Users Guide

ManualsBrandsDell ManualsAccess PlatformsW-3200

171

172

173

174

175

176

177

178

179

180

2. Before client authentication, the VLAN can be derived from rules based on client attributes (SSID, BSSID,

client MAC, location, and encryption type). A rule that derives a specific VLAN takes precedence over a rule

that derives a user role that may have a VLAN configured for it.

3. After client authentication, the VLAN can be configured for a default role for an authentication method,

such as 802.1x or VPN.

4. After client authentication, the VLAN can be derived from attributes returned by the authentication server

(server-derived rule). A rule that derives a specific VLAN takes precedence over a rule that derives a user role

that may have a VLAN configured for it.

5. After client authentication, the VLAN can be derived from Microsoft Tunnel attributes (Tunnel-Type, Tunnel

Medium Type, and Tunnel Private Group ID). All three attributes must be present as shown below. This does

not require a server-derived rule. For example:

Tunnel-Type="VLAN"(13)

Tunnel-Medium-Type="IEEE-802" (6)

Tunnel-Private-Group-Id="101"

6. After client authentication, the VLAN can be derived from Vendor Specific Attributes (VSA) for RADIUS

server authentication. This does not require a server-derived rule. If a VSA is present, it overrides any

previous VLAN assignment. For example:

Dell-User-VLAN

Dell-Named-User-VLAN

VLAN Derivation Priorities for VLAN types

The VLAN derivation priorities for VLAN is defined below in the increasing order:

1. Default or Virtual AP VLAN

2. VLAN from Initial role

3. VLAN from User Derivation Rule (UDR) role

4. VLAN from UDR

5. VLAN from DHCP option 77 UDR role (wired clients)

6. VLAN from DHCP option 77 UDR (wired clients)

7. VLAN from MAC-based Authentication default role

8. VLAN from Server Derivation Rule (SDR) role during MAC-based Authentication

9. VLAN from SDR during MAC-based Authentication

10.VLAN from Vendor Specific Attributes (VSA) role during MAC-based Authentication

11.VLAN from VSA during MAC-based Authentication

12.VLAN from Microsoft Tunnel attributes during MAC-based Authentication

13.VLAN from 802.1X default role

14.VLAN from SDR role during 802.1X

15.VLAN from SDR during 802.1X

16.VLAN from VSA role during 802.1X

17.VLAN from VSA during 802.1X

18.VLAN from Microsoft Tunnel attributes during 802.1X

19.VLAN from DHCP options role

20.VLAN from DHCP options

A VLAN from DHCP options has highest priority for VLAN derivation. Note, however, that DHCP options are not

considered for derivation if the Aruba VSA ARUBA_NO_DHCP_FINGERPRINT (14) was sent for the user.

Dell Networking W-Series ArubaOS 6.4.x | User Guide Network Configuration Parameters | 172