Security

Frequent Contributor II
Posts: 130
Registered: ‎08-07-2013

User Rules

I'm trying to apply a user rule to our primary SSID to put Windows XP devices into a limited role. I was testing with moving a specific mac address into a new role and I can see the number of hits incrementing but the set role is never applied.

 

Authentication User Rules.png

 

Here is where I am applying it to the AAA profile:

Authentication Profiles.png

 

It seems that I'm missing something and I was hoping for a nudge in the right direction.

 

Thanks,


Rosie

MVP
Posts: 4,309
Registered: ‎07-20-2011

Re: User Rules

What role did it get applied?

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 130
Registered: ‎08-07-2013

Re: User Rules

The role it gets is from the radius server rules passed by NPS.

Guru Elite
Posts: 8,775
Registered: ‎09-08-2010

Re: User Rules

You cannot override a rule sent as a VSA.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 130
Registered: ‎08-07-2013

Re: User Rules

Do you know if I can create an NPS rule to set role based on a DHCP fingerprint? I account for all login cases via the VSA so it sounds like user derivations wouldn't work at all then.

 

Thanks,

 

Eric

Guru Elite
Posts: 8,775
Registered: ‎09-08-2010

Re: User Rules


I don't believe NPS can profile a device or use DHCP fingerprints.

 

Does this SSID serve only corp assets or BYOD as well? 

 

If they're all domain joined, you can script the creation of a group with all the XP machines in it and use that group in your policy.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
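The group scripting suggested in the post above could look like the following. This is an added example, not code from the thread or from Aruba; it assumes the ActiveDirectory PowerShell module is available, and the group name and OU are placeholders.

```powershell
# Added example: keep an AD security group in sync with domain-joined
# Windows XP computers so the group can be used as a policy condition.
# Assumptions: ActiveDirectory module (RSAT) installed; names below are placeholders.
Import-Module ActiveDirectory

$GroupName = 'WLAN-XP-Machines'             # hypothetical group name
$GroupPath = 'OU=Groups,DC=example,DC=com'  # placeholder OU

# Create the group on first run, reuse it afterwards.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
                         -GroupCategory Security -Path $GroupPath -PassThru
}

# Computer objects whose OperatingSystem attribute reports Windows XP.
# The attribute is written by the machine itself, so stale or renamed
# objects may be missed; review the result before relying on it.
$xp = @(Get-ADComputer -Filter "OperatingSystem -like 'Windows XP*'" `
                       -Properties OperatingSystem)

# Computer accounts that are currently members of the group.
$current = @(Get-ADGroupMember -Identity $group |
             Where-Object objectClass -eq 'computer')

$xpDns  = $xp.DistinguishedName
$curDns = $current.distinguishedName

# Add newly found XP machines, drop members that no longer report XP.
$toAdd    = $xp      | Where-Object { $curDns -notcontains $_.DistinguishedName }
$toRemove = $current | Where-Object { $xpDns  -notcontains $_.distinguishedName }

if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

"{0} XP computers found, {1} added, {2} removed" -f `
    $xp.Count, @($toAdd).Count, @($toRemove).Count
```

Run on a schedule, this keeps the membership current; it only covers machines that have computer accounts in the domain.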
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: User Rules


Take a look here:

 Role-Derivation.jpg

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor II
Posts: 130
Registered: ‎08-07-2013

Re: User Rules

 

cappalli wrote:

I don't believe NPS can profile a device or use DHCP fingerprints.

 

Does this SSID serve only corp assets or BYOD as well? 

 

If they're all domain joined, you can script the creation of a group with all the xp machines in it and use that group in your policy. 


The SSID serves all users and none of the machines should be joined to the domain anymore. Most of them are BYOD.

Frequent Contributor II
Posts: 130
Registered: ‎08-07-2013

Re: User Rules


SethFiermonti wrote:

take a look here:

 Role-Derivation.jpg


Thanks for the visual!
