  • 1.  AOS 10/New Central: Role Based VLAN assignment not working

    Posted 5 days ago

    I'm piloting a small device group with AOS 10.4.11_94853 and the New Central interface...  I've created a role and set its VLAN ID, but I keep getting dropped into the WLAN Profile's "Default VLAN" instead of the VLAN assigned to my role.

    The only way I can get it to drop users into the appropriate VLAN is to use the WLAN Profile's "VLAN Assignment Rules"

    Am I missing something?  I thought Role-Based VLAN assignment was the preferred method in AOS 10?

    Thank you!



    -------------------------------------------


  • 2.  RE: AOS 10/New Central: Role Based VLAN assignment not working

    Posted 5 days ago

    Well, the authentication server should tell the AP to use the user role based on the policy. So in your case, are you authenticating users on the WLAN?

    Generally the user connects to a dot1x WLAN and the RADIUS server will send an accept and an Aruba-user-role VSA matching the configured user-role.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------
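
A way to check whether an Access-Accept actually carries the Aruba-User-Role VSA mentioned in reply 2, added here as an example that is not part of the original thread or any HPE Aruba tooling. It assumes vendor ID 14823 and vendor type 1 from the public Aruba RADIUS dictionary; the function names and the sample packets (zeroed authenticator, role name `contractor`) are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2        # RFC 2865 packet code
VENDOR_SPECIFIC = 26     # RFC 2865 attribute type
SESSION_TIMEOUT = 27     # RFC 2865 attribute type
ARUBA_VENDOR_ID = 14823  # Aruba enterprise number (assumption: public dictionary)
ARUBA_USER_ROLE = 1      # Aruba-User-Role vendor type (assumption: public dictionary)

def aruba_user_roles(packet: bytes) -> list[str]:
    """Return every Aruba-User-Role value found in a RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    roles, pos = [], 20
    while pos < length:
        # Each attribute is type(1) length(1) value; length covers all three.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        sub = value[4:]
        # A VSA may pack several vendor sub-attributes after the vendor ID.
        while vendor == ARUBA_VENDOR_ID and len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == ARUBA_USER_ROLE:
                roles.append(sub[2:vlen].decode("utf-8", "replace"))
            sub = sub[vlen:]
    return roles

def vsa(vendor: int, vtype: int, data: bytes) -> bytes:
    """Encode one Vendor-Specific attribute holding a single sub-attribute."""
    sub = bytes([vtype, 2 + len(data)]) + data
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", vendor) + sub

def build_accept(attrs: bytes) -> bytes:
    """Constructed sample packet; the authenticator is zeroed, not a real one."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed samples: one accept with a role, one with only Session-Timeout.
TIMEOUT = bytes([SESSION_TIMEOUT, 6]) + struct.pack("!I", 3600)
WITH_ROLE = build_accept(TIMEOUT + vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, b"contractor"))
WITHOUT_ROLE = build_accept(TIMEOUT)
```
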



  • 3.  RE: AOS 10/New Central: Role Based VLAN assignment not working

    Posted 4 days ago

    I have 2 separate WLAN profiles:  One using Central NAC with an Entra backed Identity Store, and the other is MPSK-AES with Central NAC... Neither one is dropping users into the desired VLAN.

    Am I correct to assume that I should just stick to Dynamic VLAN rules on the WLAN profile?

    Thank you!

    -------------------------------------------



  • 4.  RE: AOS 10/New Central: Role Based VLAN assignment not working

    Posted 4 days ago

    For this to work, you need to configure user roles with assigned VLANs. If you have this in place then you need to call it in from your Central NAC authz policies.

    Overview of authentication and authorization policies in Central NAC






  • 5.  RE: AOS 10/New Central: Role Based VLAN assignment not working

    Posted 2 days ago

    I have tried to assign the VLAN using a Central NAC Authorization Policy, but I do not have a "VLAN ID" attribute option like what is shown in the documentation you referenced...  The only option I get is "Session Timeout" as shown here:

    -------------------------------------------



  • 6.  RE: AOS 10/New Central: Role Based VLAN assignment not working

    Posted 2 days ago

    I am not sure why you don't see the VLAN id attribute in CNAC authz policies, but generally I use user-roles.

    You can assign VLAN id in your roles too. See here, my contractor role has VLAN id 12






  • 7.  RE: AOS 10/New Central: Role Based VLAN assignment not working

    Posted 2 days ago

    Using the VLAN ID from the User-Role would be my preferred method, but it is ignoring that setting and putting the users into the default VLAN of the WLAN profile instead...  I'm lost as to why that is taking precedence over the user-role.

    Thank you! 

    -------------------------------------------



  • 8.  RE: AOS 10/New Central: Role Based VLAN assignment not working

    Posted 2 days ago

    Have you done all the configuration in New Central? Including the WLAN configuration?






  • 9.  RE: AOS 10/New Central: Role Based VLAN assignment not working

    Posted 8 hours ago

    Yes sir... Everything was done through New Central...  I followed along with this Aruba lab guide.  The only thing that differed was the roles themselves.  The guide mentions using some pre-built lab roles that obviously didn't exist in my system, so I created one at the Library level and then assigned it to "Campus Access Point" with a Global scope:

    -------------------------------------------



  • 10.  RE: AOS 10/New Central: Role Based VLAN assignment not working

    Posted 2 hours ago

    Check if at the device level you can see the user roles that you want. If they are there then it must be the authorization policy that is configured in Central NAC.


