ArubaOS and Controllers

Occasional Contributor II
Posts: 49
Registered: ‎06-22-2009

Assign different role than default role for VPN/VIA users?

Is there a way to assign a different role than the default role to VPN (IPsec or VIA) users? Even if there is a role set for the user in the local db or an external freeRadius server (filter-id), it always takes the default role configured in the profile, e.g. default-vpn-role or default-via-role. The goal would be to use different roles for different VPN users.
If I use the same server group for e.g. Captive Portal, it works fine and assigns the correct role.
I'm working with release 6.1.1.0 and have the PEFV installed.

Thank you for your help in advance!
Guru Elite
Posts: 21,512
Registered: ‎03-29-2007

Re: Assign different role than default role for VPN/VIA users?

The key is the server derivation rule in the server group that you use in the VPN authentication profile. Go to Configuration > Security > Authentication > L3 Authentication > VPN Authentication Profile > Default. When you click on default, there is a server group called "Default" that has a single server (Internal) and a server derivation rule that says "role, value-of, string, set role". That is a built-in server derivation rule that says: if a user is in the Internal database, apply whatever role he has assigned in the Internal database, instead of the default VPN role. You could create your own server group and apply it here, instead. Your server group would have your radius server and a server derivation rule that says "filter-id contains X, set role to Y", which would look for the filter-id variable from your radius server and apply the role specified.

Turn on user debugging to find out why a user gets the role he gets:

config t
logging level debug user
show log user 50


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 49
Registered: ‎06-22-2009

Re: Assign different role than default role for VPN/VIA users?

Thank you for your feedback. The server derivation rule is set accordingly but the role is not taken into account at the end:


Sep 22 10:26:00 :522038: |authmgr| username=user1 MAC=00:00:00:00:00:00 IP=10.10.11.1 Authentication result=Authentication Successful method=VIA-VPN server=free_radius
Sep 22 10:26:00 :522017: |authmgr| MAC=00:00:00:00:00:00 IP=?? Derived role 'via_role' from server rules: server-group=free_radius, authentication=VIA-VPN
Sep 22 10:26:00 :522004: |authmgr| Sending pool l2tp default-l2tp-pool, pptp default-pptp-pool in auth PAP response
Sep 22 10:26:00 :522004: |authmgr| {L3} Update role from logon to logon for IP=0.0.0.0
Sep 22 10:26:00 :522004: |authmgr| Reset BWM contract: IP=0.0.0.0 role=logon, contract= (0/0), type=Per role
Sep 22 10:26:00 :522006: |authmgr| MAC=00:00:00:00:00:00 IP=192.168.91.165 User entry added: reason=VPN
Sep 22 10:26:00 :522012: |authmgr| MAC=00:00:00:00:00:00 IP=192.168.91.165 IP UP: outerIP=10.10.11.1 tunnels=2
Sep 22 10:26:00 :522004: |authmgr| {L3} Update role from logon to default-via-role for IP=192.168.91.165
Sep 22 10:26:00 :522004: |authmgr| Reset BWM contract: IP=192.168.91.165 role=default-via-role, contract= (0/0), type=Per role
Sep 22 10:26:00 :522004: |authmgr| download: ip=192.168.91.165 acl=74/0 role=default-via-role, Ubwm=0, Dbwm=0 tunl=0x0, PA=0, HA=1, RO=0, VPN=0
Sep 22 10:26:00 :522008: |authmgr| User Authentication Successful: username=user1 MAC=00:00:00:00:00:00 IP=192.168.91.165 role=default-via-role VLAN=1 AP=N/A SSID=N/A AAA profile= auth method=VIA-VPN auth server=N/A
Sep 22 10:26:00 :522004: |authmgr| download: ip=192.168.91.165 acl=74/0 role=default-via-role, Ubwm=0, Dbwm=0 tunl=0x0, PA=0, HA=1, RO=0, VPN=0



It works fine if I do the authentication via Captive Portal. I'm going to open a case for this. Thank you for your help.
Guru Elite
Posts: 21,512
Registered: ‎03-29-2007

Re: Assign different role than default role for VPN/VIA users?

The 6.1.2.3 release notes say that there is a bug, 55503, which it lists as NOT fixed, but I see information otherwise that it is fixed in 6.1.2.3. Could you try 6.1.2.3 and see if it works?

"A problem with the auth module’s handling of server derived roles has been identified. Specifically, server role derivation for wired VPN users authenticating against a RADIUS server does not happen. The users are placed in the default VPN role instead of the server derivation role.

Workaround:
None."


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 49
Registered: ‎06-22-2009

Re: Assign different role than default role for VPN/VIA users?

I just upgraded to the 6.1.2.3 release and it seems to be fixed there. At least for VIA clients (couldn't check standard IPsec client yet).


Sep 22 11:30:39 :522038: |authmgr| username=user1 MAC=00:00:00:00:00:00 IP=10.10.11.1 Authentication result=Authentication Successful method=VIA-VPN server=free_radius
Sep 22 11:30:39 :522017: |authmgr| MAC=00:00:00:00:00:00 IP=?? Derived role 'via_role' from server rules: server-group=free_radius, authentication=VIA-VPN
Sep 22 11:30:39 :522004: |authmgr| Sending pool l2tp default-l2tp-pool, pptp default-pptp-pool in auth PAP response
Sep 22 11:30:39 :522004: |authmgr| {L3} Update role from logon to logon for IP=0.0.0.0
Sep 22 11:30:39 :522049: |authmgr| MAC=00:00:00:00:00:00,IP=0.0.0.0 User role updated, existing Role=none/none, new Role=none/logon, reason=First IP user created
Sep 22 11:30:39 :522004: |authmgr| Reset BWM contract: IP=0.0.0.0 role=logon, contract= (0/0), type=Per role
Sep 22 11:30:39 :522006: |authmgr| MAC=00:00:00:00:00:00 IP=192.168.91.26 User entry added: reason=VPN
Sep 22 11:30:39 :522012: |authmgr| MAC=00:00:00:00:00:00 IP=192.168.91.26 IP UP: outerIP=10.10.11.1 tunnels=3
Sep 22 11:30:39 :522004: |authmgr| {L3} Update role from logon to via_role for IP=192.168.91.26
Sep 22 11:30:39 :522049: |authmgr| MAC=00:00:00:00:00:00,IP=192.168.91.26 User role updated, existing Role=none/logon, new Role=none/via_role, reason=User authenticated with auth type:28role derivation:2 l3 assigned role:None
Sep 22 11:30:39 :522004: |authmgr| Reset BWM contract: IP=192.168.91.26 role=via_role, contract= (0/0), type=Per role
Sep 22 11:30:39 :522050: |authmgr| MAC=00:00:00:00:00:00,IP=192.168.91.26 User data downloaded to datapath, new Role=via_role/71, bw Contract=0/0,reason=Download driven by user role setting
Sep 22 11:30:39 :522004: |authmgr| download: ip=192.168.91.26 acl=71/0 role=via_role, Ubwm=0, Dbwm=0 tunl=0x0, PA=0, HA=1, RO=0, VPN=0
Sep 22 11:30:39 :522008: |authmgr| User Authentication Successful: username=user1 MAC=00:00:00:00:00:00 IP=192.168.91.26 role=via_role VLAN=1 AP=N/A SSID=N/A AAA profile= auth method=VIA-VPN auth server=N/A
Sep 22 11:30:39 :522050: |authmgr| MAC=00:00:00:00:00:00,IP=192.168.91.26 User data downloaded to datapath, new Role=via_role/71, bw Contract=0/0,reason= IP up for non VPN transport


Thank you for this hint! Have a nice day.
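The two "show log user" captures in this thread (the 6.1.1.0 one where the role is ignored and the 6.1.2.3 one where it is applied) show the check an admin wants after any upgrade: does the role in the 522017 "Derived role" line match the role in the 522008 "User Authentication Successful" line? The script below is an added example, not code from this thread or from Aruba; it assumes only the authmgr line format visible above, the regular expressions and the function names are mine, and the log excerpts are constructed from the lines posted here (only the role-relevant lines are kept).

```python
import re

# Constructed excerpts of the two captures posted in this thread: 6.1.1.0 (role
# ignored) and 6.1.2.3 (role applied). Only the role-relevant lines are kept.
LOG_6110 = """\
Sep 22 10:26:00 :522038: |authmgr| username=user1 MAC=00:00:00:00:00:00 IP=10.10.11.1 Authentication result=Authentication Successful method=VIA-VPN server=free_radius
Sep 22 10:26:00 :522017: |authmgr| MAC=00:00:00:00:00:00 IP=?? Derived role 'via_role' from server rules: server-group=free_radius, authentication=VIA-VPN
Sep 22 10:26:00 :522004: |authmgr| {L3} Update role from logon to default-via-role for IP=192.168.91.165
Sep 22 10:26:00 :522008: |authmgr| User Authentication Successful: username=user1 MAC=00:00:00:00:00:00 IP=192.168.91.165 role=default-via-role VLAN=1 AP=N/A SSID=N/A AAA profile= auth method=VIA-VPN auth server=N/A
"""

LOG_6123 = """\
Sep 22 11:30:39 :522038: |authmgr| username=user1 MAC=00:00:00:00:00:00 IP=10.10.11.1 Authentication result=Authentication Successful method=VIA-VPN server=free_radius
Sep 22 11:30:39 :522017: |authmgr| MAC=00:00:00:00:00:00 IP=?? Derived role 'via_role' from server rules: server-group=free_radius, authentication=VIA-VPN
Sep 22 11:30:39 :522004: |authmgr| {L3} Update role from logon to via_role for IP=192.168.91.26
Sep 22 11:30:39 :522008: |authmgr| User Authentication Successful: username=user1 MAC=00:00:00:00:00:00 IP=192.168.91.26 role=via_role VLAN=1 AP=N/A SSID=N/A AAA profile= auth method=VIA-VPN auth server=N/A
"""

# 522017: the role the server derivation rule produced, and from which server group.
DERIVED_RE = re.compile(
    r"Derived role '(?P<role>[^']+)' from server rules: server-group=(?P<group>[^,\s]+)"
)
# 522008: the role that was finally applied to the user entry.
FINAL_RE = re.compile(
    r"User Authentication Successful: username=(?P<user>\S+) .*?\brole=(?P<role>\S+)"
)


def audit_role_derivation(log_text):
    """Pair each 'Derived role' line with the next 'User Authentication
    Successful' line and report whether the derived role was applied.
    Returns one dict per completed login."""
    pending = None
    findings = []
    for line in log_text.splitlines():
        m = DERIVED_RE.search(line)
        if m:
            pending = {"derived_role": m.group("role"), "server_group": m.group("group")}
            continue
        m = FINAL_RE.search(line)
        if m:
            finding = {
                "user": m.group("user"),
                "applied_role": m.group("role"),
                "derived_role": pending["derived_role"] if pending else None,
                "server_group": pending["server_group"] if pending else None,
            }
            # A derived role that differs from the applied role is the symptom
            # discussed in this thread (the user lands in default-via-role).
            finding["role_ignored"] = (
                finding["derived_role"] is not None
                and finding["derived_role"] != finding["applied_role"]
            )
            findings.append(finding)
            pending = None
    return findings


def ignored_logins(log_text):
    """Names of users whose server-derived role was not the role applied."""
    return [f["user"] for f in audit_role_derivation(log_text) if f["role_ignored"]]


if __name__ == "__main__":
    for label, text in (("6.1.1.0", LOG_6110), ("6.1.2.3", LOG_6123)):
        for f in audit_role_derivation(text):
            status = "MISMATCH" if f["role_ignored"] else "ok"
            print(f"{label}: {f['user']} derived={f['derived_role']} "
                  f"applied={f['applied_role']} -> {status}")
```

Run it against a pasted "show log user" capture; any login reported as MISMATCH is one where the derivation rule fired (so the rule and the server group are configured correctly) but the controller still fell back to the profile's default role, which separates a configuration problem from the bug behaviour described in this thread.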