Controllerless Networks

Occasional Contributor I

IAP OS: Add 2 variables to role assignment

Hi everyone,

Having a bit of an issue with a limitation of role assignment in Aruba InstantOS. I have a few rules set up to assign users to certain roles etc. But I am looking to block phones for our WiFi network now, but I would like management to be exempt from this rule.

So I would really like to have:

devicetype = iphone AND user = staff THEN add to role denied.

But the InstantOS only seems to give one variable option; I can do device type or user but not both.

Has anyone else come across this issue? Or is there another way I should be doing this?

Thanks guys!

Guru Elite

Re: IAP OS: Add 2 variables to role assignment

You would need an external policy server like ClearPass to execute that logic.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor I

Re: IAP OS: Add 2 variables to role assignment

Wow, just had a look at the pricing for ClearPass, I'm going to clear pass on that one!

Already spent a fortune on these Instant APs, don't feel like I should have to spend thousands more just to block iPhones for non-management staff.

Contributor I

Re: IAP OS: Add 2 variables to role assignment

That is pretty standard; you will have to have another system able to profile the devices. Usually any system able to support RADIUS could potentially do this. How do you get your users on an 802.1X-enabled SSID?

Occasional Contributor I

Re: IAP OS: Add 2 variables to role assignment

The Aruba system does seem to be able to profile devices at the moment. I can select OS type = "iphone" and add them to a role called iphone. I also have staff assigned to a variable coming from RADIUS and they can go in a separate role with bandwidth restrictions etc. I just can't use both at the same time.

Using NPS on a Server 2012 box, but we're doing user authentication (to separate our management etc.) rather than machine auth for the RADIUS, so as far as I am aware it can't profile the devices like we want.
