Command of the Day

Guru Elite
Posts: 19,972
Registered: 03-29-2007

COTD: aaa user add a.b.c.d role <rolename>

Have you ever wanted to immediately change the role of a user? Your user might have gotten the wrong role and you want to switch him into the right role. This is what the aaa user add command is for. I have an existing user, IP address 1.1.1.249, in the logon role below, stuck at the captive portal:

(Aruba3600) #show user

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
1.1.1.249 00:25:07:37:b7:f2 logon 00:00:16 MeshPortal Wireless CatchMe/00:1a:1e:87:40:a0/g default-dot1x
1.1.1.250 00:21:6a:7d:eb:66 sbuhguest@cbcc.com guest 00:06:53 Web MeshPortal Wireless CP/00:1a:1e:72:40:a1/g-HT CP-aaa_prof

User Entries: 2/2


If I wanted to allow him to bypass the captive portal immediately, I would do "aaa user add 1.1.1.249 role guest" on the command line and his role would be changed. He would then be able to access the internet without logging in.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
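Because "aaa user add" moves a user into a role without any authentication, it helps to be able to spot such users later in the "show user" table. The following is an added example, not code from the thread or from Aruba: a Python parser for the fixed-width "show user" output that uses the dashed ruler line to recover column boundaries (so empty Name and Auth cells survive), plus a check that flags users holding a non-logon role with an empty Auth column. The sample output is constructed from the table above (the third row, 1.1.1.251, is made up), and the "empty Auth means manually assigned role" reading is an assumption drawn from that table, not a documented rule.

```python
import re
from typing import Dict, List

# Constructed sample of ArubaOS "show user" output modelled on the thread's table;
# the third row (1.1.1.251) is made up to represent a user re-roled by hand.
SHOW_USER = """\
Users
-----
IP           MAC                Name                Role   Age(d:h:m)  Auth  VPN link  AP name     Roaming   Essid/Bssid/Phy              Profile
-----------  -----------------  ------------------  -----  ----------  ----  --------  ----------  --------  ---------------------------  -------------
1.1.1.249    00:25:07:37:b7:f2                      logon  00:00:16                    MeshPortal  Wireless  CatchMe/00:1a:1e:87:40:a0/g  default-dot1x
1.1.1.250    00:21:6a:7d:eb:66  sbuhguest@cbcc.com  guest  00:06:53    Web             MeshPortal  Wireless  CP/00:1a:1e:72:40:a1/g-HT    CP-aaa_prof
1.1.1.251    00:1f:16:1d:fb:ed                      guest  00:00:02                    MeshPortal  Wireless  CP/00:1a:1e:72:40:a1/g-HT    CP-aaa_prof

User Entries: 3/3
"""

def parse_show_user(output: str) -> List[Dict[str, str]]:
    """Split each user row on the column spans given by the dashed ruler, so blank
    cells (no Name, no Auth) survive instead of shifting the later columns left."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if re.fullmatch(r"(-+\s*)+", line) and lines[i - 1].startswith("IP"):
            header, ruler = lines[i - 1], line
            break
    else:
        raise ValueError("no column ruler found in 'show user' output")
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
    names = [header[s:e].strip() for s, e in spans]
    starts = [s for s, _ in spans] + [None]  # last column runs to end of line
    rows = []
    for line in lines[i + 1:]:
        if not line.strip() or line.startswith("User Entries"):
            continue
        cells = [line[starts[j]:starts[j + 1]].strip() for j in range(len(spans))]
        rows.append(dict(zip(names, cells)))
    return rows

def unauthenticated_role_holders(rows: List[Dict[str, str]], initial_role: str = "logon") -> List[Dict[str, str]]:
    """Users outside the initial role whose Auth cell is empty. Authenticated users
    show a method there (Web, 802.1x-Wired); an empty Auth on an elevated role is
    consistent with a role set by hand via 'aaa user add' (assumption, see lead-in)."""
    return [r for r in rows if r["Role"] != initial_role and not r["Auth"]]

if __name__ == "__main__":
    for user in unauthenticated_role_holders(parse_show_user(SHOW_USER)):
        print(f"{user['IP']} {user['MAC']} holds role {user['Role']!r} with no Auth method")
```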
MVP
Posts: 485
Registered: 04-03-2007

Re: COTD: aaa user add a.b.c.d role <rolename>

This certainly has been useful for me in the past, especially when I want to test new or changed policies. Good addition to the COTD.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Occasional Contributor II
Posts: 41
Registered: 09-07-2009

Re: COTD: aaa user add a.b.c.d role <rolename>

I did try this out on a controller running 3.3.2.18-rn-3.1.3 with wired RAP-2 or RAP-5 users. After applying "aaa user add a.b.c.d role CORP", the user table said the role changed to CORP, but the CORP ACL didn't apply properly and the user stayed on the previous user role "QNET".

Is there something else that I need to do after executing this command?
Guru Elite
Posts: 19,972
Registered: 03-29-2007

aaa user add

Meesick,

You did not say if the user is tunneled, split tunneled, etc. If you use "show datapath session table", that will only show you flows for tunneled users or traffic going back to the controller for split-tunneled users. If you use "show datapath session ap-name table", it will show you all of the flows of that split-tunneled or bridged user and whether they are being policed by the new firewall policy.

If you use the "aaa user add" command, any EXISTING flows that have already been initiated by the user will continue. Any NEW flows will be subject to the new firewall policies. To clear all of the existing flows, you would use "aaa clear-sessions".
Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 41
Registered: 04-03-2007

Re: COTD: aaa user add a.b.c.d role <rolename>

What about deleting the user session (aaa delete user x.x.x.x) and then creating a new one?

I have an issue once in a while where a client closes their laptop, walks around from AP to AP, and then cannot get a connection because of an existing session.
Occasional Contributor II
Posts: 41
Registered: 09-07-2009

Re: COTD: aaa user add a.b.c.d role <rolename>

> Meesick,
>
> You did not say if the user is tunneled, split tunneled, etc. If you use "show datapath session table", that will only show you flows for tunneled users or traffic going back to the controller for split-tunneled users. If you use "show datapath session ap-name table", it will show you all of the flows of that split-tunneled or bridged user and whether they are being policed by the new firewall policy.
>
> If you use the "aaa user add" command, any EXISTING flows that have already been initiated by the user will continue. Any NEW flows will be subject to the new firewall policies. To clear all of the existing flows, you would use "aaa clear-sessions".

Ah ha! Thanks, Colin!

This is in split tunneled mode.

On 3.3.2.18-rn-3.1.3, I can only find "aaa user clear-sessions" and not "aaa clear-sessions". Does it do the same thing?

After doing "aaa user add" and "aaa user clear-sessions", the user role did change but the "AP name" also changed to "N/A". Here is what I see:

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------
172.1.1.240 00:1f:16:1d:fb:ed host/abc.com CORP 00:00:45 802.1x-Wired N/A Associated(Remote) /01:80:c2:00:00:03/wired CORP split tunnel
Guru Elite
Posts: 19,972
Registered: 03-29-2007

Firewall Policies

aaa user clear sessions IS the correct command. Thanks.

The N/A is a bug that has been identified in the RN code on split-tunnel users. The fix will appear in the upcoming ArubaOS 5.0 code.
Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 41
Registered: 09-07-2009

Re: COTD: aaa user add a.b.c.d role <rolename>

> aaa user clear sessions IS the correct command. Thanks.
>
> The N/A is a bug that has been identified in the RN code on split-tunnel users. The fix will appear in the upcoming ArubaOS 5.0 code.

Perfect! Thanks again!