Wireless Access

New Contributor

Server Derivation

Dear All,



              New to Aruba, coming from Cisco...i have 1 SSID for example, WIFI and i want the Corporate employess and guests to connect to this SSID, whatever authentication happens, it will be sent to Clearpass box..and based on user credential the Clearpass will put the user in the right vlan.



            And based on that Aruba controller will do the routing. I tried to look for help on the internet, but i was not content....Is there any document that walks you step by step on how to do it or if someone can explains it to me.



Appreciate your help and support.






Guru Elite

Re: Server Derivation

Your guest users have corporate credentials?

Sent from Nine<>

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Server Derivation

Thanks for replying, the guests will have a user name and password different than employees.


and baswed on that the Clearpass will put user in right vlan.

Valued Contributor II

Re: Server Derivation

Hi friend,


I can help you on this,


Here, for any authenticated user a role should be assigned and the user traffic will be controlled according to the policy( Firewall policy) mapped to that role.


In Aruba we can assign a role in 2 different ways,


1. Through AAA profile : dot1x default role

2. Through server ( Clearpass or any other server) generally called SDR or VSA


Priority will be given to SDR/VSA, if SDR is not configured, user will be mapped to the role configured in AAA profile ( dot1x Authentication default role)




If SDR is configure, authenticated user will be assigned a role returned by the server.

here server will return the role name ( can return VLAN also) and we should ensure that the role is defined in the controller ( to create  customised roles controller should have PEFNG license installed)


we can configre SDR as shown under :



Here, as per the matching condition user will be assigned to a role ( or a VLAN)


How to create a roles and policies in Aruba controller :



Ways of assigning Role to an Authenticated user :




What is the flow of role assignment :



How to configure SDR ( Server derived Role ) :




Inorder to achieve the above, we should have configured the server properly and which is very similar to Cisco :)


Hope you got some Idea,


Please feelfree to come back if any further help needed on this.




Venu Puduchery,
[Is my post helped you ? Give Kudos :) ]
Guru Elite

Re: Server Derivation

If you are using ClearPass, there is no need to use Server-derived rules in the controller.

Are you already doing 802.1X with ClearPass right now? Can you post some screen shots of your service?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II

Re: Server Derivation

Welcome over to the bright side :)


How do you differentiate your guest users from your corporate users? Are the corporate users in their own source (Active directory for example) and the guest users in Clearpass guest repository?


Or are guests and corporate users in the same authentication source and you differentiate on for example group membership?


Depending on this you want to define role mapping policies and enforcement profiles that classifies who´s a guest and who´s a corporate user and then enforce the right role/vlan to be returned to the controller.

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
New Contributor

Re: Server Derivation

Thanks so much for you and everyone else who was trying to help. i followed the steps and its working now.

Search Airheads
Showing results for 
Search instead for 
Did you mean: