Wireless Access

Reply
Regular Contributor I

ArubaOS 6.1.3.1 User derivation rule not working

We have a User Derivation Rule to assign a specific role to certain clients.  After we upgraded to 6.1.3.1 the Derivation Rule is not working.  The users are being placed in the initial role "logon" instead.  I have verified that the mac of the devices are present in the Derivation rule with the correct role.

 

On code 3.3.3.2 it was working properly.

 

Has anyone encountered this, is it a bug?

Guru Elite

Re: ArubaOS 6.1.3.1 User derivation rule not working

Turn on user debugging to see why that user ends up in that role.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I

Re: ArubaOS 6.1.3.1 User derivation rule not working

I'll set up a test environment tomorrow.  

Regular Contributor I

Re: ArubaOS 6.1.3.1 User derivation rule not working

After many many tests, with the help of our Aruba onsite support, we were finally able to figure out the issue.  I had called TAC about this and they were not able to figure it out.

 

Turns out that on the new code, at least 6.1.3.1, they have set a limit of to how many lines a derivation rule can have.  Don't know if that's by design or a flaw since it's not mentioned in the Release Notes that I can see.

 

So, if you're having this issue, check to see how many lines your derivation rule/s have.  The max that you can have is 127.  

Aruba Employee

Re: ArubaOS 6.1.3.1 User derivation rule not working

 

 

These symptoms are likely covered under issues filed against S3500 and ArubaOS Mobility controller products.

 

There are built-in limits to the total of derivation rules, so the number of rules that will work is dependent on the complete

controller configuration.

 

The issue was introduced in 6.1.3.0 software.

 

Currently, engineering are working on long term fixes for the issue.

 

In the meantime, there are  a number of possible "workarounds" which may in fact, be advantageous in larger networks.

 

1) MAC based authentication using full, or OUI prefix, which can be used to derive.

    -  scripts are available to assist transition from the UDR configuration to the internal authentication database authentication

 

2) Use MAC OUI prefix UDR, thereby reducing the number of UDR rules required.

3) External authentication, using server derivation rules

 

Aruba Networks Technical Support can provide further details regarding the issue, assisting in positively identifying if this is indeed the cause of symptoms observed,  or potential workarounds.

 

 

 

 

Shawn Adams
Aruba Networks Customer Advocacy
Regular Contributor I

Re: ArubaOS 6.1.3.1 User derivation rule not working

There was nothing in the release notes in regards the issue.  TAC didn't know what the issue was either.  By testing we ended up figuring what the issue was.  We resolved the issue by just using the first 6 characters of the MAC.

Occasional Contributor II

Re: ArubaOS 6.1.3.1 User derivation rule not working

is this issue ever been resolved?

 

Which code we should go to get more entries than 127?

Occasional Contributor II

Re: ArubaOS 6.1.3.1 User derivation rule not working

my controller is running on 6.1.3.4 and we are having same issue.

 

we are couldn't able to add more than 127 entries. which code we can upgrade to resolove this issue

 

Thanks in advance for any help on this matter.

Re: ArubaOS 6.1.3.1 User derivation rule not working

best bet on an answer would be TAC, they can check the bug database and advise you.

Occasional Contributor II

Re: ArubaOS 6.1.3.1 User derivation rule not working

Just An update...

 

Acoording to tac its limited to 127 entries and it will be increase to 256 entries with newer code.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: