Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

802.1x + User Derivation role change

  • 1.  802.1x + User Derivation role change

    Posted Feb 06, 2013 05:26 PM

    Hey guys,


    I have a list of MAC addresses I would like to "quarantine" as bad-actors using UDR on my WPA2 network.  The role "quarantine" has a different set of ACLs I'd like to apply to the user (i.e. NAT, etc).  This SSID/network is doing RADIUS authN to NPS using no server-derivation rules.  My AAA .1x default role is "authenticated" and no matter what the UDR rules say, I can't seem to change a user from that "authenticated" role to the "quarantine" UDR role (when it matches a bad-actor MAC address).  I can *however* change the VLAN successfully using UDR, but this is not a preferred design for us.  


    Is this how UDR works when combined with 802.1x or am I doing something wrong?


    Thanks

    Eric



  • 2.  RE: 802.1x + User Derivation role change

    Posted Feb 06, 2013 05:53 PM

    The default dot1X role (or server rules) will overwrite the UDR.



  • 3.  RE: 802.1x + User Derivation role change

    Posted Feb 06, 2013 10:23 PM

    As clembo said, the default dot1x role will override the UDR. UDR occurs before the dot1x role is applied. Server rules are applied after.


    In the server group defined in your AAA profile, you'll map the MAC addresses of the offending clients to the quarantine role.


    In the GUI:


    Authentication > Servers > Server Group > server_group_name

    Click New under Server Rules and fill in the blanks:

    Condition = macaddr

    Operation = equals

    Operand = aa:bb:cc:dd:ee:ff

    Action = set role

    Value = quarantine-role


    CLI:


    aaa server-group "server_group_name"

    set role condition macaddr equals "aa:bb:cc:dd:ee:ff" set-value quarantine-role
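Added example (not from the thread or from HPE Aruba Networking): a small Python generator that turns a list of quarantine MACs into the server-rule CLI lines shown above, normalising each address to the aa:bb:cc:dd:ee:ff form and refusing anything that is not a valid MAC, so a typo cannot silently become a rule that never matches. The server group and role names are the ones used in the thread; max_rules is an assumption taken from the figure the thread asks about, not a verified limit.

```python
import re

# Only these separators are stripped; anything else must be a hex digit.
_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC in the aa:bb:cc:dd:ee:ff form used by the server rule.

    Accepts colon, dash, dotted and bare-hex input; rejects anything that is
    not exactly 12 hex digits so a typo cannot become a no-op rule.
    """
    digits = _SEPARATORS.sub("", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_server_rules(server_group: str, macs, role: str, max_rules: int = 127):
    """Build the ArubaOS CLI lines from the thread: one 'set role' server rule
    per distinct MAC under the server group. Server rules are evaluated after
    the default 802.1X role, which is why they take effect where a UDR does not.

    max_rules is an assumption: the thread only asks whether 127 is the limit,
    so check the figure for your ArubaOS release before relying on it.
    """
    lines = [f'aaa server-group "{server_group}"']
    seen = set()
    for mac in macs:
        norm = normalize_mac(mac)
        if norm in seen:  # same client listed twice: emit one rule only
            continue
        seen.add(norm)
        lines.append(f'  set role condition macaddr equals "{norm}" set-value {role}')
    if len(seen) > max_rules:
        raise ValueError(f"{len(seen)} rules exceeds max_rules={max_rules}")
    return lines


if __name__ == "__main__":
    # Constructed sample list: mixed input formats and one duplicate.
    quarantine = ["aa:bb:cc:dd:ee:ff", "AA-BB-CC-DD-EE-FF", "0011.2233.4455"]
    print("\n".join(build_server_rules("server_group_name", quarantine, "quarantine-role")))
```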



  • 4.  RE: 802.1x + User Derivation role change

    Posted Feb 07, 2013 10:58 AM

    Great information, just one last question... are there size limitations (I've seen 127 as a possible limit in 6.1.3.1) to the server-rules list in 6.1.3.4?


    Thanks again for your help on this, it's very much appreciated.

    Eric



  • 5.  RE: 802.1x + User Derivation role change

    Posted Nov 03, 2015 02:02 PM

    Thank you for this great post. Just what I needed.