ArubaOS and Controllers

MVP
Posts: 287
Registered: ‎11-04-2008

Confused server-group derivation rule

In the configuration guide and in the default profiles for server-group derivation rules, they always showed “set role condition Class value-of (?)”.


(NERHDC02) #show aaa server-group RADIUS-SVR

Role/VLAN derivation rules
---------------------------
Priority  Attribute  Operation  Operand  Type    Action    Value  Validated
--------  ---------  ---------  -------  ----    ------    -----  ---------
1         Class      value-of            String  set role         Yes




When debugging a dot1x client, this derivation rule causes an error, as seen in this log:




Things work better when I remove this server-group derivation rule:


  • For captive portal, the authenticated guest gets the role I defined in guest aaa profile, instead of Aruba default “guest” role.
  • For 802.1x authentications, no more errors in log.


What is this server-group derivation rule for? Any ideas?

Regards,

Trinh

~Trinh Nguyen~
Boys Town
Guru Elite
Posts: 20,759
Registered: ‎03-29-2007

What that is supposed to do



That derivation rule is supposed to receive a RADIUS attribute "Class" and change the role of the user to whatever "Class" returns. You are getting that error because you do not have any "Class" attribute returned from your RADIUS server, OR the Class attribute that is returned does not correspond to any role. That way you can have several conditions, for example, and return a different Class attribute for each condition, and put users into a different role for each.


Colin Joseph
Aruba Customer Engineering
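
The two failure cases named in the answer above (no Class returned, or a Class that matches no role), as an added example that is not part of the original thread and not ArubaOS code: a small audit that checks what each RADIUS policy would return against the roles defined on the controller. The role names, policy names and Class values are constructed, and exact case-sensitive matching with "first matching value wins" is an assumption.

```python
# Added illustration, not ArubaOS code. Role names, policy names and
# Class values below are constructed sample data.

def evaluate_class_rule(class_attrs, defined_roles):
    """Model the rule 'Class value-of -> set role' for one Access-Accept.

    class_attrs: raw Class attribute values (bytes); RADIUS allows zero or more.
    defined_roles: role names configured on the controller.
    Returns (role, reason); role is None when the rule cannot set a role.
    Assumptions: exact, case-sensitive match; first matching value wins.
    """
    if not class_attrs:
        return None, "no Class attribute returned"
    for raw in class_attrs:
        try:
            value = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # opaque binary Class, cannot be a role name
        if value in defined_roles:
            return value, "Class matches a defined role"
    return None, "Class does not correspond to any role"


def audit_policies(policies, defined_roles):
    """Return {policy: reason} for every policy the rule would fail on."""
    findings = {}
    for name, class_attrs in policies.items():
        role, reason = evaluate_class_rule(class_attrs, defined_roles)
        if role is None:
            findings[name] = reason
    return findings


# Constructed sample data: controller roles and per-policy Class values.
ROLES = {"employee", "contractor", "guest-auth"}
POLICIES = {
    "staff-dot1x": [b"employee"],            # matches a role
    "contractor-dot1x": [b"Contractor"],     # case differs from the role name
    "guest-portal": [],                      # server returns no Class
    "legacy-policy": [b"\x8f\x01\x00\x02"],  # binary Class, not a role name
}

if __name__ == "__main__":
    for policy, reason in audit_policies(POLICIES, ROLES).items():
        print(f"{policy}: {reason}")
```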


MVP
Posts: 287
Registered: ‎11-04-2008

Re: Confused server-group derivation rule

Thanks Colin. You hit the nail on the head!
~Trinh Nguyen~
Boys Town