02-06-2013 02:26 PM
I have a list of MAC addresses I would like to "quarantine" as bad-actors using UDR on my WPA2 network. The role "quarantine" has a different set of ACLs I'd like to apply to the user (i.e. NAT, etc). This SSID/network is doing RADIUS authN to NPS using no server-derivation rules. My AAA .1x default role is "authenticated" and no matter what the UDR rules say, I can't seem to change a user from that "authenticated" role to the "quarantine" UDR role (when it matches a bad-actor MAC address). I can *however* change the VLAN successfully using UDR, but this is not a preferred design for us.
Is this how UDR works when combined with 802.1x or am I doing something wrong?
02-06-2013 07:23 PM
As clembo said, the default dot1x role will override the UDR. UDR occurs before the dot1x role is applied. Server rules are applied after.
In the server group defined in your AAA profile, you'll map the MAC addresses of the offending clients to the quarantine role.
In the GUI:
Authentication > Servers > Server Group > server_group_name
Click New under Server Rules and fill in the blanks:
Condition = macaddr
Operation = equals
operand = aa:bb:cc:dd:ee:ff
Action = set role
Value = quarantine-role
aaa server-group "server_group_name"
set role condition macaddr equals "aa:bb:cc:dd:ee:ff" set-value quarantine-role
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
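To make the ordering in this answer concrete, here is an added example (my own Python model, not code from the thread and not ArubaOS code) that walks one client through the three stages described above: UDR first, then the AAA profile's default 802.1X role, then server rules. It also renders the `set role condition macaddr equals ... set-value ...` lines in the form shown above for a whole list of quarantined MACs. The MAC normalisation, the "first matching rule wins" behaviour and the rule/field names (`Rule`, `Client`, `derive`, `render_server_group`) are assumptions made for the model, not documented controller behaviour.

```python
# Added example: a model of the role-derivation order the answer describes.
# Not ArubaOS code; stage order follows the answer, everything else is assumed.
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_DOT1X_ROLE = "authenticated"     # AAA profile 802.1X default role from the question
QUARANTINE_ROLE = "quarantine-role"

# Constructed sample data: the "bad-actor" MACs, deliberately in mixed formats.
QUARANTINE_MACS = ["aa:bb:cc:dd:ee:ff", "11-22-33-44-55-66"]


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to lowercase colon form so 'AA-BB-..' and 'aabb.ccdd.eeff'
    compare equal to 'aa:bb:cc:dd:ee:ff'. Assumption: the rule operand and the
    client MAC are compared as strings, so a list built from mixed formats must be
    normalised before it becomes rule operands."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Rule:
    condition: str   # only "macaddr" is modelled
    operation: str   # only "equals" is modelled
    operand: str     # MAC in any common format
    action: str      # "set role" or "set vlan"
    value: str       # role name, or VLAN id as a string


@dataclass
class Client:
    mac: str
    role: Optional[str] = None
    vlan: Optional[int] = None
    trail: List[str] = field(default_factory=list)   # what each stage did


def matches(rule: Rule, client: Client) -> bool:
    if rule.condition != "macaddr" or rule.operation != "equals":
        raise NotImplementedError("only 'macaddr equals' is modelled here")
    return normalize_mac(rule.operand) == client.mac


def apply_rules(client: Client, rules: List[Rule], stage: str) -> None:
    """Apply the first matching rule of a stage (first-match-wins is an assumption)."""
    for rule in rules:
        if not matches(rule, client):
            continue
        if rule.action == "set role":
            client.role = rule.value
        elif rule.action == "set vlan":
            client.vlan = int(rule.value)
        else:
            raise ValueError(f"unknown action {rule.action!r}")
        client.trail.append(f"{stage}: {rule.action} -> {rule.value}")
        return


def derive(mac: str, udr_rules: List[Rule], server_rules: List[Rule],
           default_role: str = DEFAULT_DOT1X_ROLE) -> Client:
    client = Client(mac=normalize_mac(mac))
    # 1. User derivation rules run first.
    apply_rules(client, udr_rules, "udr")
    # 2. 802.1X succeeds: the default 802.1X role replaces whatever UDR set.
    #    Nothing here touches the VLAN, which is why a UDR "set vlan" survives
    #    while a UDR "set role" does not.
    client.role = default_role
    client.trail.append(f"dot1x: set role -> {default_role}")
    # 3. Server rules run after the default role, so they can still override it.
    apply_rules(client, server_rules, "server")
    return client


def server_rules_for(macs: List[str], role: str) -> List[Rule]:
    """One 'macaddr equals <mac> set role <role>' rule per quarantined MAC."""
    return [Rule("macaddr", "equals", normalize_mac(m), "set role", role) for m in macs]


def render_server_group(name: str, macs: List[str], role: str) -> List[str]:
    """Render the CLI lines in the form shown in the answer, one per MAC."""
    lines = [f'aaa server-group "{name}"']
    for mac in macs:
        lines.append(f'  set role condition macaddr equals "{normalize_mac(mac)}" '
                     f'set-value {role}')
    return lines


if __name__ == "__main__":
    udr_only = [Rule("macaddr", "equals", "aa:bb:cc:dd:ee:ff", "set role", QUARANTINE_ROLE)]
    print(derive("aa:bb:cc:dd:ee:ff", udr_only, []).trail)          # role ends as "authenticated"
    srv = server_rules_for(QUARANTINE_MACS, QUARANTINE_ROLE)
    print(derive("AA-BB-CC-DD-EE-FF", [], srv).trail)               # role ends as "quarantine-role"
    print("\n".join(render_server_group("server_group_name", QUARANTINE_MACS, QUARANTINE_ROLE)))
```

Running the block reproduces the symptom from the question (a UDR `set role` is lost after 802.1X, a UDR `set vlan` is kept) and shows the same MAC landing in the quarantine role once the rule lives in the server group instead.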
02-07-2013 07:57 AM
Great information, just one last question... are there size limitations (I've seen 127 as a possible limit in 22.214.171.124) to the server-rules list in 126.96.36.199?
Thanks again for your help on this, it's very much appreciated.