session Timeout" as shown here:

for this to work, you need to configure user roles with assigned VLANs. If you have this in place then you need to call it in from your Central NAC authz policies.

Overview of authentication and authorization policies in Central NAC

I have 2 separate WLAN profiles:  One using Central NAC with an Entra backed Identity Store, and the other is MPSK-AES with Central NAC... Neither one is dropping users into the desired VLAN.

Am I correct to assume that I should just stick to Dynamic VLAN rules on the WLAN profile?

Thank you!

I am not sure why you don't see VLAN id attribute in CNAC authz policies, But generally I use user-roles.

you can assign VLAN id in your roles too. see here my contractor role has VLAN id 12

I have tried to assign the VLAN using a Central NAC Authorization Policy, but I do not have a "VLAN ID" attribute option like what is shown in the documentation you referenced...  The only option I get is "Session Timeout" as shown here:

for this to work, you need to configure user roles with assigned VLANs. If you have this in place then you need to call it in from your Central NAC authz policies.

Overview of authentication and authorization policies in Central NAC

I have 2 separate WLAN profiles:  One using Central NAC with an Entra backed Identity Store, and the other is MPSK-AES with Central NAC... Neither one is dropping users into the desired VLAN.

Am I correct to assume that I should just stick to Dynamic VLAN rules on the WLAN profile?

Thank you!

well the authentication server should tell the AP to use the user role based on the policy. So in your case are you authenticating users on the WLAN?

Generally the user connects to dot1x WLAN and the RADIUS server will send accept and Aruba-user-role VSA matching with the configured user-role.

Using the VLAN ID from the User-Role would be my preferred method, but it is ignoring that setting and putting the users into the default VLAN of the WLAN profile instead...  I'm lost as to why that is taking precedence over the user-role.

Thank you! 

I am not sure why you don't see VLAN id attribute in CNAC authz policies, But generally I use user-roles.

you can assign VLAN id in your roles too. see here my contractor role has VLAN id 12

I have tried to assign the VLAN using a Central NAC Authorization Policy, but I do not have a "VLAN ID" attribute option like what is shown in the documentation you referenced...  The only option I get is "Session Timeout" as shown here:

for this to work, you need to configure user roles with assigned VLANs. If you have this in place then you need to call it in from your Central NAC authz policies.

Overview of authentication and authorization policies in Central NAC

I have 2 separate WLAN profiles:  One using Central NAC with an Entra backed Identity Store, and the other is MPSK-AES with Central NAC... Neither one is dropping users into the desired VLAN.

Am I correct to assume that I should just stick to Dynamic VLAN rules on the WLAN profile?

Thank you!

Have you done all the configuration in New Central ? including the WLAN configuration?

Using the VLAN ID from the User-Role would be my preferred method, but it is ignoring that setting and putting the users into the default VLAN of the WLAN profile instead...  I'm lost as to why that is taking precedence over the user-role.

Thank you! 

I am not sure why you don't see VLAN id attribute in CNAC authz policies, But generally I use user-roles.

you can assign VLAN id in your roles too. see here my contractor role has VLAN id 12

I have tried to assign the VLAN using a Central NAC Authorization Policy, but I do not have a "VLAN ID" attribute option like what is shown in the documentation you referenced...  The only option I get is "Session Timeout" as shown here:

for this to work, you need to configure user roles with assigned VLANs. If you have this in place then you need to call it in from your Central NAC authz policies.

Overview of authentication and authorization policies in Central NAC

I have 2 separate WLAN profiles:  One using Central NAC with an Entra backed Identity Store, and the other is MPSK-AES with Central NAC... Neither one is dropping users into the desired VLAN.

Am I correct to assume that I should just stick to Dynamic VLAN rules on the WLAN profile?

Thank you!

well the authentication server should tell the AP to use the user role based on the policy. So in your case are you authenticating users on the WLAN?

Generally the user connects to dot1x WLAN and the RADIUS server will send accept and Aruba-user-role VSA matching with the configured user-role.

Yes sir... Everything was done through New Central...  I followed along with this Aruba lab guide.  The only thing that differed was the roles themselves.  The guide mentions using some pre-built lab roles that obviously didn't exist in my system, so I created one at the Library level and then assigned it to "Campus Access Point" with a Global scope:

Have you done all the configuration in New Central ? including the WLAN configuration?

