Contributor I

Another AAA profile user derivation rule question

Are there options to store user derivation rules within RADIUS attributes or some other method of using them instead of entering them on the controller in the "user rules" section of the AAA profile? I am setting options based on MAC address before the user authenticates.

 

Guru Elite

Re: Another AAA profile user derivation rule question

You would just simply return the role or VLAN via RADIUS. No need for UDRs.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: Another AAA profile user derivation rule question


abowen500 wrote:

Are there options to store user derivation rules within RADIUS attributes or some other method of using them instead of entering them on the controller in the "user rules" section of the AAA profile? I am setting options based on MAC address before the user authenticates.

 


The short answer is yes, but the long answer will depend on what you are using user rules for. What are you using the user derivation rules for?

 

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Contributor I

Re: Another AAA profile user derivation rule question

I'm using them to set VLAN and user role based on the client MAC address.

Guru Elite

Re: Another AAA profile user derivation rule question

Are you using authentication via RADIUS for users? Why don't you set the VLAN by AD group, instead of writing a rule for each MAC address?

Guru Elite

Re: Another AAA profile user derivation rule question

Please see the post here: http://community.arubanetworks.com/t5/Wireless-Access/Assigning-users-different-vlan-subnet-based-on-AD-group/m-p/61082/highlight/true#M2011

Contributor I

Re: Another AAA profile user derivation rule question

Prefer to use our perfectly capable Linux RADIUS environment; our AD environment has proven to be inflexible by design and personnel. But I hear you.
Guru Elite

Re: Another AAA profile user derivation rule question

Okay, then you need to return the Aruba-User-Vlan attribute to set the VLAN for users in your RADIUS response. If you are using FreeRADIUS, you can import the Aruba VSA dictionary here: https://support.arubanetworks.com/ToolsResources/tabid/76/DMXModule/514/EntryId/115/Default.aspx

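
An added illustration of the approach discussed in this thread (not posted by any participant and not Aruba's own configuration): per-MAC entries in the FreeRADIUS `users` file that return the VLAN and role in the Access-Accept, replacing per-MAC user derivation rules on the controller. The MAC addresses, role names and VLAN IDs are constructed, and the MAC format and password convention are assumptions that must match what the controller's MAC authentication actually sends.

```conf
# FreeRADIUS "users" file (files module). Constructed sample entries.
#
# Assumptions:
#  - The Aruba VSA dictionary is loaded, so Aruba-User-Role and
#    Aruba-User-Vlan resolve to the Aruba vendor-specific attributes.
#  - The controller sends the client MAC as both User-Name and
#    User-Password, lowercase with no delimiters. Adjust the keys below
#    if the controller is set to a different case or delimiter.
#  - The role named in Aruba-User-Role already exists on the controller;
#    RADIUS only selects it, it does not define it.

# Device that needs both a role and a VLAN (hypothetical role "printer").
001a2b3c4d5e    Cleartext-Password := "001a2b3c4d5e"
                Aruba-User-Role = "printer",
                Aruba-User-Vlan = 120

# Device that only needs a VLAN; the role comes from the AAA profile's
# default for MAC authentication.
001a2b3c4d5f    Cleartext-Password := "001a2b3c4d5f"
                Aruba-User-Vlan = 130

# A MAC with no entry here matches nothing in this file, so it receives
# neither attribute from these rules.
```

Running the server in debug mode (`freeradius -X` or `radiusd -X`, depending on the distribution) while a listed device connects shows whether the entry matched and which reply attributes were sent.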