Occasional Contributor II

where is my mistake about user-derivation-rules?

Hi,

I want to configure user-derivation-rules in the AC
and achieve the following:

When notebook-A with MAC 11:11:11:11:11:11 connects to the SSID, it gets the "denyall" role; other notebooks get the initial-role "logon".

But when I use my notebook-A to connect to the SSID, I still get the logon role in my AC. Where did I make the mistake?

I don't want to control notebook-A by MAC address authentication, I just want to know how to use the derivation-rules.

Thanks very much!


======================This is my config==============================================

aaa derivation-rules user notebook-derivation-rules
set role condition mac-addr equals "11:11:11:11:11:11" set-value denyall


aaa profile "default"
inital-role logon
aaa derivation-rules user notebook-derivation-rules

user-role logon
captive-portal "test"
session-acl logon-control
session-acl captiveportal
session-acl vpnlogon
ipv6 session-acl v6-logon-control
!
user-role authenticated
session-acl allowall
ipv6 session-acl v6-allowall
!

aaa authentication captive-portal "test"
server-group "internal"
guest-logon
protocol-http


local-uesedb add username luojichen password 19880815

Guru Elite

Re: where is my mistake about user-derivation-rules?

1. Turn on user debugging:

config t
logging level debugging user-debug mac 11:11:11:11:11:11

2. Delete the user from the user table:

aaa user delete mac 11:11:11:11:11:11

3. Associate the user and observe the role

4. Paste in the logs here:

show log user-debug 50


Colin Joseph
Aruba Customer Engineering
