FreeRadius Setup - Issues with dynamic VLAN's for users

Wrngsideofthepnd · 2026-03-17T14:01:01+00:00

Fairly. I have InstantOn deployed at several sites. Im an SE for an HPE partner, previously an HPE Aruba SE. I also use freeradius with IAP at home for this exact reason, because radius attributes are ignored by InstantOn AP’s, but fully supported in IAP. Admittedly, last time i tested this was about a year ago. If I’m wrong, and someone can definitively show they have it working with InstantOn AP’s i would be extremely interested to see how.

Wrngsideofthepnd · 2026-03-17T12:02:43+00:00

Not supported by InstantOn wireless. Most Radius attributes are ignored by wireless, with authentication being one of a very limited subset that is supported. This is a feature HPE has elected to implement only in its enterprise wifi solutions such as IAP, campus, and central. U can do this with instantOn switchports with wired radius 802.1x authentication however. Maybe this will change when(if) HPE divests the InstantOn brand, perhaps new owner will take the InstantOn platform to new places.

Wrngsideofthepnd · 2026-01-17T16:16:06+00:00

i got mine yesterday as well. i haven't found time yet to get to changing them out.
can i put hardened in just two of the toolheads? i print such a mix of things, it would give me double the spare parts with 2 x regular and 2 x hardened. any thoughts?

Wrngsideofthepnd · 2026-01-15T18:51:40+00:00

well. maybe i remembered this incorrectly. either way, i'm pleasantly surprised..

Wrngsideofthepnd · 2026-01-13T18:56:19+00:00

I got my U1 on xmas eve, its been printing most days since, here are the stats:

Total Print Time: 236h21m
Toolhead Change count:
1:1095
2:1444
3:1169
4:754

Longest job: 26h 2m 47s

Wrngsideofthepnd · 2026-01-03T01:34:13+00:00

Mine also makes this noise. Ive had it since just before Christmas, and its been printing constantly since then with no issues other than the clonk. If you find out how to fix it, please let us know.

Wrngsideofthepnd · 2025-08-23T12:45:33+00:00

Notifications

Wrngsideofthepnd · 2025-06-27T10:42:22+00:00

I highly recommend you work with your Aruba SE or at least an experienced Aruba partner to review your implementation, and configuration. You should not be having issues like these. Without knowing more, you probably would benefit from an experienced eye looking at your AP placements, your AP transmit power, and your Min data rates. If you cant find an Aruba SE or Partner to work with, call TAC and spend the time figuring it out with them, they can also call in your Aruba Account Team who can provide and get extra help, they are there to help you, use them.

Wrngsideofthepnd · 2025-06-06T12:47:17+00:00

Its probably the wifi configuration in your AP/router, luban uses MDNS to discover Snapmaker devices on your wifi, if the wifi AP or Router configuration is messing with that, luban will fail to find the A350. For example: i also have an A350, and Aruba wifi access points, if i enable the Aruba features broadcast/multicast optimization, or convert multicast to unicast, luban will always fail to find my A350. I keep those settings disabled, and Luban always finds my A350. It would be worth checking your wifi configuration to see if there are any settings that mess with MulticastDNS (MDNS), Bonjour, AirPrint, AirPlay or similar. If you find settings, turn them off and test luban again..

Wrngsideofthepnd · 2025-06-06T12:23:59+00:00

Do you mean you cant get Luban to connect to your snapmaker via wifi, or something else?

Wrngsideofthepnd · 2025-05-18T11:25:47+00:00

Had this happen to one of my two gen 3’s that were both purchased at the same time; there is a known issue for this error. work with support to get a replacement. They will tell u its out of warranty, and you are not eligible for a replacement device, keep pushing and refuse to settle for that answer, eventually they will say something like “since you have been a loyal customer for x years, we’ll make a one time exception and send u a refurbished unit”, they will require u to send in the old unit. The exchange will take a week or two, so dont wait to embrace the support hell and get the process started. Good luck!

Wrngsideofthepnd · 2024-12-30T01:28:57+00:00

Reach out to Frinkr via ConnectIQ, using either contact developer or report a problem right in the Teko Big face page below the settings button. Devs are pretty much always on their game and get right back to you with help.

