Wireless Access

Reply
Occasional Contributor I
Posts: 9
Registered: ‎04-04-2014

Question about role assignment for radius authenticated users.

I have successfully setup radius authentication for my AD users. However, users are being assigned a guest role instead of the logon role that is set in the AAA profile for the radius authentication. I cannot determine what is superseding the role.

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Question about role assignment for radius authenticated users.

User "show user-table ip <ip address of user>" to see how the user got that role.  In your AAA profile, the default 802.1x role should determine your user's role.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 9
Registered: ‎04-04-2014

Re: Question about role assignment for radius authenticated users.

Ok i see the following in the reply

 

Role Derivation: default for authentication type 802.1x

 

then 

 

Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
Current Role name: guest, role-how: 1, L2-role: guest, L3-role: guest

 

My AAA profile is set for Logon. I have looked at the 802.1x seetings but do not see where to assign the role. I am using mschap for 802.1x.

 

 

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Question about role assignment for radius authenticated users.

In the AAA profile, what roles is the default 802.1x role set to?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 9
Registered: ‎04-04-2014

Re: Question about role assignment for radius authenticated users.

default-dot1x is set to logon.

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Question about role assignment for radius authenticated users.

Type show "user table verbose" and it will say in one column which AAA profile is being used (expand your terminal to full size to see). This is just to make sire you are referring to the correct 802.1x profile.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 9
Registered: ‎04-04-2014

Re: Question about role assignment for radius authenticated users.

In the auth column I see 802.1x and the Profile column shows the radius profile i created, but I have verified that logon is the role i have set for that AAA profile. However, the user roles are still guest.

 

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Question about role assignment for radius authenticated users.

Okay.  Do you have the policy enforcement firewall license installed?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 9
Registered: ‎04-04-2014

Re: Question about role assignment for radius authenticated users.

We purchased and installed 1 PEF license before we realized we needed one for every ap. I removed the initial license.

 

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: Question about role assignment for radius authenticated users.

If you do not have the PEF license every authenticated user will end up in the guest role.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: