Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

User-derived VLAN assignment based on MAC address / max. 11 entries in priority list?

Hi

I'm trying to solve a small challenge and hoped that user rules would/could help here. I'm using one SSID for corporate access and everyone gets the "authenticated" role.

So far so good; it has worked fine for years. Now I want to separate a few clients on this VAP into another VLAN where another subnet is used, so I can properly separate them on the gateway firewall regarding policies/rules etc. I have PEFNG, but I'm not using the firewall features on the controller; we handle this on a central firewall before traffic hits the internet.

While DHCP reservation is not possible on the controller, I had the idea to use the "user rules" tab in the authentication area to just have approx. 15 clients put into another, separate VLAN where the controller does DHCP for a subnet.

I wonder why the priority list of the user rules only accepts 11 entries in the WebUI. When trying to add a 12th entry, it overwrites the 11th entry?

Why is there a limit of 11? It doesn't make sense. Perhaps this shouldn't be misused for my challenge? After reading the ArubaOS 6.3 user guide (I currently run 6.3.1.14 on that MC3200 because we have lots of old APs not supported in AOS 6.4), the guide says:

Working with User-Derived VLANs
Attributes derived from the client's association with an AP can be used to assign the client to a specific role or
VLAN, as user-derivation rules are executed before the client is authenticated.
You configure the user role or VLAN to be assigned to the client by specifying condition rules; when a condition is
met, the specified user role or VLAN is assigned to the client. You can specify more than one condition rule; the order
of rules is important as the first matching condition is applied. You can optionally add a description of the user rule.

So my CLI config is like this. I'm not sure if what I'm trying to solve is a misuse; perhaps it would make more sense to try it with a MAC authentication role. But I would like to set a VLAN based on the MAC address, which is why I tried it with user rules.

 

(Aruba3400) #show aaa derivation-rules user Auth-MAC-VLAN

User Rule Table
---------------
Priority  Attribute  Operation  Operand/Group      Action    Value  Total Hits  New Hits  Description
--------  ---------  ---------  -------------      ------    -----  ----------  --------  -----------
1         macaddr    equals     00:21:6a:xx:xx:xx  set vlan  2103   0           0         
2         macaddr    equals     28:B2:BD:xx:xx:xx  set vlan  2103   0           0         
3         macaddr    equals     00:19:D2:xx:xx:xx  set vlan  2103   0           0         
4         macaddr    equals     00:21:6a:xx:xx:xx  set vlan  2103   0           0         
5         macaddr    equals     A4:4E:31:xx:xx:xx  set vlan  2103   0           0         
6         macaddr    equals     5C:C5:D4:xx:xx:xx  set vlan  2103   0           0         
7         macaddr    equals     A4:4E:31:xx:xx:xx  set vlan  2103   0           0         
8         macaddr    equals     6C:88:14:xx:xx:xx  set vlan  2103   0           0         
9         macaddr    equals     A4:4E:31:xx:xx:xx  set vlan  2103   0           0         
10        macaddr    equals     50:1A:C5:xx:xx:xx  set vlan  2103   0           0         
11        macaddr    equals     00:19:D2:xx:xx:xx  set vlan  2103   0           0         

As said before, when trying to add a 12th entry, entry 11 is overwritten.

Any ideas?

By the way, before you ask yourself "why does he do this": all clients use the same SSID. If a MAC address is not listed in the user rules list and connects to the SSID, it gets an IP address from the default VLAN assigned to the VAP; only when it has a specific MAC address is the client put into this 2nd VLAN.

Perhaps I have to solve it another way?

Thanks

Ben
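Added example (my own code, not part of the post above and not from Aruba): the "Total Hits" column in that table is the only evidence of whether a rule ever fires, and with "first matching condition is applied" a later rule for the same operand is dead. The script below parses the `show aaa derivation-rules user` output and flags rules that are shadowed by an earlier one, rules with zero hits, and whether the table has reached the 11-entry ceiling. The ceiling is taken from the behaviour described in the post, not from documentation; the case-insensitive MAC comparison is an assumption (the posted table mixes upper and lower case); and the sample output is constructed with made-up, locally administered MACs so that the checks have something to find.

```python
"""Audit an ArubaOS 'show aaa derivation-rules user <profile>' table.

Example code written for this thread; it is not from the original post or from
Aruba. ASSUMED_UDR_LIMIT and the case-insensitive MAC matching are assumptions.
"""
import re

ASSUMED_UDR_LIMIT = 11  # assumption: the poster saw a 12th rule overwrite the 11th

# Constructed sample in the same layout as the posted table. MACs are made up
# (02:xx locally administered range); rules 4 and 7 deliberately repeat 1 and 5.
SAMPLE = """\
(Aruba3400) #show aaa derivation-rules user Auth-MAC-VLAN

User Rule Table
---------------
Priority  Attribute  Operation  Operand/Group      Action    Value  Total Hits  New Hits  Description
--------  ---------  ---------  -------------      ------    -----  ----------  --------  -----------
1         macaddr    equals     02:21:6a:00:00:01  set vlan  2103   0           0
2         macaddr    equals     02:B2:BD:00:00:02  set vlan  2103   4           1
3         macaddr    equals     02:19:D2:00:00:03  set vlan  2103   0           0
4         macaddr    equals     02:21:6A:00:00:01  set role  guest  0           0         same MAC as rule 1, upper case
5         macaddr    equals     02:4E:31:00:00:05  set vlan  2103   0           0
6         macaddr    equals     02:C5:D4:00:00:06  set vlan  2103   0           0
7         macaddr    equals     02:4E:31:00:00:05  set vlan  2103   0           0
8         macaddr    equals     02:88:14:00:00:08  set vlan  2103   0           0
9         macaddr    equals     02:4E:31:00:00:09  set vlan  2103   0           0
10        macaddr    equals     02:1A:C5:00:00:0a  set vlan  2103   2           0
11        macaddr    equals     02:19:D2:00:00:0b  set vlan  2103   0           0
"""

# One rule row: priority, attribute, operation, operand, "set <what>", value,
# total hits, new hits, optional free-text description.
RULE_RE = re.compile(
    r"^\s*(?P<prio>\d+)\s+(?P<attr>\S+)\s+(?P<op>\S+)\s+(?P<operand>\S+)\s+"
    r"(?P<action>set \S+)\s+(?P<value>\S+)\s+(?P<total>\d+)\s+(?P<new>\d+)"
    r"(?:\s+(?P<desc>.*?))?\s*$"
)


def parse_udr_table(text):
    """Return the rule rows as dicts; banner, header and separator lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        rules.append({
            "priority": int(d["prio"]),
            "attribute": d["attr"],
            "operation": d["op"],
            "operand": d["operand"],
            "action": d["action"],
            "value": d["value"],
            "total_hits": int(d["total"]),
            "new_hits": int(d["new"]),
            "description": d["desc"] or "",
        })
    return rules


def rule_key(rule):
    """Condition identity used for shadowing checks; MACs compared case-insensitively (assumption)."""
    operand = rule["operand"]
    if rule["attribute"] == "macaddr":
        operand = operand.lower()
    return (rule["attribute"], rule["operation"], operand)


def audit_udr(rules, limit=ASSUMED_UDR_LIMIT):
    """Flag shadowed rules (earlier rule has the same condition), rules that never hit,
    and whether the table is at the assumed entry ceiling."""
    findings = {
        "count": len(rules),
        "at_limit": len(rules) >= limit,
        "shadowed": [],   # (dead rule priority, priority of the rule that wins)
        "never_hit": [],  # priorities with Total Hits == 0
    }
    first_seen = {}
    for r in rules:
        key = rule_key(r)
        if key in first_seen:
            findings["shadowed"].append((r["priority"], first_seen[key]))
        else:
            first_seen[key] = r["priority"]
        if r["total_hits"] == 0:
            findings["never_hit"].append(r["priority"])
    return findings


if __name__ == "__main__":
    result = audit_udr(parse_udr_table(SAMPLE))
    print(f"{result['count']} rules, at assumed limit: {result['at_limit']}")
    for dead, winner in result["shadowed"]:
        print(f"rule {dead} can never match: rule {winner} has the same condition")
    print("rules with zero hits:", result["never_hit"])
```

Run it against real output by replacing SAMPLE with the pasted table; a rule that is shadowed or has never hit is the first thing to remove when you need one of the scarce slots back.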

 

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: User-derived VLAN assignment based on MAC address / max. 11 entries in priority list?

This is really a function of a RADIUS server / policy engine. The UDR was
designed to allow for some quick overrides for devices that share the same
attributes (DHCP fingerprints, MAC OUI, etc).

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: User-derived VLAN assignment based on MAC address / max. 11 entries in priority list?

Thanks, that makes sense, so it's not intended to put a lot of entries into that kind of list.

Perhaps it works with a server group; then I make internal DB entries with those MAC addresses and server rules. That should work, or better said, I remember we had this once for putting MAC addresses into different VLANs in our training lab area.

I will give it a shot. Thanks for the godspeed reply! ;-)

Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: User-derived VLAN assignment based on MAC address / max. 11 entries in priority list?

Silly question: if I try it via server groups, does it work if I only add my desired MAC addresses as user entries in the user DB, or do I have to add "all" MAC addresses to separate e.g. 20 MAC addresses into that VLAN and another 15 MAC addresses into another VLAN?

I think I have to clear the VAP VLAN field, or?

Or is it OK to keep a default VLAN on the VAP and only when hitting a server rule the MAC address is put into another VLAN? I'm not sure at all... let's test. ;-)


MVP
Posts: 952
Registered: ‎04-13-2009

Re: User-derived VLAN assignment based on MAC address / max. 11 entries in priority list?

I take it you're not doing 802.1X authentication?

Cheers

James


@whereisjrw | blog
ACCX #540 | ACMX #353 | ACDX #216 | Mobility First Expert #11

Regular Contributor I
Posts: 190
Registered: ‎04-27-2009

Re: User-derived VLAN assignment based on MAC address / max. 11 entries in priority list?

No, just a corporate SSID with WPA2-PSK.

The background is just that most of the clients should fall into the VLAN defined in the VAP, and only approx. 12 clients should be put into another VLAN.

The firewall rules are applied on the central gateway firewall. Regarding security it's not the best decision, because the client could change his IP address and then another firewall policy would hit; it's just a quick separation of clients.

E.g. the first clients don't have any authentication on the firewall, and the ones which should be put into another VLAN via MAC address then get authentication on the central firewall.

I think I'll tweak the whole config by adding additional MAC auth so only allowed MAC addresses are able to use that kind of SSID at all; that tweak can be applied later on.

