93| Network Configuration Parameters Dell Networking W-Series ArubaOS 6.5.x| User Guide
!
(host)(config) #aaa server-group "THR-DOT1X-SERVER-GROUP-WPA2"
  auth-server Internal
!
(host)(config) #aaa profile "THR-AAA-PROFILE-WPA2"
  dot1x-default-role "THR-ROLE-NAME-WPA2"
  dot1x-server-group "THR-DOT1X-SERVER-GROUP-WPA2"
!
(host)(config) #wlan ssid-profile "THR-SSID-PROFILE-WPA2"
  essid "THR-WPA2"
  opmode wpa2-aes
!
(host)(config) #wlan virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"
  ssid-profile "THR-SSID-PROFILE-WPA2"
  aaa-profile "THR-AAA-PROFILE-WPA2"
  vlan 60
!
(host)(config) #ap-group "THRHQ1-STANDARD"
  virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"

Understanding VLAN Assignments
A client is assigned to a VLAN by one of several methods. The methods are listed here in order of precedence,
from lowest to highest:
1. The default VLAN is the VLAN configured for the WLAN (see Virtual AP Profiles on page 409).
2. Before client authentication, the VLAN can be derived from rules based on client attributes (SSID, BSSID,
client MAC, location, and encryption type). A rule that derives a specific VLAN takes precedence over a rule
that derives a user role that may have a VLAN configured for it.
3. After client authentication, the VLAN can be configured for a default role for an authentication method,
such as 802.1X or VPN.
4. After client authentication, the VLAN can be derived from attributes returned by the authentication server
(server-derived rule). A rule that derives a specific VLAN takes precedence over a rule that derives a user role
that may have a VLAN configured for it.
5. After client authentication, the VLAN can be derived from Microsoft Tunnel attributes (Tunnel-Type,
Tunnel-Medium-Type, and Tunnel-Private-Group-Id). All three attributes must be present as shown below. This does
not require a server-derived rule. For example:
Tunnel-Type="VLAN" (13)
Tunnel-Medium-Type="IEEE-802" (6)
Tunnel-Private-Group-Id="101"
6. After client authentication, the VLAN can be derived from Vendor Specific Attributes (VSA) for RADIUS
server authentication. This does not require a server-derived rule. If a VSA is present, it overrides any
previous VLAN assignment. For example:
Dell-User-VLAN
Dell-Named-User-VLAN
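
The precedence order above, written out as a resolver for checking which source ends up deciding a client's VLAN. This is an added example, not ArubaOS code and not code from the guide; the field names, the source labels and the dictionary form of the RADIUS attributes are assumptions, and of the two VSAs only the numeric Dell-User-VLAN is handled.

```python
# Added illustration, not ArubaOS code: field and source names are assumptions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ClientContext:
    default_vlan: int                              # 1. VLAN configured for the WLAN
    pre_auth_role_vlan: Optional[int] = None       # 2. pre-auth rule -> role with a VLAN
    pre_auth_vlan: Optional[int] = None            # 2. pre-auth rule -> specific VLAN
    auth_default_role_vlan: Optional[int] = None   # 3. default role of the auth method
    server_role_vlan: Optional[int] = None         # 4. server-derived rule -> role VLAN
    server_vlan: Optional[int] = None              # 4. server-derived rule -> specific VLAN
    radius_attrs: dict = field(default_factory=dict)  # decoded RADIUS reply attributes

def tunnel_vlan(attrs: dict) -> Optional[int]:
    """Method 5: honoured only when all three tunnel attributes are present."""
    group = str(attrs.get("Tunnel-Private-Group-Id", ""))
    if (attrs.get("Tunnel-Type") == 13               # "VLAN"
            and attrs.get("Tunnel-Medium-Type") == 6  # "IEEE-802"
            and group.isdigit()):
        return int(group)
    return None

def vsa_vlan(attrs: dict) -> Optional[int]:
    """Method 6: numeric Dell-User-VLAN; Dell-Named-User-VLAN is not handled here."""
    vlan = attrs.get("Dell-User-VLAN")
    return int(vlan) if vlan is not None else None

def resolve_vlan(ctx: ClientContext) -> tuple:
    """Return (vlan, source); candidates run lowest to highest, last match wins."""
    candidates = [
        ("default VLAN", ctx.default_vlan),
        ("pre-auth rule (role)", ctx.pre_auth_role_vlan),
        ("pre-auth rule (VLAN)", ctx.pre_auth_vlan),
        ("auth default role", ctx.auth_default_role_vlan),
        ("server-derived rule (role)", ctx.server_role_vlan),
        ("server-derived rule (VLAN)", ctx.server_vlan),
        ("tunnel attributes", tunnel_vlan(ctx.radius_attrs)),
        ("VSA", vsa_vlan(ctx.radius_attrs)),
    ]
    winner = None
    for source, vlan in candidates:
        if vlan is not None:
            winner = (vlan, source)
    return winner

# Constructed sample: WLAN default VLAN 60, RADIUS returns the tunnel attributes.
SAMPLE = ClientContext(default_vlan=60, radius_attrs={
    "Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-Id": "101"})
```

Calling resolve_vlan(SAMPLE) returns the VLAN together with the source that supplied it, which makes it visible when a RADIUS reply moves a client off the VLAN configured on the virtual AP.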

VLAN Derivation Priorities for VLAN types
The VLAN derivation priorities are defined below, in increasing order:
1. Default or Virtual AP VLAN
2. VLAN from Initial role
3. VLAN from User Derivation Rule (UDR) role
4. VLAN from UDR
5. VLAN from DHCP option 77 UDR role (wired clients)