Hi Abi,
Thanks for the quick reply!
Firstly...
You said that you are using DHCP-Option to assign a VLAN not a role.
Typo. I meant a Mobile-Role which has an assigned VLAN. :)
Creating another SSID would be easy, yes, but the problem is that since the users are using the same user/pass as the Corporate SSID they can log in to the Corporate SSID just as well and then they could get full access to the LAN. To block that, I'd need to use User-derivation-rules that do DHCP fingerprinting... so I thought I'd just use that to assign them a Role that gets them on a restricted VLAN...
You did mention that user rules hold higher preference than server derivation rules... so my interpretation is as follows:
1) 1st floor user connects to Corporate SSID with PEAP (enters Identity/Pass) (e.g. Android phone)
|
2) Radius authenticates user and sends back filter-id saying "1st_floor_user"
|
3) Aruba controller receives the Filter-ID and assigns the user to 1st_floor_user role.
|
4) Smartphone does a DHCP request
|
5) Controller identifies that it is a smartphone and reassigns role to "Mobile-Role"
Is that the correct flow? I'm just guessing, since authentication in PEAP happens BEFORE the DHCP request from the client, right? Hence the Server-derivation rule should take effect before the User-derivation rule. (Btw, I selected the User-Rule in MAC Authentication in the AAA Profile. I don't remember exactly as I don't have access to the controller right now. Maybe I can get some screenshots of the config for you on Monday.)