Controllerless Networks

Occasional Contributor II

Role-based access rules not being applied

I have created a Role based access rule on an Instant AP 105 that is to be applied to the client based on the ssid they connect to. However, the only access rule that is ever applied is from the default Role created when creating an ssid. Any idea why the Role based access rule never gets applied and the Role never changes?

 

Attribute = aruba-essid-name Operator = equals String = RED Role = IG

 

When clients connect to ssid RED they should get Role "IG", yes? But instead they only get the default Role. What am I missing?

Aruba

Re: Role-based access rules not being applied

Are you doing machine auth as well? That could explain why the role is not getting applied, as you need to auth both the device and the user for this to occur. What is your auth mechanism? Internal to the IAP? Captive Portal? External RADIUS?

 

Can you post some of your config removing any client specifics? WLAN section as well as Auth and roles.

 

Adam



| Adam Kennedy, Systems Engineer - adamk@hpe.com

| Service Providers – Aruba, an HPE Company

| Twitter: @adam8021x | Airheads: akennedy
Occasional Contributor II

Re: Role-based access rules not being applied

No machine auth. Just basic WPA-2 Personal. Here is the snippet of config I think would be setting the Role:

 

wlan ssid-profile RED
 index 0
 type employee
 essid RED
 wpa-passphrase d4f4ce460e56ce7adaa288a43e9c4ffac5d784fafda7720c
 opmode wpa2-psk-aes
 max-authentication-failures 0
 auth-server InternalServer
 set-role Aruba-Essid-Name equals RED IG
 rf-band all
 captive-portal disable

 

However, the only Role that gets applied is the default Role that gets created when the ssid is created.

 

Then the next question: can you only apply one Role-based access rule set per IAP? I have a BLUE ssid created that has a default BLUE Role-based rule set. BUT, when I apply the BLUE Role-based rule set to the BLUE ssid it appears to save, but when I go back in and look at the Access tab it has the Access set to Network-Based with the rules I created for the BLUE Role?

Aruba

Re: Role-based access rules not being applied

What code version are you running? I'm running 3.3.0.2 on a 2x IAP cluster I have up in my lab and I'm seeing the same issue. Confirm the version and I will ping PLM internally. Note that if this is/was a known issue, it may be patched in current code - but my IAPs are live on our cloud management platform and there is a slight lag b/w current GA code and supported code on Aruba Central.

 

Please confirm.

 

Adam



Occasional Contributor II

Re: Role-based access rules not being applied

6.2.0.0-3.2.0.4_38110 and 6.2.1.0-3.4.0.3_40346

 

Seems to be happening on both.

Aruba

Re: Role-based access rules not being applied

Thanks, leave it with me for the moment...will reply back asap.

 

Adam



Occasional Contributor II

Re: Role-based access rules not being applied

FYI - after opening a case with TAC I was told that Role-based access control only works when using an external auth server, RADIUS.

Aruba

Re: Role-based access rules not being applied

kconley, thanks for sharing your findings - could have sworn you could do this in a previous release - but trust those in TAC. Have a thread on this internally and if anything of interest comes up, will post back. Cheers and thanks!



Aruba Employee

Re: Role-based access rules not being applied

Hi,


We do support role derivation without using an external RADIUS server, but we can only derive based on inherent attributes such as MAC address, and not RADIUS attributes such as Aruba-Essid-Name.

 

Also, could I ask why we are trying to derive based on Aruba-Essid-Name? Because it seems redundant, as the default role is already per-SSID. If the goal is to define a different access policy for each SSID, then just setting the policy in the default role (or just using network-based access control) should be enough.

 

Role derivation is geared toward giving different roles to different clients even if they are on the same SSID.

 

Thanks,


Yan
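To make the point above checkable, here is an added example (not from this thread, and not Aruba's own tooling) that scans an IAP config dump for set-role rules keyed on a RADIUS attribute while the profile's only auth-server is the internal one; the sample config and the server name InternalServer are taken from the thread, the BLUE profile is constructed.

```python
import re
from typing import Dict, List

# Constructed sample (hypothetical): the RED profile from this thread, with the
# passphrase removed, plus a BLUE profile that relies on its default role.
SAMPLE_CONFIG = """\
wlan ssid-profile RED
 essid RED
 opmode wpa2-psk-aes
 auth-server InternalServer
 set-role Aruba-Essid-Name equals RED IG
wlan ssid-profile BLUE
 essid BLUE
 opmode wpa2-psk-aes
 auth-server InternalServer
"""

# Per the thread: without an external RADIUS server, derivation rules on
# RADIUS attributes such as Aruba-Essid-Name are never evaluated.
RADIUS_ONLY_ATTRIBUTES = {"aruba-essid-name"}
INTERNAL_SERVERS = {"internalserver"}

def parse_ssid_profiles(text: str) -> Dict[str, List[str]]:
    """Split an IAP config dump into {profile name: [its indented lines]}."""
    profiles: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        m = re.match(r"^wlan ssid-profile (\S+)", raw)
        if m:
            current = m.group(1)
            profiles[current] = []
        elif current is not None and raw.startswith(" "):
            profiles[current].append(raw.strip())
    return profiles

def find_ineffective_set_roles(text: str) -> List[str]:
    """Report set-role rules that cannot fire because auth is internal-only."""
    findings = []
    for name, lines in parse_ssid_profiles(text).items():
        servers = {l.split()[1].lower() for l in lines if l.startswith("auth-server ")}
        internal_only = bool(servers) and servers <= INTERNAL_SERVERS
        for line in lines:
            if internal_only and line.startswith("set-role "):
                attr = line.split()[1].lower()
                if attr in RADIUS_ONLY_ATTRIBUTES:
                    findings.append(f"{name}: '{line}' needs an external RADIUS "
                                    "server; the default role will apply instead")
    return findings
```

Running `find_ineffective_set_roles(SAMPLE_CONFIG)` flags only the RED profile; swapping the auth-server for an external RADIUS server name clears the finding.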

Occasional Contributor II

Re: Role-based access rules not being applied

Role-based is how we were shown to do it in a sales pitch by an Aruba "guru". Thought it even worked. I have it working through network-based and see no reason to do it any other way. Thanks!
