Security

Contributor I
Posts: 22
Registered: ‎09-07-2011

Another AAA profile user derivation rule question

Are there options to store user derivation rules within RADIUS attributes or some other method of using them instead of entering them on the controller in the "user rules" section of the AAA profile? I am setting options based on MAC address before the user authenticates.

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: Another AAA profile user derivation rule question

You would just simply return the role or VLAN via RADIUS. No need for UDRs.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Another AAA profile user derivation rule question


abowen500 wrote:

Are there options to store user derivation rules within RADIUS attributes or some other method of using them instead of entering them on the controller in the "user rules" section of the AAA profile? I am setting options based on MAC address before the user authenticates.


The short answer is yes, but the long answer will depend on what you are using user rules for.  What are you using the user derivation rules for?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 22
Registered: ‎09-07-2011

Re: Another AAA profile user derivation rule question

I'm using them to set VLAN and user role based on the client MAC address.

Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Another AAA profile user derivation rule question

Are you using authentication via RADIUS for users? Why don't you set the VLAN by AD group, instead of writing a rule for each MAC address?



Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Another AAA profile user derivation rule question

Please see the post here:  http://community.arubanetworks.com/t5/Wireless-Access/Assigning-users-different-vlan-subnet-based-on-AD-group/m-p/61082/highlight/true#M2011



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 22
Registered: ‎09-07-2011

Re: Another AAA profile user derivation rule question

Prefer to use our perfectly capable Linux RADIUS environment; our AD environment has proven to be inflexible by design and personnel. But I hear you.

Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Another AAA profile user derivation rule question

Okay, then you need to return the Aruba-User-Vlan attribute to set the VLAN for users in your RADIUS response. If you are using FreeRADIUS, you can import the Aruba VSA dictionary here: https://support.arubanetworks.com/ToolsResources/tabid/76/DMXModule/514/EntryId/115/Default.aspx



Colin Joseph
Aruba Customer Engineering
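
As an added illustration of the final reply (not code from the thread or from Aruba): a Python example that turns a per-MAC table, the kind otherwise entered as user derivation rules, into FreeRADIUS `users` file stanzas returning Aruba-User-Vlan, plus Aruba-User-Role from the same Aruba VSA dictionary. It assumes the controller sends the client MAC as both username and password, lowercase with no delimiter; the inventory, role names and VLAN IDs are constructed.

```python
import re

# Constructed inventory: MAC (any common notation) -> role, VLAN. All values are examples.
INVENTORY = [
    ("00:1A:2B:3C:4D:5E", "printer", 120),
    ("001a.2b3c.4d5f", "voip-phone", 130),
    ("00-1a-2b-3c-4d-60", "badge-reader", 140),
]

def normalize_mac(mac):
    """Return 12 lowercase hex digits, no delimiter (assumed MAC-auth username format)."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def build_users_entries(inventory):
    """Render FreeRADIUS 'users' file stanzas that return the Aruba role and VLAN VSAs."""
    seen, stanzas = {}, []
    for mac, role, vlan in inventory:
        key = normalize_mac(mac)
        if key in seen:
            # The users file stops at the first matching entry, so a duplicate
            # written in another notation would be silently shadowed.
            raise ValueError(f"duplicate MAC {key}: {seen[key]} vs {(role, vlan)}")
        if not re.fullmatch(r"[A-Za-z0-9_-]+", role):
            raise ValueError(f"unsafe role name: {role!r}")
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN out of range: {vlan}")
        seen[key] = (role, vlan)
        stanzas.append(
            f'{key} Cleartext-Password := "{key}"\n'
            f'\tAruba-User-Role = "{role}",\n'
            f'\tAruba-User-Vlan = {vlan}\n'
        )
    return "\n".join(stanzas)

if __name__ == "__main__":
    print(build_users_entries(INVENTORY))
```

The role names returned this way must already exist on the controller, and the Aruba dictionary has to be loaded in FreeRADIUS before the attribute names will parse.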
