Wireless Access

Reply
Contributor I
Posts: 75
Registered: ‎03-21-2012

Guest Provisioning Default Role

We give front desk users guest provisioning access which puts users into the default "guest" role, is there a way to default what role they go into? We are trying to steer guest accounts into a role that is different then the default (i.e. SSIDName-Role vs guest)

 

I know this is possible from within the controller guest provisioning but we don't want to give users that much access.

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Guest Provisioning Default Role

[ Edited ]

Edited to reflect post-auth role instead of initial role in #2

 

The role assignment for guests within the controller can be done in a couple different ways:

 

1) Create a guest account and assign a role.   By default the captive portal profiles use "default" server group for authentication.  This server group has a server derived rule that assigns the user-role to be the value or role within the internal DB.

 

2) Set a default guest role for the captive portal profile for your guests (SSIDName-Role in your case).   Make a new server group (copy of default), but remove this server derived rule.  Assign this server group to the Captive Portal profile.

 

  • In option 1, the server derived rule will override the initial role for the AAA profile, thus they are assigned "guest".
  • In option 2, there is no server derived rule, so the default role of the Captive Portal profile is assigned, thus they are assigned "SSIDName-Role"
------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 75
Registered: ‎03-21-2012

Re: Guest Provisioning Default Role

Option 1 is already doable 

Option 2 is I guess what we are trying to do but already have an initial role on the AAA profile set. Not sure about the server derived rule since the default doesnt have any set from what I can tell.

 

This is basically our config with names changed up a bit but basically we want initial role "SSID-Guest-Logon-Role" and authenticated role "SSID-Guest-Role". Anything the guest-manager puts in they are currently being put int to "guest" role by default.

 

wlan virtual-ap "VAP-SSID-Guest"
aaa-profile "AAA-SSID-Guest"
ssid-profile "SSID-Guest"
vlan xxx
band-steering
broadcast-filter all

!

aaa profile "AAA-SSID-Guest"
initial-role “SSID-Guest-Logon-Role"

!
aaa authentication captive-portal "CP-SSID-Guest"
default-role “SSID-Guest-Role"
server-group "internal"
redirect-pause 2
protocol-http
welcome-page "http://www.pickles.com"
apple-cna-bypass

!

aaa server-group "default"
auth-server Internal

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Guest Provisioning Default Role

[ Edited ]

flava wrote:

aaa server-group "default"
auth-server Internal


Your config looks good so long as the CP-SSID-Guest captive portal profile is assigned to the SSID-Guest-Logon-Role role.  However, the above output shows that the default server group does indeed have the server rule set.  It is a default setting, so it does not show up in the CLI.  If you had removed it, you'd see:

 

no set role condition role value-of

 

To confirm this, run one of the following commands.

When the user is logged in:

  • show user ip <ip-of-user>
  • Looks for the User Role deriviation field to confirm how the user was assigned the role

 

show aaa server-group default

  • Verify Role/VLAN deriviation rule is set.

(aruba-7010) #show aaa server-group default

Fail Through:No
Load Balance:No

Auth Servers
------------
Name      Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
----      -----------  ---------  ----------  --------  ---------
Internal  Internal     No                              

Role/VLAN derivation rules
---------------------------
Priority  Attribute  Operation  Operand  Type    Action    Value  Validated
--------  ---------  ---------  -------  ----    ------    -----  ---------
1         role       value-of            String  set role         No

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Search Airheads
Showing results for 
Search instead for 
Did you mean: