Clients not getting role based on access rule if operand is MAC address or DHCP option?

Aruba Employee
Q:

Clients not getting role based on access rule if operand is MAC address or DHCP option?



A:

The information below is required for MAC authentication.

When a MAC address or DHCP option is configured as the attribute for role-based assignment, we might notice that the client gets the default role instead of the role specified in the rule.


Command: show derivation-rules 

SSID:test
Role Derivation Rules
---------------------
Attribute    Operation  Operand            Role Name  Index  Hits
---------    ---------  -------            ---------  -----  ----
mac-address  contains   f8:cf:c5:7c:9c:c5  mac-based  8       0


Jan  1 15:47:42  stm[2812]: is_ssid_authentication_mac_enabled: 10400: essid test mac authentication enable 
Jan  1 15:47:42  stm[2812]: pap_authenticate:  auth_type :2, username :f8:cf:c5:7c:9c:c5, essid test
Jan  1 15:47:42  stm[2812]: pap_authenticate after convert the username f8:cf:c5:7c:9c:c5 and password f8:cf:c5:7c:9c:c5
Jan  1 15:47:42  stm[2812]: __HIGHER_PRECEDENCE_COMPARE: 1076: matched_rule_index=67fff, sap_sta->acl_rule_index=0, precedence_result=1
Jan  1 15:47:42  cli[2788]: <541004> <WARN> |AP 04:bd:88:cd:5c:04@10.1.1.253 cli|  recv_stm_sta_update: receive station msg, mac-f8:cf:c5:7c:9c:c5 bssid-04:bd:88:55:c0:41 essid-test.
Jan  1 15:47:42  stm[2812]: stm_send_sta_update: Sending sta update msg to CLI0, mac='f8:cf:c5:7c:9c:c5'
Jan  1 15:47:42  stm[2812]: user_auth_handler: 10929: Get session timeout '0', idle timeout '1000', username 'f8:cf:c5:7c:9c:c5' 
Jan  1 15:47:42  cli[2788]: <541004> <WARN> |AP 04:bd:88:cd:5c:04@10.1.1.253 cli|  recv_stm_sta_update: receive station msg, mac-f8:cf:c5:7c:9c:c5 bssid-04:bd:88:55:c0:41 essid-test.
Jan  1 15:47:42  stm[2812]: stm_send_sta_update: Sending sta update msg to CLI0, mac='f8:cf:c5:7c:9c:c5'
Jan  1 15:47:42  stm[2812]: stm_start_acct_for_post_1xauth_user: 17266: ip not ready for sta 'f8:cf:c5:7c:9c:c5' 
Jan  1 15:47:42  stm[2812]: recv_radius_acct_multi_session_id: 17223: got mac='f8:cf:c5:7c:9c:c5', name='(null)', start_time='56862 (Thu Jan  1 15:47:42 1970 )'
Jan  1 15:47:42  stm[2812]: stm_start_acct_for_post_1xauth_user: 17266: ip not ready for sta 'f8:cf:c5:7c:9c:c5' 
Jan  1 15:47:42  dnsmasq-dhcp[11284]: Vlan id: 3333 
Jan  1 15:47:42  dnsmasq-dhcp[11284]: DHCPREQUEST(br0) 172.31.98.124 f8:cf:c5:7c:9c:c5 
Jan  1 15:47:42  dnsmasq-dhcp[11284]: DHCPACK(br0) 172.31.98.124 f8:cf:c5:7c:9c:c5 android-a18a87cd64a46b1d


This issue can be seen when the MAC address entered in the String column contains a delimiter.
By design, the operand for mac-address or dhcp-option based derivation should not include any delimiter.

To avoid this, enter the MAC address in the format below.

set-role mac-address contains f8cfc57c9cc5 mac-based
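
A way to audit for this condition, as an added example that is not part of the original article or Aruba's tooling: the script parses "show derivation-rules" output in the layout shown above, flags mac-address rules whose operand contains delimiters, and prints the corrected set-role line. The sample output is constructed, and single-word role names are an assumption.

```python
import re

# Constructed sample in the "show derivation-rules" layout shown above.
SAMPLE = """\
SSID:test
Role Derivation Rules
---------------------
Attribute    Operation  Operand            Role Name  Index  Hits
---------    ---------  -------            ---------  -----  ----
mac-address  contains   f8:cf:c5:7c:9c:c5  mac-based  8       0
mac-address  contains   f8cfc57c9cc5       mac-based  9       4
"""

DELIMS = re.compile(r"[:.\-]")            # common MAC delimiters
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")


def audit(output):
    """Return one finding per mac-address rule whose operand has delimiters."""
    findings = []
    ssid = None
    for line in output.splitlines():
        if line.startswith("SSID:"):
            ssid = line.split(":", 1)[1].strip()
            continue
        cols = line.split()
        # Data rows: attribute, operation, operand, role, index, hits.
        # Assumption: role names are a single token (no spaces).
        if len(cols) != 6 or cols[0] != "mac-address" or not cols[5].isdigit():
            continue
        attr, op, operand, role, index, hits = cols
        if not DELIMS.search(operand):
            continue                       # already delimiter-free
        stripped = DELIMS.sub("", operand)
        if not HEX_ONLY.match(stripped):
            continue                       # not MAC-like; review by hand
        findings.append({
            "ssid": ssid, "index": int(index), "hits": int(hits),
            "operand": operand,
            "fix": f"set-role {attr} {op} {stripped.lower()} {role}",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"SSID {f['ssid']} rule {f['index']} (hits={f['hits']}): "
              f"operand {f['operand']!r} has delimiters -> {f['fix']}")
```

A flagged rule with a Hits count of 0, as in the output above, is consistent with clients falling through to the default role.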

Version history
Revision #: 2 of 2
Last update: 08-08-2016 12:18 PM