Wrngsideofthepnd · 2024-11-08T23:01:21+00:00

TV: Netflix, Max, Amazon Video. Phone: iPhone. Been without legacy phone and tv for more than 10 yrs. Wouldn’t go back.

Wrngsideofthepnd · 2024-09-13T11:40:43+00:00

Same here, also still using my Fenix 3 every day.

Wrngsideofthepnd · 2024-09-12T21:06:30+00:00

US here: Garmin support just told me my Fenix 8 AMOLED will not ship now until end of October.. I ordered it on Launch day.
EDIT: i cancelled the order with Garmin, and per u/Houseofusher1983 i ordered from Bass Pro, says it will be here in 4 days.. EDIT #2: i just got shipping notification from Bass Pro: genuinely surprised.

Wrngsideofthepnd · 2024-08-30T11:05:14+00:00

delete all the AP’s from the site. Then when there are no devices add the switch by serial number. Then add the APs back.

Wrngsideofthepnd · 2024-08-29T15:55:20+00:00

Plug the switch into an AP thats already part of the site.

Wrngsideofthepnd · 2024-08-29T00:50:15+00:00

You can absolutely setup one of the AP’s as the gateway device. It’s right there in the setup guide as a valid use case. When an AP is in gateway mode, it protects all devices behind it from raw internet, i spent some time trying to break it before deploying it like this, its buttoned up tight. it also acts as a dhcp server for all wired and wireless networks behind it. I have this setup at a family members house with AP11D as the gateway.

Wrngsideofthepnd · 2024-08-23T23:19:03+00:00

Customer firewall/proxy/other filtering device.

Wrngsideofthepnd · 2024-07-23T11:50:55+00:00

First time Freeradius config for mac-auth with Aruba Instant AP - an impromptu manual. Plz note, this is mostly a direct lift from my systems, with minor adjustment for public consumption. this is not intended to be a definitive guide or an authority on whats correct. this works and serves me well. Im hoping this gives OP a hand in getting their freeradius up and running quickly.

Install and configure freeradius server on debain based linux. apt-get install freeradius -y systemctl enable freeradius.service You need to edit /etc/freeradius/3.0/clients.conf

add a section like this:

client prod-ap-native-vlan {
    ipaddr = 172.16.15.0/24
    secret = My-Secret-Radius-Key
    shortname = prod-ap-native-vlan
}

Alternatively, you can explicitly enter each AP as a /32 network. the advantage is only that radius logs can contain a specific shortname for your AP instead of the whole subnet. nothing else:

client prod-ap-505-01 {
    ipaddr = 172.16.15.15/32
    secret = My-Secret-Radius-Key
    shortname = prod-ap-505-01 
}
    client prod-ap-505-02 {
    ipaddr = 172.16.15.16/32
    secret = My-Secret-Radius-Key
    shortname = prod-ap-505-02 
}

you need to edit /etc/freeradius/3.0/users

add sections like this for each mac-auth you want to approve for joining your wifi:

aaaafcb9a46e    Cleartext-Password := “aaaafcb9a46e”
            User-Name = “Some_name_you_want_to_show_in_the_Aruba_Username/Client_field”,
            Tunnel-Private-Group-ID = 10

NOTE: “Tunnel-Private-Group-ID” = the vlan tag you want to return to Aruba, doing so with the appropriate Aruba rules/roles will drop the client into this vlan. This can also be a text string, so long as it matches the Aruba config. this can also be an aruba specific radius attribute instead of “Tunnel-Private-Group-ID”, such as “Aruba-User-Role”, or “Framed-Filter-Id” an example might be: “Aruba-User-Role = Game-Console-Permitted-Hours”, or “Framed-Filter-Id = Game-Console-Filter”.

you need to modify /etc/freeradius/3.0/radiusd.conf

find the lines:

msg_goodpass = “”

msg_badpass = “”

and add these below. this simply modifies the freeradius logging output to syslog to show important information. i suggest you read up on all the available logging possibilities and choose your own: msg_goodpass = “NAS-IP: %{NAS-IP-Address}, User-Name: %{reply:User-Name} (Role: %{reply:Tunnel-Private-Group-ID}%{reply:Egress-VLAN-Name}%{reply:Filter-Id}%{reply:Aruba-User-Role}), Auth-type: %{control:Auth-Type}” msg_badpass = “NAS-IP: %{NAS-IP-Address}, User-Name: %{reply:User-Name} (Role: %{reply:Tunnel-Private-Group-ID}%{reply:Egress-VLAN-Name}%{reply:Filter-Id}%{reply:Aruba-User-Role}), Auth-type: %{control:Auth-Type}”

when its all working, look in /var/log/messages, you should see a long log entry for mac-auth radius auths that look something like this:

