09-21-2016 07:35 AM
Please see the attached pictures. In our testing, we have been able to apply a user derivation rule to set both a VLAN and a user access role for a client by its MAC address. We have fewer than 20 special devices that need this treatment, and we just wanted to make sure this is working as designed and not a bug, etc. It seems that the user derivation rules are either checked multiple times, or multiple settings are applied if it is a single pass through.
The first picture shows a sample of the rules that set the VLAN and the authenticated user role. The second picture shows the user rule configuration screen where we are applying these settings.
09-21-2016 08:11 AM
What type of authentication is used on this network? User Derived Rules (UDRs) are useful when you have some exceptions to the norm for a specific AAA profile. If you are using an external authentication server (RADIUS for 802.1X or MAC authentication), you can set some of this from that end and not have to maintain the UDRs on the controllers.
It seems from your question, that things are working? So what exactly are you asking? Also reference the attached authentication/role derivation workflow.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
09-21-2016 08:21 AM
Thanks clembo. We want this to occur before authentication because many of these devices can't join an 802.1X network and don't have browsers for use with a captive portal.
This is working, but I'm concerned about page 391 in the 6.4.x manual. It says that the order of rules is important and the first matching condition is applied. In my example, the same MAC address is in two rules. The first rule sets the VLAN, the second sets the user role. So it's being matched twice.
"Working with User-Derived VLANs
Attributes derived from the client’s association with an AP can be used to assign the client to a specific role or VLAN, as user-derivation rules are executed before the client is authenticated.
You configure the user role or VLAN to be assigned to the client by specifying condition rules; when a condition is met, the specified user role or VLAN is assigned to the client. You can specify more than one condition rule; the order of rules is important as the first matching condition is applied. You can optionally add a description of the user rule."
Again, this is working well and I just want to make sure that the behavior I'm seeing is legit.
09-21-2016 08:40 AM
On the CLI, the commands imply that these are actually separate:
aaa derivation-rules user MAC-Auth-List
set vlan condition macaddr equals "12:34:56:78:90:AA" set-value 1 description "Test"
set role condition macaddr equals "12:34:56:78:90:AA" set-value authenticated description "Test"