Controller Based WLANs

When can we see users in the user-role "sys_mip_role"?
Q:

When can we see users in the user-role "sys_mip_role"? 

How is the "sys_mip_role" created on the controller? 



A:

When IP mobility is configured between two controllers and a user roams from the home agent (HA) to the foreign agent (FA), the visitor on the FA is placed in a dynamically created user-role named "sys_mip_role_xxxxxx_yy", where xxxxxx is the last 24 bits of the MAC address of the FA and yy is the tunnel ID of the tunnel between the HA and the FA.

For example, we have two controllers, "Controller-A" and "Controller-B", where "Controller-A" is the HA and "Controller-B" is the FA.


The last 24 bits of the "Controller-A" MAC address are 213d8.

(Controller-A)#show inventory | include MAC 
HW MAC Addr                   : 00:1a:1e:02:13:d8 to 00:1a:1e:02:13:f0


The last 24 bits of the "Controller-B" MAC address are 0dcc8.

(Controller-B)#show inventory | include MAC 
HW MAC Addr                   : 00:1a:1e:00:dc:c8 to 00:1a:1e:00:dc:d0


On "Controller-A", we can see that the user is away.

(Controller-A)#show user-table  

Users
-----
    IP               MAC            Name                         Role                     Age(d:h:m)  Auth    VPN link  AP name         Roaming       Essid/Bssid/Phy               Profile       Forward mode  Type       Host Name
----------      ------------       ------                        ----                     ----------  ----    --------  -------         -------       ---------------               -------       ------------  ----       ---------

192.168.23.123  14:1a:a3:ab:67:55  testuser@test.com            guest                    00:07:04    Web               AP-123-12-AAAA   Away          MOBILITY/84:d4:7e:d4:65:c1/g   MOBILITY-AAA  tunnel        Android        

 

When the user roams to the FA, the same user appears on "Controller-B" as a visitor in the user-role sys_mip_role_0dcc8_669, where 0dcc8 is the last part of the hardware MAC address of "Controller-B" and 669 is the tunnel ID of the tunnel between the HA and the FA.

(Controller-B)#show user-table  

Users
-----
    IP               MAC            Name                      Role                    Age(d:h:m)  Auth    VPN link  AP name         Roaming   Essid/Bssid/Phy                  Profile       Forward mode  Type       Host Name
----------      ------------       ------                     ----                    ----------  ----    --------  -------         -------   ---------------                  -------       ------------  ----       ---------

192.168.23.123  14:1a:a3:ab:67:55  testuser@test.com         sys_mip_role_0dcc8_669  00:02:23    MAC               AP-456-12-AAAA   Visitor   MOBILITY/40:e3:d6:c4:54:21/g      MOBILITY-AAA  tunnel        Android  

 

The sys_mip_role_xxxxxx_yy role is a dynamically created system role and therefore cannot be edited.

(Controller-B)#show rights | include sys_mip_role_0dcc8_669 
sys_mip_role_0dcc8_669      159  Up: No Limit,Dn: No Limit                                    sys_mip_sacl_0dcc8_669/,sys_mip_ethacl_0dcc8_669/                                                                                                                                            System (not editable) 
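
When auditing which sessions are running under this non-editable system role, the role name can be decoded back to a controller and tunnel. The following is an added example, not Aruba code: it finds sys_mip_role rows in "show user-table" output and matches the MAC suffix to a controller. The function names are hypothetical, and the zero-padded suffix comparison is an assumption drawn from the two MAC addresses shown above.

```python
import re

# Role name format described above: sys_mip_role_<MAC suffix>_<tunnel id>
ROLE_RE = re.compile(r"^sys_mip_role_([0-9a-f]{1,6})_(\d+)$", re.I)
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Base hardware MACs from the "show inventory" output on this page.
CONTROLLERS = {
    "Controller-A": "00:1a:1e:02:13:d8",
    "Controller-B": "00:1a:1e:00:dc:c8",
}

# Two rows copied from the "show user-table" output on this page (columns trimmed).
SAMPLE = """\
192.168.23.123  14:1a:a3:ab:67:55  testuser@test.com  guest                   00:07:04  Web  AP-123-12-AAAA  Away
192.168.23.123  14:1a:a3:ab:67:55  testuser@test.com  sys_mip_role_0dcc8_669  00:02:23  MAC  AP-456-12-AAAA  Visitor
"""

def parse_mip_role(role):
    """Return (mac_suffix, tunnel_id) for a mobility role name, else None."""
    m = ROLE_RE.match(role)
    return (m.group(1).lower(), int(m.group(2))) if m else None

def suffix_matches(suffix, hw_mac):
    """Assumption: the suffix is the MAC's low 24 bits with leading zeros dropped."""
    low24 = "".join(hw_mac.lower().split(":")[3:])
    return suffix.zfill(6) == low24

def mobility_visitors(user_table_text, controllers):
    """List user-table rows whose role is a sys_mip_role, with the matching controller."""
    found = []
    for line in user_table_text.splitlines():
        fields = line.split()
        # Data rows start with IP then client MAC; this skips headers and rulers.
        if len(fields) < 3 or not MAC_RE.match(fields[1]):
            continue
        # Scan every token so a missing or multi-word Name column does not shift the role.
        for token in fields[2:]:
            parsed = parse_mip_role(token)
            if parsed:
                suffix, tunnel_id = parsed
                owner = next((n for n, mac in controllers.items()
                              if suffix_matches(suffix, mac)), None)
                found.append({"ip": fields[0], "mac": fields[1], "role": token,
                              "controller": owner, "tunnel_id": tunnel_id})
                break
    return found

if __name__ == "__main__":
    for row in mobility_visitors(SAMPLE, CONTROLLERS):
        print(row)
```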

 

Version History
Revision #: 2 of 2
Last update: 03-29-2017 12:02 PM