Security

Are there options to store user derivation rules within radius attributes or some other method of using them instead of entering them on the controller in the "user rules" section of the AAA profile?  I am setting options based on mac address before the user authenticates.

 

You would just simply return the role or VLAN via RADIUS. No need for UDRs.

---

@abowen500 wrote:

Are there options to store user derivation rules within radius attributes or some other method of using them instead of entering them on the controller in the "user rules" section of the AAA profile?  I am setting options based on mac address before the user authenticates.

 

---

The short answer is yes, but the long answer will depend on what you are using user rules for.  What are you using the user derivation rules for?

 

I'm using them to set vlan and user role based on the client mac address.

Are you using authentication via radius for users?  Why don't you set the VLAN by AD group, instead writing a rule for each mac address?

Please see the post here:  http://community.arubanetworks.com/t5/Wireless-Access/Assigning-users-different-vlan-subnet-based-on-AD-group/m-p/61082/highlight/true#M2011

Prefer to use our perfectly capable Linux radius environment, our AD environment has proven to be inflexible by design and personnel. But I hear you.

Okay, then you need to return the Aruba-User-Vlan Attribute to set the VLAN for users in your radius response.  If you are using Freeradius, you can import the Aruba VSA dictionary here:  https://support.arubanetworks.com/ToolsResources/tabid/76/DMXModule/514/EntryId/115/Default.aspx