Regular Contributor I

User Derivation Rules Priority

I'm creating a User Derivation Rule that utilizes MAC and DHCP Fingerprinting.

 

I'm redirecting the DHCP Fingerprinted devices to a Blocked-Device-Role but inevitably there will be one user who will have the political power to demand that their device is allowed access.

 

Shouldn't I be able to create a macaddr/equals/their device's MAC Rule and nest it at the top (Priority 1) and link that to an Allow-Device-Role to give that device access to the wireless network?

 

What I'm seeing in my test environment is that the most restrictive Rule takes precedence regardless of its priority.

Guru Elite

Re: User Derivation Rules Priority

Remove the DHCP fingerprint rule and see if the mac address rule fires.  Maybe the mac rule has the wrong syntax or wrong mac address and never fires, as a result.

 



Colin Joseph
Aruba Customer Engineering


Aruba Employee

Re: User Derivation Rules Priority

In the user derivation roles, the DHCP-option rule has a higher priority than a user rule that uses MAC address. So when you define a DHCP-option based rule it always overrides the mac-based and other types of user role derivations. 

Every time a user does DHCP, DHCP fingerprinting will kick in and change the role for the user, even though the user is already provisioned.

 

Can you reverse the roles assigned to users based on mac-rule and that based on dhcp to ensure that it is not the most restrictive role that is always being applied?

Regular Contributor I

Re: User Derivation Rules Priority

Thanks, I'll give it a shot and get back with the results.

Regular Contributor I

Re: User Derivation Rules Priority

sathya, I've looked around the controller to "reverse the roles assigned to users based on mac-rule and that based on dhcp to ensure that it is not the most restrictive role that is always being applied" but I must be misreading your suggestion.

 

Are you saying to create a "MAC Authentication Default Role" that allows access through it and MAC filtering and then add DHCP Fingerprinting to that Role? I don't see that option.

Regular Contributor I

Re: User Derivation Rules Priority

Yes Colin, the MAC filter did work.

Regular Contributor I

Re: User Derivation Rules Priority

 

Apparently whatever is the most restrictive Rule in the User Derivation Rules takes precedence over all. I've created an unrestricted DHCP-Fingerprinting Rule and a restrictive MAC Rule in the same "User Rules" and no matter if the restrictive is at the top of the list (higher priority) or the bottom (lower), it overrides the less restrictive.

 

 
