Wireless Access

Contributor I

Role derivation priority with 802.1X, Machine Auth and VSA


I have configured Server Role Derivation for 802.1X with enforced machine authentication. It works fine for computers and users that are members of the Microsoft domain, with role mapping based on a standard attribute returned by NPS (not an Aruba VSA).


But I have just a few Mac OS X laptops that (for many reasons) are not members of the domain (no machine account, only user & pass), and I would also like to be able to map them to a different role after a successful 802.1X authentication based on user & pass only (machine auth failed).


Will returning the Aruba VSA attribute (Aruba-User-Role) take precedence and assign the role returned in the VSA attribute to a user on a Mac OS X that passed only user auth and failed machine auth, with the Enforce Machine Authentication option enabled in the profile?

Guru Elite

Re: Role derivation priority with 802.1X, Machine Auth and VSA

When "Enforce machine authentication" is enabled in the controller, users will only get a server-defined role when both user and machine authentication have been passed. Users who only pass user or only pass machine authentication get the corresponding machine authentication or user authentication role configured in the Enforce machine authentication configuration; all other derivation or VSA is ignored. It is preferred to do machine enforcement with an external policy server like ClearPass, because the built-in enforce machine authentication feature is less flexible and was built when there was not any external policy server that could do anything like that.

Colin Joseph
Aruba Customer Engineering
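The precedence rule in the reply above, written out as an added model so the asker's two cases can be checked side by side. This is illustrative code, not Aruba's implementation; the profile knob names, role names and MAC addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class AaaProfile:
    """Relevant knobs of an Aruba 802.1X profile (names are constructed)."""
    enforce_machine_auth: bool = True
    machine_auth_default_role: str = "computer"   # machine passed, user not (yet)
    user_auth_default_role: str = "guest"         # user passed, machine failed/absent
    dot1x_default_role: str = "authenticated"     # both passed, no server role returned

def derive_role(profile, machine_ok, user_ok, server_role=None):
    """Role the controller assigns under Enforce Machine Authentication.
    server_role is what Aruba-User-Role or a server derivation rule carries;
    it is only honoured when BOTH authentications passed."""
    if not profile.enforce_machine_auth:
        raise ValueError("model covers the enforce-machine-auth case only")
    if machine_ok and user_ok:
        return server_role or profile.dot1x_default_role
    if machine_ok:
        return profile.machine_auth_default_role
    if user_ok:
        return profile.user_auth_default_role   # VSA is ignored here
    return None  # nothing passed: no role, access denied

class ControllerSim:
    """Remembers the machine-auth outcome per client MAC across the two 802.1X
    exchanges (machine at boot, user at login) and derives the role each time."""
    def __init__(self, profile):
        self.profile = profile
        self.machine_ok = {}

    def auth(self, mac, kind, accepted, server_role=None):
        if kind == "machine":
            self.machine_ok[mac] = accepted
            return derive_role(self.profile, accepted, False)
        if kind == "user":
            return derive_role(self.profile, self.machine_ok.get(mac, False),
                               accepted, server_role)
        raise ValueError(kind)

def demo():
    sim = ControllerSim(AaaProfile())
    # Domain PC (constructed MAC): machine auth at boot, then user auth at login.
    sim.auth("00:11:22:33:44:01", "machine", True)
    pc_role = sim.auth("00:11:22:33:44:01", "user", True, server_role="employee")
    # Non-domain Mac: no machine account, so only the user exchange happens,
    # even though NPS returns Aruba-User-Role = mac-users in the Access-Accept.
    mac_role = sim.auth("00:11:22:33:44:02", "user", True, server_role="mac-users")
    return pc_role, mac_role
```

Running `demo()` shows the Mac lands in the user-authentication default role rather than the VSA role, which is the behaviour the reply describes.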