Using the VLAN ID from the User-Role would be my preferred method, but it is ignoring that setting and putting the users into the default VLAN of the WLAN profile instead...  I'm lost as to why that is taking precedence over the user-role.

Thank you! 

I am not sure why you don't see VLAN id attribute in CNAC authz policies, But generally I use user-roles.

you can assign VLAN id in your roles too. see here my contractor role has VLAN id 12

I have tried to assign the VLAN using a Central NAC Authorization Policy, but I do not have a "VLAN ID" attribute option like what is shown in the documentation you referenced...  The only option I get is "Session Timeout" as shown here:

for this to work, you need to configure user roles with assigned VLANs. If you have this in place then you need to call it in from your Central NAC authz policies.

Overview of authentication and authorization policies in Central NAC

I have 2 separate WLAN profiles:  One using Central NAC with an Entra backed Identity Store, and the other is MPSK-AES with Central NAC... Neither one is dropping users into the desired VLAN.

Am I correct to assume that I should just stick to Dynamic VLAN rules on the WLAN profile?

Thank you!

Yes sir... Everything was done through New Central...  I followed along with this Aruba lab guide.  The only thing that differed was the roles themselves.  The guide mentions using some pre-built lab roles that obviously didn't exist in my system, so I created one at the Library level and then assigned it to "Campus Access Point" with a Global scope:

Have you done all the configuration in New Central ? including the WLAN configuration?

Using the VLAN ID from the User-Role would be my preferred method, but it is ignoring that setting and putting the users into the default VLAN of the WLAN profile instead...  I'm lost as to why that is taking precedence over the user-role.

Thank you! 

I am not sure why you don't see VLAN id attribute in CNAC authz policies, But generally I use user-roles.

you can assign VLAN id in your roles too. see here my contractor role has VLAN id 12

I have tried to assign the VLAN using a Central NAC Authorization Policy, but I do not have a "VLAN ID" attribute option like what is shown in the documentation you referenced...  The only option I get is "Session Timeout" as shown here:

for this to work, you need to configure user roles with assigned VLANs. If you have this in place then you need to call it in from your Central NAC authz policies.

Overview of authentication and authorization policies in Central NAC

I have 2 separate WLAN profiles:  One using Central NAC with an Entra backed Identity Store, and the other is MPSK-AES with Central NAC... Neither one is dropping users into the desired VLAN.

Am I correct to assume that I should just stick to Dynamic VLAN rules on the WLAN profile?

Thank you!

Roles have to be assigned to Global (for now). Also, roles have to have a Role Policy associated, which may be on Site Level (but Global also works).

In the screenshot, the Role-BYOD has no reference from a policy.

Roles that don't have an associated policy (that has to be assigned to the device function and site of the device) will not be propagated to an AP.

If Role-BYOD is not on your AP, add a policy for the Role-BYOD and check again.

Yes sir... Everything was done through New Central...  I followed along with this Aruba lab guide.  The only thing that differed was the roles themselves.  The guide mentions using some pre-built lab roles that obviously didn't exist in my system, so I created one at the Library level and then assigned it to "Campus Access Point" with a Global scope:

Have you done all the configuration in New Central ? including the WLAN configuration?

Using the VLAN ID from the User-Role would be my preferred method, but it is ignoring that setting and putting the users into the default VLAN of the WLAN profile instead...  I'm lost as to why that is taking precedence over the user-role.

Thank you! 

I am not sure why you don't see VLAN id attribute in CNAC authz policies, But generally I use user-roles.

you can assign VLAN id in your roles too. see here my contractor role has VLAN id 12

I have tried to assign the VLAN using a Central NAC Authorization Policy, but I do not have a "VLAN ID" attribute option like what is shown in the documentation you referenced...  The only option I get is "Session Timeout" as shown here:

for this to work, you need to configure user roles with assigned VLANs. If you have this in place then you need to call it in from your Central NAC authz policies.

Overview of authentication and authorization policies in Central NAC

I have 2 separate WLAN profiles:  One using Central NAC with an Entra backed Identity Store, and the other is MPSK-AES with Central NAC... Neither one is dropping users into the desired VLAN.

Am I correct to assume that I should just stick to Dynamic VLAN rules on the WLAN profile?

Thank you!

well the authentication server should tell the AP to use the user role based on the policy. So in your case are you authenticating users on the WLAN?

Generally the user connects to dot1x WLAN and the RADIUS server will send accept and Aruba-user-role VSA matching with the configured user-role.