Wireless Access

  • 1.  VLAN ID change based on attributes

    Posted Nov 09, 2025 01:55 PM

    Hello community,

    I'm wanting to ask if this is something that is even possible to do. We have a few clusters in an MC/MD running 8.10 LSR, and I have a need to either grow a subnet or create a new one. In the past, we've created a VLAN name and added a couple of IDs in that name, so it balances between the IDs to get them on the network. What I'm trying to accomplish is something similar: we use ISE for RADIUS auth, and what I'm hoping is to use the same ESSID, but have a rule that specifically puts a client in one of the VLAN IDs based on attributes, be it certificate, MAC OUI or anything else I can find that's the same. Is this something I can do within the MC/MD? I have no control on the RADIUS side; what we do is VLAN shift based on the response we get from ISE. I'm trying to keep the same response (e.g. ID 150), but have that VLAN name hold 2 IDs and, based on attributes of the endpoint, move it to the specific subnet I need it in.

    Hopefully what I've described makes sense.
    Thanks everyone.



    -------------------------------------------


  • 2.  RE: VLAN ID change based on attributes

    Posted Nov 10, 2025 02:44 AM

    You can use server derivation rules for VLAN or Aruba user role assignment; here is the link to Aruba Online Help.

    The rules are set up in the Auth Server group, there you can evaluate the calling-station-ID, for example.

    Usually, we do the opposite: we define a set of rules in the Radius server, based on which it sends a corresponding VLAN or Aruba-User-Role as Radius attributes to the controller.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
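    As an added illustration of the two mechanisms mentioned in this thread (not configuration posted by either participant), the fragment below shows a named VLAN that spans two IDs, and a server derivation rule in the auth server group that pins clients with a given MAC prefix to one of those IDs while everyone else keeps the VLAN returned by ISE. The group name, server name, VLAN name and the OUI are constructed placeholders, and the CLI syntax is written from memory of the ArubaOS CLI reference, so check it against the reference for your 8.10 release before applying it under the right /md node.

```text
! Named VLAN pool: one name, two IDs, clients balanced across them.
vlan 150
vlan 151
vlan-name Employees pool
vlan Employees 150,151
!
! Server derivation rules live in the server group that the ESSID's
! AAA profile references. Rules are evaluated in order; first match wins.
aaa server-group "ISE-Group"
    auth-server "ISE-01"
    ! Endpoints whose MAC begins with this constructed OUI land in VLAN 151.
    ! The MAC delimiter/case must match the Calling-Station-Id format the
    ! controller actually sends (see "aaa radius attribute" / show aaa output).
    set vlan condition Calling-Station-Id starts-with "00-11-22" set-value 151 position 1
    ! Everything else keeps the VLAN name ISE returns in Aruba-Named-User-Vlan.
    set vlan condition Aruba-Named-User-Vlan value-of position 2
```

Two checks worth doing before relying on this: confirm with `show aaa server-group "ISE-Group"` that the rules are in the expected order, and confirm with `show user-table verbose` (or the per-client details) that a test client from the chosen OUI is placed in 151 while a client outside it still follows the ISE-returned VLAN. Also note that a derivation rule keyed on an OUI is only as trustworthy as the MAC address, which an endpoint can set itself, so treat it as a placement convenience rather than an access control.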



  • 3.  RE: VLAN ID change based on attributes

    Posted Nov 10, 2025 06:43 AM
    Edited by xRekiDoux Nov 10, 2025 06:43 AM

    Thanks for the information. I do plan on speaking with the ISE admins to see if we can just make a response that'll be unique to these devices and I just take it on our controllers; we currently achieve this through Aruba-Named-User-Vlan. But if we get some push-back, and the scoping of the current subnet is looking almost impossible, I wanted to check alternatives.
    I appreciate the information. I would more than likely use the calling-station-id... if internally we're unable to get the ISE admin to create a new rule.

    -------------------------------------------