Aruba defines its own RADIUS VSAs (Vendor-Specific Attributes) for use with RADIUS authentication. When the RADIUS server includes the matching attribute and value in its Access-Accept, the ArubaOS 8 controller uses that attribute and value to shape the client's configuration.
Since I couldn't find my old notes, I decided to write this up again.
How do I get the ArubaOS 8 VSA list?
Connect to the controller and run the following command to get the Aruba RADIUS VSA dictionary.
show aaa radius-attributes
The output is below. ※ Version: ArubaOS 8.10.0.13
Dictionary
----------
Attribute                         Value  Type         Vendor     Id
---------                         -----  ----         ------     --
MS-CHAP-NT-Enc-PW                 6      String       Microsoft  311
Acct-Output-Packets               48     Integer
WISPr-Session-Term-End-Of-Day     10     Integer      WISPr      14122
Aruba-Mdps-Device-Version         21     String       Aruba      14823
Aruba-Mdps-Max-Devices            18     Integer      Aruba      14823
Location-Information              127    String
WISPr-Redirection-URL             4      String       WISPr      14122
Acct-Session-Time                 46     Integer
Framed-AppleTalk-Zone             39     String
RTTS-Reest-Below-Throughput       5      Integer      RTTS       10923
Requested-Location-Info           132    Integer
Framed-Interface-Id               96     IF ID
Connect-Info                      77     String
Aruba-Location-Id                 6      String       Aruba      14823
Service-Type                      6      Integer
Nomadix-Group-Max-Up              20     Integer      Nomadix    3309
CHAP-Password                     3      String
WISPr-Bandwidth-Min-Down          6      Integer      WISPr      14122
Aruba-Template-User               8      String       Aruba      14823
Aruba-No-DHCP-Fingerprint         14     Integer      Aruba      14823
Location-Capable                  131    Integer
Event-Timestamp                   55     Date
Login-Service                     15     Integer
Aruba-AirGroup-Device-Type        27     Integer      Aruba      14823
Tunnel-Password                   69     String
Proxy-State                       33     String
Framed-IP-Netmask                 9      IP Addr
Aruba-Mdps-Device-Profile         33     String       Aruba      14823
Cisco-AVPair                      1      String       Cisco      9
WLAN-Pairwise-Cipher              186    Integer
WLAN-Reason-Code                  185    Integer
Acct-Output-Gigawords             53     Integer
Aruba-Port-Bounce-Host            40     Integer      Aruba      14823
Aruba-Mdps-Device-Udid            15     String       Aruba      14823
Aruba-AirGroup-Shared-User        25     String       Aruba      14823
MS-CHAP-CPW-2                     4      String       Microsoft  311
Acct-Tunnel-Packets-Lost          86     Integer
Tunnel-Connection-Id              68     String
Session-Timeout                   27     Integer
MS-CHAP-Domain                    10     String       Microsoft  311
MS-CHAP-LM-Enc-PW                 5      String       Microsoft  311
ARAP-Password                     70     String
Acct-Interim-Interval             85     Integer
CHAP-Challenge                    60     String
NAS-IP-Address                    4      IP Addr
Aruba-Mdps-Device-Serial          22     String       Aruba      14823
ARAP-Security-Data                74     String
Called-Station-Id                 30     String
Idle-Timeout                      28     Integer
Nomadix-Group-Bw-Policy-ID        19     Integer      Nomadix    3309
Framed-Route                      22     String
Aruba-Captive-Portal-URL          43     String       Aruba      14823
Aruba-AirGroup-Shared-Group       35     String       Aruba      14823
Aruba-AP-IP-Address               34     IP Addr      Aruba      14823
Aruba-Auth-Survivability          28     String       Aruba      14823
Expiration                        21     Date
Acct-Terminate-Cause              49     Integer
Aruba-User-Role                   1      String       Aruba      14823
Framed-IP-Address                 8      IP Addr
RTTS-Estimated-Throughput         1      Integer      RTTS       10923
Framed-Routing                    10     Integer
Aruba-Auth-SurvMethod             39     Integer      Aruba      14823
Huntgroup-Name                    221    String
Tunnel-Medium-Type                65     Integer
Aruba-Admin-Path                  42     String       Aruba      14823
Aruba-Network-SSO-Token           37     String       Aruba      14823
Aruba-Port-Id                     7      String       Aruba      14823
Aruba-Priv-Admin-User             3      Integer      Aruba      14823
ARAP-Features                     71     String
Callback-Id                       20     String
Aruba-Mdps-Device-Product         20     String       Aruba      14823
MS-BAP-Usage                      13     String       Microsoft  311
Aruba-User-Group                  36     String       Aruba      14823
Aruba-WorkSpace-App-Name          31     String       Aruba      14823
Tunnel-Assignment-Id              82     String
Class                             25     String
MS-CHAP-Error                     2      String       Microsoft  311
Acct-Status-Type                  40     Integer
Framed-Protocol                   7      Integer
MS-Link-Utilization-Threshold     14     String       Microsoft  311
Digest-Response                   206    String
Acct-Output-Octets                43     Integer
WISPr-Location-Name               2      String       WISPr      14122
Aruba-AS-Credential-Hash          30     String       Aruba      14823
Port-Limit                        62     Integer
Acct-Delay-Time                   41     Integer
Aruba-User-Vlan                   2      Integer      Aruba      14823
MS-MPPE-Recv-Key                  17     String       Microsoft  311
ARAP-Zone-Access                  72     Integer
Acct-Authentic                    45     Integer
Aruba-AirGroup-Version            38     Integer      Aruba      14823
MS-CHAP-Response                  1      String       Microsoft  311
Operator-Name                     126    String
WISPr-Session-Term-Time           9      String       WISPr      14122
MS-CHAP-CPW-1                     3      String       Microsoft  311
Login-IPv6-Host                   98     IPv6 Addr
State                             24     String
User-Name                         1      String
Acct-Session-Id                   44     String
Callback-Number                   19     String
Aruba-AirGroup-Shared-Role        26     String       Aruba      14823
Aruba-Device-Type                 12     String       Aruba      14823
MS-MPPE-Encryption-Policy         7      String       Microsoft  311
Framed-Compression                13     Integer
WLAN-Group-Cipher                 187    Integer
Framed-IPv6-address               168    IPv6 Addr
Message-Auth                      80     String
NAS-Identifier                    32     String
Aruba-Mdps-Device-Imei            16     String       Aruba      14823
Nomadix-Group-Max-Down            21     Integer      Nomadix    3309
MS-CHAP-MPPE-Keys                 12     String       Microsoft  311
Tunnel-Server-Auth-Id             91     String
Tunnel-Type                       64     Integer
Aruba-Essid-Name                  5      String       Aruba      14823
Tunnel-Server-Endpoint            67     String
Login-LAT-Port                    63     String
WISPr-Billing-Class-Of-Service    11     Integer      WISPr      14122
MS-CHAP-Challenge                 11     String       Microsoft  311
Aruba-AP-Group                    10     String       Aruba      14823
Acct-Input-Packets                47     Integer
WISPr-Logoff-URL                  3      String       WISPr      14122
Aruba-AS-User-Name                29     String       Aruba      14823
Aruba-CPPM-Role                   23     String       Aruba      14823
Aruba-Mdps-Device-Name            19     String       Aruba      14823
Error-Cause                       101    Integer
Framed-IPv6-Route                 99     String
ARAP-Security                     73     Integer
Acct-Input-Octets                 42     Integer
MS-RAS-Version                    18     String       Microsoft  311
MS-MPPE-Send-Key                  16     String       Microsoft  311
WLAN-AKM-Suite                    188    Integer
Aruba-Calea-Server-Ip             41     IP Addr      Aruba      14823
Login-LAT-Group                   36     String
Termination-Action                29     Integer
Framed-MTU                        12     Integer
Password-Retry                    75     Integer
Calling-Station-Id                31     String
RTTS-Earlylift-Threshold          7      Integer      RTTS       10923
Acct-Input-Gigawords              52     Integer
Framed-AppleTalk-Network          38     Integer
Login-LAT-Service                 34     String
WISPr-Bandwidth-Max-Down          8      Integer      WISPr      14122
Aruba-Mdps-Provisioning-Settings  32     String       Aruba      14823
MS-RAS-Vendor                     9      String       Microsoft  311
Acct-Link-Count                   51     Integer
MS-CHAP2-Success                  26     String       Microsoft  311
MS-Filter                         22     String       Microsoft  311
Tunnel-Client-Auth-Id             90     String
NAS-Port-Type                     61     Integer
Login-IP-Host                     14     IP Addr
Aruba-AirGroup-User-Name          24     String       Aruba      14823
Aruba-Mdps-Device-Iccid           17     String       Aruba      14823
Aruba-Framed-IPv6-Address         11     String       Aruba      14823
RTTS-Reest-Keepalive-Num          6      Integer      RTTS       10923
WISPr-Bandwidth-Min-Up            5      Integer      WISPr      14122
Framed-IPv6-Pool                  100    String
Aruba-Named-User-Vlan             9      String       Aruba      14823
Aruba-MPSK-Passphrase             44     String       Aruba      14823
Location-Data                     128    String
WLAN-Group-Mgmt-Cipher            189    Integer
Acct-Multi-Session-Id             50     String
Login-LAT-Node                    35     String
NAS-Port-Id                       5      Integer
Aruba-Admin-Role                  4      String       Aruba      14823
Prompt                            76     Integer
Framed-AppleTalk-Link             37     Integer
RTTS-Reestimation-Period          4      Integer      RTTS       10923
WISPr-Location-ID                 1      String       WISPr      14122
MS-CHAP2-CPW                      27     String       Microsoft  311
Filter-Id                         11     String
MS-CHAP2-Response                 25     String       Microsoft  311
EAP-Message                       79     String
RTTS-Backoff-Time                 3      Integer      RTTS       10923
MS-Link-Drop-Time-Limit           15     String       Microsoft  311
Framed-IPv6-Prefix                97     IPv6 Prefix
Tunnel-Private-Group-Id           81     String
Tunnel-Client-Endpoint            66     String
Framed-IPX-Network                23     IP Addr
WISPr-Bandwidth-Max-Up            7      Integer      WISPr      14122
MS-MPPE-Encryption-Types          8      String       Microsoft  311
NAS-IPv6-Address                  95     IPv6 Addr
Chargeable-User-Identity          89     String
Reply-Message                     18     String
Password                          2      String
RTTS-Result                       2      Integer      RTTS       10923
Tunnel-Preference                 83     Integer
Vendor-Specific                   26     String
Login-TCP-Port                    16     Integer
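As an added example, not part of the original post: a small parser for the `show aaa radius-attributes` output above. The Type column holds multi-word types such as `IP Addr` and `IPv6 Prefix`, so a naive whitespace split reads `Framed-Interface-Id 96 IF ID` as type `IF` with vendor `ID`; the parser anchors on the known type names instead and records, for each VSA, the enterprise number it is nested under. The rows embedded in the code are a constructed excerpt of the table above, chosen to cover every Type spelling it uses; nothing else about the format is assumed.

```python
import re

# Constructed excerpt of the `show aaa radius-attributes` table above (the full
# output has ~190 rows); rows chosen to cover every Type spelling it uses.
SAMPLE_OUTPUT = """\
Dictionary
----------
Attribute Value Type Vendor Id
--------- ----- ---- ------ --
Aruba-User-Role 1 String Aruba 14823
Aruba-User-Vlan 2 Integer Aruba 14823
Aruba-AP-IP-Address 34 IP Addr Aruba 14823
Framed-Interface-Id 96 IF ID
Login-IPv6-Host 98 IPv6 Addr
Framed-IPv6-Prefix 97 IPv6 Prefix
Event-Timestamp 55 Date
Vendor-Specific 26 String
MS-MPPE-Recv-Key 17 String Microsoft 311
"""

# Type names the controller prints, longest first so "IPv6 Prefix" is not
# cut short. Several contain a space, which is why a plain str.split()
# misfiles "IF ID" as Type "IF" with Vendor "ID".
TYPES = ("IPv6 Prefix", "IPv6 Addr", "IP Addr", "IF ID", "Integer", "String", "Date")

ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+"
    r"(?P<type>" + "|".join(re.escape(t) for t in TYPES) + r")"
    r"(?:\s+(?P<vendor>\S+)\s+(?P<vendor_id>\d+))?\s*$"
)


def parse_radius_dictionary(text):
    """Turn the controller's attribute table into {name: fields}.
    Standard attributes get vendor=None; VSAs carry the vendor name and PEN."""
    attrs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:          # title, header and separator lines have no numeric Value
            continue
        attrs[m["name"]] = {
            "value": int(m["value"]),
            "type": m["type"],
            "vendor": m["vendor"],
            "vendor_id": int(m["vendor_id"]) if m["vendor_id"] else None,
        }
    return attrs


def wire_path(attrs, name):
    """Describe how an attribute travels: a VSA is nested inside the standard
    Vendor-Specific attribute (26) under its vendor's IANA enterprise number."""
    a = attrs[name]
    if a["vendor_id"] is None:
        return f"{name}: attribute {a['value']} ({a['type']})"
    return (f"{name}: Vendor-Specific (26) -> Vendor-Id {a['vendor_id']} "
            f"[{a['vendor']}] -> Vendor-Type {a['value']} ({a['type']})")


def vendor_attributes(attrs, vendor_id):
    """All attributes the dictionary files under one enterprise number."""
    return sorted(n for n, a in attrs.items() if a["vendor_id"] == vendor_id)


if __name__ == "__main__":
    d = parse_radius_dictionary(SAMPLE_OUTPUT)
    for n in ("Aruba-User-Role", "Aruba-User-Vlan", "Framed-Interface-Id"):
        print(wire_path(d, n))
    print(vendor_attributes(d, 14823))
```

Feed it the full output captured from the controller and `vendor_attributes(d, 14823)` lists every Aruba VSA the firmware knows, which is the list to check a RADIUS server's dictionary against before relying on an attribute.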
Commonly used VSAs on ArubaOS 8
- Aruba-User-Role: sets the user role, which controls what the client is allowed to access.
- Aruba-User-Vlan: sets the user VLAN, which determines the subnet the client lands in.
Dictionary
----------
Attribute                         Value  Type         Vendor     Id
---------                         -----  ----         ------     --
Aruba-User-Role                   1      String       Aruba      14823
Aruba-User-Vlan                   2      Integer      Aruba      14823
Configuring Aruba VSAs on Windows Server NPS
Aruba-User-Role and Aruba-User-Vlan need no special configuration on the controller to take effect: as long as the RADIUS server returns them, the controller applies the values. The role and the VLAN must of course already be defined on the controller, and the returned role name must match the configured role exactly; a name the controller does not know is not applied, and the client falls back to the default role for that authentication method. Note that the controller honours whatever a correctly authenticated reply carries, so the NPS policy conditions and the RADIUS shared secret are what keep a client from being handed a more privileged role or VLAN than intended.
Suppose we want users who match a particular set of conditions to be assigned the user role "ArubaVSA_UserRole" and VLAN "1723". The steps on NPS are as follows.
In the relevant Network Policy > Properties > Settings > Vendor Specific > Add > Vendor: "Custom" > Vendor-Specific > Add.

First configure Aruba-User-Role. From the Aruba VSA table, enter vendor code "14823", select "Yes. It conforms.", click "Configure Attribute", enter vendor-assigned attribute number "1", choose attribute format "String", enter attribute value "ArubaVSA_UserRole", then click OK and OK to add the attribute.

Next configure Aruba-User-Vlan. From the Aruba VSA table, enter vendor code "14823", select "Yes. It conforms.", click "Configure Attribute", enter vendor-assigned attribute number "2", choose attribute format "Decimal", enter attribute value "1723", then click OK and OK to add the attribute.

That completes the NPS side.
The test Wi-Fi's default VLAN is 30 and its default role is authenticated. If the NPS settings take effect, the client should not end up with that default VLAN and role.
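The NPS dialog fields above map directly onto the RADIUS wire format, and the controller only honours them after checking the reply against the shared secret. The following Python example, added here and not taken from the original post or from any Aruba or Microsoft code, encodes an Access-Accept the way NPS will for the two VSAs just configured (vendor 14823, attribute 1 as a String, attribute 2 as a 4-byte Decimal), then performs the NAS-side check: verify the Response Authenticator (and the Message-Authenticator when present), walk the attributes, and pull out the role and VLAN. The shared secret, RADIUS identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26        # standard attribute that wraps every VSA
MESSAGE_AUTHENTICATOR = 80
ARUBA_PEN = 14823           # the "vendor code" typed into the NPS dialog
ARUBA_USER_ROLE = 1         # vendor-assigned attribute number, format String
ARUBA_USER_VLAN = 2         # vendor-assigned attribute number, format Decimal


def avp(attr_type, data):
    """Top-level RADIUS attribute: Type(1) Length(1) Value (RFC 2865 section 5)."""
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def vsa(vendor_id, vendor_type, data):
    """VSA per RFC 2865 5.26: Vendor-Id(4), then Vendor-Type(1) Vendor-Length(1) data."""
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_access_accept(ident, request_auth, secret, role, vlan):
    """Encode the Access-Accept NPS sends for the policy configured above."""
    attrs = (vsa(ARUBA_PEN, ARUBA_USER_ROLE, role.encode())              # String
             + vsa(ARUBA_PEN, ARUBA_USER_VLAN, struct.pack("!I", vlan)))  # Decimal
    # Message-Authenticator: HMAC-MD5 over the packet with this field zeroed and
    # the Authenticator field holding the Request Authenticator (RFC 2869 5.14).
    placeholder = attrs + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(placeholder))
    ma = hmac.new(secret, header + request_auth + placeholder, hashlib.md5).digest()
    attrs += avp(MESSAGE_AUTHENTICATOR, ma)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_and_decode(packet, request_auth, secret):
    """NAS side: reject anything not proven to come from the holder of the
    shared secret, then return (role, vlan) carried in Aruba VSAs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    role = vlan = ma_off = None
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute")
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            raise ValueError("malformed attribute")
        val = attrs[i + 2:i + l]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            ma_off = i
        elif t == VENDOR_SPECIFIC and len(val) >= 6:
            vid = struct.unpack("!I", val[:4])[0]
            j = 4
            while j + 2 <= len(val):        # one VSA may carry several sub-attributes
                vt, vl = val[j], val[j + 1]
                if vl < 2 or j + vl > len(val):
                    raise ValueError("malformed VSA")
                vdata = val[j + 2:j + vl]
                if vid == ARUBA_PEN and vt == ARUBA_USER_ROLE:
                    role = vdata.decode()
                elif vid == ARUBA_PEN and vt == ARUBA_USER_VLAN and vl == 6:
                    vlan = struct.unpack("!I", vdata)[0]
                j += vl
        i += l
    if ma_off is not None:                  # check it when the server sent one
        zeroed = bytearray(attrs)
        zeroed[ma_off + 2:ma_off + 18] = bytes(16)
        ma = hmac.new(secret, header + request_auth + bytes(zeroed), hashlib.md5).digest()
        if not hmac.compare_digest(attrs[ma_off + 2:ma_off + 18], ma):
            raise ValueError("Message-Authenticator mismatch")
    return role, vlan


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # example value only
    req_auth = os.urandom(16)               # copied from the Access-Request in real life
    pkt = build_access_accept(0x42, req_auth, secret, "ArubaVSA_UserRole", 1723)
    print(pkt.hex())
    print(verify_and_decode(pkt, req_auth, secret))   # ('ArubaVSA_UserRole', 1723)
    try:
        verify_and_decode(pkt, req_auth, b"wrong-secret")
    except ValueError as err:
        print("rejected:", err)
```

The VLAN travels as a 4-byte big-endian integer, which is what the NPS "Decimal" format produces and what the controller expects for an Integer-typed VSA; choosing "String" for attribute 2 would put the ASCII text "1723" on the wire instead and the controller would not apply it. Any change to the attributes after the server signs the reply, or a reply from a host that does not hold the shared secret, fails the Response Authenticator check and is dropped before the role is ever looked at.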

The server group has no server rules configured either, so nothing on the controller side is deriving a role or VLAN from the reply.

After connecting the laptop to the test Wi-Fi, the Aruba controller WebUI shows that the user received the values NPS returned in the VSAs and was placed in the corresponding role and VLAN.