Security

How is user role determined from WPA2-PSK method of authentication?

 

 

By default, the user-role is what is defined as the initial role in the AAA profile. You can also use user derivation rules or RADIUS with MAC authentication for dynamic role assignment.

Ahhhh....so you can't define a post-authentication role for that method? 

No, because no authentication has occurred. You would need to add MAC authentication.

Hi Tim,

 

You said:

 

No, because no authentication has occurred.

 

With WPA2-PSK you must enter the preshared key when you connecto to the network and the controller checks that preshared key, it is correct you can access the network, otherwise you can't. For me this is a kind of authentication, do you mean an authentication based on user?

 

Regards,

Julián

I think Tim means that no authentication has occurred against Clearpass.  I asked a similar question a while back here: https://community.arubanetworks.com/t5/Security/PSK-SSID-Endpoint-Repository-for-role-assignment/m-p/297425#M31804

 

Once MAC auth was configured, I was able to leverage additional authorization steps against Clearpass to determine which role the client should be getting.

Hi Tim.

 

Does this mean you can do PSK auth, have a device get the AAA initial role, then have that role subsequently changed by a user derivation rule?   It says in the docs that user derivation rules apply pre-authentication, I thought that meant it would only apply to open SSID users.  Please confirm.  thank you.

 

Neal

Yes, the deriviation rule would be evaluated.