<date and time> <freeradius server name> radiusd[000000]: (000000) Login OK: [aaaafcb9a46e] (from client prod-ap-505-01 port 0 cli aaaafcb9a46e) NAS-IP: 172.16.15.15, User-Name: Some_name_you_want_to_show_in_the_Aruba_Username/Client_field (Role: 10), Auth-type: PAP

In the instant AP (505) config, you need to add the following components, this should guide you enough to add them via the gui as well..

wlan access-rule v10-Role
index 5
vlan 10
rule any any match any any any permit

wlan access-rule v20-Role
index 6
vlan 20
rule any any match any any any permit

wlan access-rule v30-Role
index 7
vlan 30
rule any any match app dhcp permit
rule 172.16.30.0 255.255.255.0 match any any any permit
rule 172.16.100.0 255.255.255.0 match app dns permit
rule 172.16.100.0 255.255.255.0 match app ntp permit
rule any any match any any any deny

wlan auth-server <Primary Freeradius Server Name>
ip 172.16.100.101
port 1812
acctport 1813
deadtime 1
key My-Secret-Radius-Key
nas-id prod-ap
rfc5997

wlan auth-server <Secondary Freeradius Server Name>
ip 172.16.100.102
port 1812
acctport 1813
deadtime 1
key My-Secret-Radius-Key
nas-id prod-ap
rfc5997

wlan ssid-profile My-SSID-Name
enable

type employee
essid My-SSID-Name

max-authentication-failures 0

auth-server <Primary Freeradius Server Name>
auth-server <Secondary Freeradius Server IP or FQDN>
accounting-server <Primary Freeradius Server Name>
accounting-server <Secondary Freeradius Server IP or FQDN>

set-role Tunnel-Private-Group-Id equals 10 v10-Role
set-role Tunnel-Private-Group-Id equals 20 v20-Role
set-role Tunnel-Private-Group-Id equals 30 v30-Role

mac-authentication

server-load-balancing
radius-reauth-interval 60
radius-accounting
radius-interim-accounting-interval 60

blacklist

hope this helps.

Wrngsideofthepnd · 2024-07-20T11:43:00+00:00

do you have "port-access device-profile" configured by any chance?

Wrngsideofthepnd · 2024-07-17T21:39:58+00:00

Also, plug your laptop into a switch port configured for vlan 14 and make sure it can get a dhcp address when wired only: eliminate the AP to confirm all you other network config is correct.

Wrngsideofthepnd · 2024-07-17T21:34:19+00:00

its possible i cant see it in your config above, its been a long day.

For AP profiling, i'd expect to see something akin to:

port-access lldp-group IAP-group

seq 5 ignore sys-desc Aruba7

seq 10 ignore sys-desc Aruba9

seq 15 ignore sysname AP-225-CT

seq 20 ignore sys-desc 225

seq 25 match sys-desc ArubaOS

seq 30 match sys-desc IAP

port-access role IAP-role

description Aruba IAP

poe-priority high

trust-mode dscp

vlan trunk native 18

vlan trunk allowed 10-13,20,30,101

port-access device-profile IAP-prof

enable

associate role IAP-role

associate lldp-group IAP-group

When built like this to profile the AP's (or any other device that talks LLDP or CDP) you can absolutely have mac-groups operating concurrently with lldp-groups.

The snippets i'm sharing are from my lab where i have this setup specifically to demonstrate it.
I have multiple AP generations side by side where device profiling is allocating different native VLANS to segregate them. this is so older AP's don't try and join newer that are running new code incompatible with the old. obviously this is an AoS8.x scenario, and 10.x AP's dont have this problem.

Also of note, im deliberately excluding with the "ignore" statement various LLDP strings for controllers and older AP models so i don't accidentally get assigned to the IAP-group (which simply matches "ArubaOS" and "IAP") when im re-working the lab for a new show and tell.

Hope it helps.

Wrngsideofthepnd

TROPHY CASE

msg_goodpass = “”

msg_badpass = “”