Role derivation based on MAC address for Open or PSK based SSID

Aruba Employee
Aruba Employee

There are several ways to assign user-role for a user and this article describes about how user-role could be assigned using role derivation based on MAC address for a Open or PSK based SSID.


Administrators can now differentiate roles for users connecting in Open or PSK based SSID based on MAC address.


Environment : This article applies to all Instant Access Points running 4.1 and later.


rtaImage (2).png


Create a new SSID as shown below


rtaImage (3).png


Choose VLAN assignment as needed

rtaImage (4).png


Security could be Open or PSK based.


rtaImage (5).png


Choose Role based under access rule and under Role assignment rules choose parameters as shown below and click finish.

In the below screenshot, a role derivation is created to assign clients in allow all role when their MAC address starts with 0061.


rtaImage (6).png


With the above configuration part is done.


From "show running-config" we could validate if role derivation based on MAC address has been applied to the created SSID.


rtaImage (7).png


The user who's mac address starts with 0061 got assigned in Allowall role where as other/rest of the user got assigned in "Guest" role in which we have restriction. Same can be seen from Web UI when clicked on client banner.


rtaImage (8).png


rtaImage (9).png


  1. Make sure the role derivation is properly configured in SSID profile(from CLI/WebUI) and also it contains MAC addresses for which ever user needs to be in Allowall role.
  • From WebUI:

rtaImage (10).png

  • From CLI:

rtaImage (11).png


Version history
Revision #:
1 of 1
Last update:
‎04-09-2015 04:17 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: