Occasional Contributor II
Posts: 44
Registered: ‎10-06-2009

Default User Role is overriding desired role when using Machine Authentication

Hi All,

 

I recently enabled machine authentication enforcement to keep guest users off of our corporate SSID. Machines get dropped into an appropriate role when they boot, and switch over to a user role when someone logs in... If users log in to a device that doesn't exist in AD they get dropped into a 3rd role.

 

The problem I'm having is with devices logging in that don't exist in AD. These devices are getting placed into the role defined as the "Machine Authentication: Default User Role" even though I've defined conditions under the radius server group that should place them into a specific role.

 

Here's part of the debug log

 

Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=TestIAS
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 IP=0.0.0.0 Derived role 'COWS' from server rules: server-group=sg-auth-dot1x, authentication=8021x-User
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 def_vlan 1 derive vlan: 0 auth_type 11 auth_subtype 11
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 Station authenticated: method=8021x-User, role=BYOD, VLAN=1/1/0
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 def_vlan 1 derive vlan: 0 auth_type 11 auth_subtype 11
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 Station authenticated: method=8021x-User, role=BYOD, VLAN=1/1/0

 

If I'm reading this right, the machine authenticates, gets the role of COWS (which is what I want), then is switched into BYOD.

 

What might be going on here?

 

Thanks

Guru Elite
Posts: 21,252
Registered: ‎03-29-2007

Re: Default User Role is overriding desired role when using Machine Authentication

Users that have ONLY passed user authentication ONLY get the Enforce Machine Authentication: user role. No further role derivation is performed. Role derivation is ONLY performed for devices that passed both User and Machine Authentication.

 



Colin Joseph
Aruba Customer Engineering
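
The symptom discussed in this thread (a role derived from server rules, then a different role on the "Station authenticated" line) can be searched for across a longer authmgr debug log. The script below is an added example, not part of the original posts and not Aruba code; its regular expressions assume the line format shown in the log excerpt above, and the two 00:00:5e:00:53:01 lines are constructed.

```python
import re

# First four lines are copied from the debug log in the original post; the two
# 00:00:5e:00:53:01 lines are constructed to show a client whose role is kept.
SAMPLE_LOG = """\
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 IP=0.0.0.0 Derived role 'COWS' from server rules: server-group=sg-auth-dot1x, authentication=8021x-User
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 def_vlan 1 derive vlan: 0 auth_type 11 auth_subtype 11
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 Station authenticated: method=8021x-User, role=BYOD, VLAN=1/1/0
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 Station authenticated: method=8021x-User, role=BYOD, VLAN=1/1/0
Jan 5 11:18:02 authmgr MAC=00:00:5e:00:53:01 IP=0.0.0.0 Derived role 'COWS' from server rules: server-group=sg-auth-dot1x, authentication=8021x-User
Jan 5 11:18:02 authmgr MAC=00:00:5e:00:53:01 Station authenticated: method=8021x-User, role=COWS, VLAN=1/1/0
"""

MAC_RE = re.compile(r"MAC=((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)
DERIVED_RE = re.compile(r"Derived role '([^']+)' from server rules")
FINAL_RE = re.compile(r"Station authenticated: method=([^,\s]+), role=([^,\s]+)")


def find_role_overrides(log_text):
    """Return (mac, method, derived_role, final_role) for each client whose
    final role differs from the role derived from server rules."""
    derived = {}      # mac -> most recent role derived from server rules
    seen = set()      # suppress the repeated 'Station authenticated' lines
    findings = []
    for line in log_text.splitlines():
        mac_match = MAC_RE.search(line)
        if not mac_match:
            continue
        mac = mac_match.group(1).lower()
        derived_match = DERIVED_RE.search(line)
        if derived_match:
            derived[mac] = derived_match.group(1)
            continue
        final_match = FINAL_RE.search(line)
        if final_match and mac in derived:
            method, final_role = final_match.groups()
            finding = (mac, method, derived[mac], final_role)
            if final_role != derived[mac] and finding not in seen:
                seen.add(finding)
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for mac, method, wanted, got in find_role_overrides(SAMPLE_LOG):
        print(f"{mac}: derived '{wanted}' but placed in '{got}' (method={method})")
```

Each finding is a client to check against the machine authentication default user role configured in the 802.1X profile.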
