Command of the Day

Reply
Aruba Employee
Posts: 34
Registered: ‎03-29-2007

COTD: aaa derivation-rules

Did you know about this command?
"aaa derivation-rules"
You probably did yes, but did you know everything that it can do?
There are 2 major subsections to this command. Server rules and user rules. Server rules are processed *when the user is successfully authenticated by the named auth server*. User rules are processed *when associated*.
Server rule examples ("aaa derivation-rules server my-radius-server"):
"set role condition Filter-id value-of": set the role of the user to the value of what is returned by the server in the Filter-id attribute
"set vlan condition Filter-id value-of": set the VLAN of the user to the value of what is returned by the server in the Filter-id attribute
"set role condition Filter-id equal 34 set-value thirty-fourth-floor" specify the role of the user based on an exact match of the Filter-id attribute. Note there are many variants of this, like "begins-with" etc.
User rule examples ("aaa derivation-rules user"):
"set role condition macaddr start-with 00:12:34 set-value voip-role" Set the role of the user to "voip-role" if the user has an OUI of "00:12:34" aka OUI authentication
"set role condition encryption-type equals wep set-value restrictive-role" Set the role of any user connecting with WEP encryption to be "restrictive role".
Advanced usage:
Here are the items that can be used in a user derivation rule:
bssid, dhcp-option-77, encryption-type, essid, location, macaddr
What's dhcp-option-77? Ref: http://www.ietf.org/rfc/rfc3004.txt
You can ALSO use these in a _server_ based derivation rule like this:
aaa derivation-rules server my-radius-server
set role condition location equals 10.0.0 set-value "dorms"
This means that you can easily apply different roles for 802.1x authenticated users, depending on their location, their essid, encryption-type etc. What's the difference between this and a user based location derivation? The user based rule is applied _when associated_, ie before any authentication and then 802.1x authentication occurs thereby overriding the role with the default 802.1x role. This lets you change the derived role based on successful server authentication ASWELL as specific user attributes.
Search Airheads
Showing results for 
Search instead for 
Did you mean: