ArubaOS and Controllers

Occasional Contributor II

where is my mistake about user-derivation-rules?


I want to configure the user-derivation-rules in the AC
and realize these functions:

When notebook-A with MAC 11:11:11:11:11:11 connects to the SSID, it gets the "denyall" role; other notebooks get the initial-role "logon".

But when I use my notebook-A to connect to the SSID, I still get the logon role in my AC. Where did I make the mistake?

I don't want to control notebook-A by MAC address authentication; I just want to know how to use the derivation-rules.

Thanks very much!

======================This is my config==============================================

aaa derivation-rules user notebook-derivation-rules
set role condition mac-addr equals "11:11:11:11:11:11" set-value denyall

aaa profile "default"
inital-role logon
aaa derivation-rules user notebook-derivation-rules

user-role logon
captive-portal "test"
session-acl logon-control
session-acl captiveportal
session-acl vpnlogon
ipv6 session-acl v6-logon-control
user-role authenticated
session-acl allowall
ipv6 session-acl v6-allowall

aaa authentication captive-portal "test"
server-group "internal"

local-uesedb add username luojichen password 19880815
Guru Elite

Re: where is my mistake about user-derivation-rules?

1. Turn on user debugging:

config t
logging level debugging user-debug mac 11:11:11:11:11:11

2. Delete the user from the user table:

aaa user delete mac 11:11:11:11:11:11

3. Associate the user and observe the role

4. Paste in the logs here:

show log user-debug 50
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.