Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How are user rules applied to an AAA profile for our Guest network?

  • 1.  How are user rules applied to an AAA profile for our Guest network?

    Posted Sep 21, 2016 10:36 AM

    Please see the attached pictures.  In our testing, we have been able to apply a user derivation rule to set both a VLAN and a user access role to a client by its MAC address.  We have fewer than 20 special devices that need this treatment and we just wanted to make sure this is working as designed, not a bug, etc.  It seems that the user derivation rules are checked multiple times, or multiple settings are applied if it's a single pass through.

     

    The first picture shows a sample of the rules that set the VLAN and the authenticated user role.  The second picture shows the user rule configuration screen where we are applying these settings.

     

    Thanks!

     

    -Alan

     



  • 2.  RE: How are user rules applied to an AAA profile for our Guest network?

    Posted Sep 21, 2016 11:11 AM

     

    What type of authentication is used on this network?  User Derived Rules (UDRs) are useful when you have some exceptions to the norm for a specific AAA profile.  If you are using an external authentication server (RADIUS for 802.1X or MAC Authentication), you can set some of this from that end and not have to maintain the UDR on the controllers.

     

    It seems from your question that things are working?  So what exactly are you asking?  Also reference the attached authentication/role derivation workflow.

     

     



  • 3.  RE: How are user rules applied to an AAA profile for our Guest network?

    Posted Sep 21, 2016 11:21 AM

    Thanks clembo.  We want this to occur before authentication because many of these devices can't join an 802.1X network and don't have browsers for use with a captive portal.

     

    This is working, but I'm concerned about page 391 in the 6.4.x manual.  It says that the order of rules is important and the first matching condition is applied.  In my example, the same MAC address is in two rules.  The first rule sets the VLAN, the second sets the user role.  So it's being matched twice.

     

    "Working with User-Derived VLANs

     

    Attributes derived from the client’s association with an AP can be used to assign the client to a specific role or VLAN, as user-derivation rules are executed before the client is authenticated.

     

    You configure the user role or VLAN to be assigned to the client by specifying condition rules; when a condition is met, the specified user role or VLAN is assigned to the client. You can specify more than one condition rule; the order of rules is important as the first matching condition is applied. You can optionally add a description of the user rule."

     

    Again, this is working well and I just want to make sure that the behavior I'm seeing is legit.



  • 4.  RE: How are user rules applied to an AAA profile for our Guest network?

    Posted Sep 21, 2016 11:41 AM

    On the CLI, the commands imply that these are actually separate:

    aaa derivation-rules user MAC-Auth-List
      set vlan condition macaddr equals "12:34:56:78:90:AA" set-value 1 description "Test"
      set role condition macaddr equals "12:34:56:78:90:AA" set-value authenticated description "Test"
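The CLI output above shows "set vlan" and "set role" as two separate rule entries, which is consistent with the VLAN rules and the role rules being evaluated as independent first-match lists rather than one list where a single MAC can only ever hit once. The following Python script is an added illustration of that reading, not ArubaOS code and not from anyone in this thread; it models the behaviour the quoted CLI suggests (first match per target, in configured order) and normalizes MAC formats so that "12-34-56-78-90-aa" matches a rule written as "12:34:56:78:90:AA". The parser, the sample config (built from the lines above plus one extra constructed rule) and the operator set are assumptions for the example; confirm the real evaluation order against the controller itself.

```python
# Added example: a model of user-derivation-rule (UDR) evaluation in which
# "set vlan" and "set role" form two independent ordered lists, each applied
# first-match. This reflects the CLI output quoted in the thread, not the
# ArubaOS implementation, which should be verified on a real controller.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: str        # "vlan" or "role"
    attr: str          # client attribute, e.g. "macaddr"
    op: str            # "equals", "starts-with" or "contains" (assumed subset)
    match: str         # value the attribute is compared against
    value: str         # VLAN id or role name to assign on match
    description: str = ""


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form, so 1234.5678.90AA == 12-34-56-78-90-aa."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def _matches(rule: Rule, client: dict) -> bool:
    value = client.get(rule.attr)
    if value is None:
        return False
    needle = rule.match
    if rule.attr == "macaddr":
        value = normalize_mac(value)
        # A partial prefix such as "12:34:56" is not a full MAC, so only
        # canonicalize the needle for exact comparisons.
        needle = normalize_mac(needle) if rule.op == "equals" else needle.lower()
    if rule.op == "equals":
        return value == needle
    if rule.op == "starts-with":
        return value.startswith(needle)
    if rule.op == "contains":
        return needle in value
    raise ValueError(f"unknown operator {rule.op!r}")


def derive(rules: list, client: dict) -> dict:
    """Return {"vlan": ..., "role": ...} with the first match kept per target."""
    result = {}
    for rule in rules:
        if rule.target in result:
            continue  # later rules for an already-decided target are ignored
        if _matches(rule, client):
            result[rule.target] = rule.value
    return result


_RULE_RE = re.compile(
    r'set (vlan|role) condition (\S+) (\S+) "([^"]*)" set-value (\S+)'
    r'(?: description "([^"]*)")?'
)


def parse_udr(config: str) -> list:
    """Parse 'set <vlan|role> condition ...' lines from an 'aaa derivation-rules user' block."""
    rules = []
    for line in config.splitlines():
        m = _RULE_RE.search(line)
        if m:
            target, attr, op, match, value, desc = m.groups()
            rules.append(Rule(target, attr, op, match, value, desc or ""))
    return rules


# Constructed sample: the two lines quoted in the thread plus one extra
# prefix rule to show that order within the role list matters.
SAMPLE_CONFIG = """
aaa derivation-rules user MAC-Auth-List
  set vlan condition macaddr equals "12:34:56:78:90:AA" set-value 1 description "Test"
  set role condition macaddr equals "12:34:56:78:90:AA" set-value authenticated description "Test"
  set role condition macaddr starts-with "12:34:56" set-value guest description "vendor OUI"
"""

RULES = parse_udr(SAMPLE_CONFIG)


def example() -> dict:
    """The device from the thread: both the VLAN rule and the role rule fire, once each."""
    return derive(RULES, {"macaddr": "12-34-56-78-90-aa"})


if __name__ == "__main__":
    print(example())
    print(derive(RULES, {"macaddr": "12:34:56:00:00:01"}))
```

Swapping the two role lines in SAMPLE_CONFIG makes the special device fall into the "guest" role, which is the ordering pitfall the manual excerpt warns about; the VLAN result is unaffected because it lives in its own list.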



  • 5.  RE: How are user rules applied to an AAA profile for our Guest network?

    Posted May 02, 2019 01:44 AM

    Dear All,

     

    I am doing MAC-based authentication through the internal server on the Aruba controller; it is working fine.

    But I want to change the role from the default MAC role to a user-derived role for one of my devices.

    I have created a user rule through the MAC address and used the same rule in the AAA profile by selecting the User Derivation Rule.

    It is not working for me.  The device is getting the default MAC role.