Wireless Access

Reply
Occasional Contributor II

802.1x + User Derivation role change

Hey guys,

 

I have a list of MAC addresses I would like to "quarantine" as bad-actors using UDR on my WPA2 network.  The role "quarantine" has a different set of ACLs I'd like to apply to the user (i.e. NAT, etc).  This SSID/network is doing RADIUS authN to NPS using no server-derivation rules.  My AAA .1x default role is "authenticated" and no matter what the UDR rules say, I can't seem to change a user from that "authenticated" role to the "quarantine" UDR role (when it matches a bad-actor MAC address).  I can *however* change the VLAN successfully using UDR, but this is not a preferred design for us.  

 

Is this how UDR works when combined with 802.1x or am I doing something wrong?

 

Thanks

Eric

Aruba

Re: 802.1x + User Derivation role change

The default dot1X role (or server rules) will overwrite the UDR.      

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Re: 802.1x + User Derivation role change

As clembo said, the default dot1x role with override the UDR.  UDR occurs before the dot1x role is applied. Server rules are applied after.

 

In the server group defined in your AAA profile, you'll map the MAC addresses of the offending clients to the quarantine role.

 

In the GUI:

 

Authentication > Servers > Server Group > server_group_name

Click New under Server Rules and fill in the blanks:

Condition = macaddr

Operation = equals

operand = aa:bb:cc:dd:ee:ff

Action = set role

Value = quarantine-role

 

CLI:

 

aaa server-group "server_group_name"

set role condition macaddr equals "aa:bb:cc:dd:ee:ff" set-value quarantine-role

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Occasional Contributor II

Re: 802.1x + User Derivation role change

Great information, just one last question... are there size limitations (I've seen 127 as a possible limit in 6.1.3.1) to the server-rules list in 6.1.3.4 ?

 

Thanks again for your help on this, it's very much appreciated.

Eric

New Contributor

Re: 802.1x + User Derivation role change

Thank you for this great post. Just what I needed.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: