Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Server rule issue

  • 1.  Server rule issue

    Posted Jan 09, 2012 10:35 PM

    Hi everyone:

    I'm wondering how this rule functions: [screenshot]

    Suppose my AAA profile has a role A, and my internal database determines that user Z's role is B.

    And my AAA profile uses this internal database.

    Now it presents this behavior: if I add this rule and my database has the user Z whose role is B, then when I pass the auth it gives me the role B, not the profile's role A.

    Here is my question: what does this rule mean?

    And what does the attribute represent?

    Because I didn't find any such option when I added this attribute. Is it not a default option? I added it manually.



  • 2.  RE: Server rule issue

    EMPLOYEE
    Posted Jan 09, 2012 10:58 PM
    That rule means to give a user whatever role he has in the internal database, instead of the default role in the AAA profile. If you remove that rule, he will have whatever the default role is for the method in the AAA profile.


  • 3.  RE: Server rule issue

    Posted Jan 09, 2012 11:50 PM

    But the Role attribute is not among the default attributes.

    It can't be chosen. I added it manually. Can it work?

    So if I add another attribute which is not among the default attributes, can it also work?



  • 4.  RE: Server rule issue

    EMPLOYEE
    Posted Jan 09, 2012 11:53 PM
    What kind of authentication are you using?


  • 5.  RE: Server rule issue

    Posted Jan 10, 2012 12:01 AM

    Portal and MAC.

    The client should pass the MAC auth first. If he can't, he has another chance to pass the auth by portal.

    In my MAC auth, I use the server rule to let my client pass the auth and use its database's role.

    And I find the role attribute is not among the default attributes. I added it manually and it works; this is what confused me the most. [screenshot]



  • 6.  RE: Server rule issue
    Best Answer

    EMPLOYEE
    Posted Jan 10, 2012 12:09 AM

    Okay.  Here is how it should go:

     

    In the AAA profile, if there is a mac authentication profile and a mac authentication server group, the device will attempt mac authentication (If either one is missing, mac authentication will not be performed).  For the device to pass mac authentication, the mac address must be in the local database in the proper format.

     

    If the device passes mac authentication, he will be assigned the mac authentication default role, OR he will be assigned the role that his mac address is assigned to, if the "value-of" rule is in the mac authentication server group.

     

    If the device does NOT pass mac authentication, it will remain in the "Initial Role" of the AAA profile.  If the initial role has the Captive Portal ACL, then whatever Captive Portal Authentication Profile is assigned to the Initial Role will be used.  The Captive Portal Authentication profile has a server group assigned, and that will determine what username and password database (server group) the user's username and password will be checked against.  If the user logs in successfully, he will be assigned the role in the internal database because of that "value-of" rule you have in the server group.
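
The role-derivation order described in the answer above, as a small Python model. This is an added example, not part of the original thread and not ArubaOS code; the class and field names, the `cp_default_role` fallback, the exact-string MAC match and the sample database are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class ServerGroup:
    users: dict                   # identity -> {"password": ..., "role": ...}
    value_of_role: bool = False   # True when the "value-of" rule on Role is present

@dataclass
class AAAProfile:
    initial_role: str
    mac_default_role: str
    mac_auth_profile: Optional[str] = None          # name of the MAC authentication profile
    mac_server_group: Optional[ServerGroup] = None
    cp_server_group: Optional[ServerGroup] = None   # reached via the initial role's Captive Portal ACL
    cp_default_role: str = "guest"                  # assumed default for portal logins

def _role(group, identity, default_role):
    # With the value-of rule the database role wins; without it the default role applies.
    return group.users[identity]["role"] if group.value_of_role else default_role

def derive_role(profile, mac, portal_login=None):
    """Return the role a client ends up in, following the order in the answer above."""
    # MAC authentication is attempted only when BOTH the profile and the server group exist.
    if profile.mac_auth_profile and profile.mac_server_group:
        # Exact string match: the address must be stored in the format that is looked up.
        if mac in profile.mac_server_group.users:
            return _role(profile.mac_server_group, mac, profile.mac_default_role)
    # MAC auth failed or was skipped: the client stays in the initial role until portal login.
    group = profile.cp_server_group
    if group and portal_login:
        user, password = portal_login
        entry = group.users.get(user)
        if entry and hmac.compare_digest(entry["password"].encode(), password.encode()):
            return _role(group, user, profile.cp_default_role)
    return profile.initial_role

# Constructed sample data: one device entry and one user entry, both mapped to role "B".
INTERNAL_DB = {
    "00:11:22:33:44:55": {"password": "00:11:22:33:44:55", "role": "B"},
    "userZ": {"password": "constructed-pw", "role": "B"},
}

if __name__ == "__main__":
    group = ServerGroup(INTERNAL_DB, value_of_role=True)
    profile = AAAProfile("logon", "A", "mac-prof", group, group)
    print(derive_role(profile, "00:11:22:33:44:55"))                      # MAC auth path
    print(derive_role(profile, "aa-bb-cc-dd-ee-ff"))                       # unknown MAC, no login
    print(derive_role(profile, "aa-bb-cc-dd-ee-ff", ("userZ", "constructed-pw")))
```

When reviewing such a setup, note that with the "value-of" rule in place the role stored in each database entry, not the profile default, decides what the client can reach.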