03-06-2012 09:50 AM
I'm creating a User Derivation Rule that utilizes MAC and DHCP Fingerprinting.
I'm redirecting the DHCP Fingerprinted devices to a Blocked-Device-Role but inevitably there will be one user who will have the political power to demand that their device is allowed access.
Shouldn't I be able to create a macaddr/equals/their device's MAC Rule and nest it at the top (Priority 1) and link that to an Allow-Device-Role to give that device access to the wireless network?
What I'm seeing in my test environment is that the most restrictive Rule takes precedence regardless of its priority.
03-06-2012 10:34 AM
Remove the DHCP fingerprint rule and see if the mac address rule fires. Maybe the mac rule has the wrong syntax or wrong mac address and never fires, as a result.
Aruba Customer Engineering
03-06-2012 10:43 AM - edited 03-06-2012 10:46 AM
In the user derivation roles, the DHCP-option rule has a higher priority than a user rule that uses MAC address. So when you define a DHCP-option based rule it always overrides the mac-based and other types of user role derivations.
Every time a user does DHCP, DHCP fingerprinting will kick in and change the role for the user, even though the user is already provisioned.
Can you reverse the roles assigned to users based on mac-rule and that based on dhcp to ensure that it is not the most restrictive role that is always being applied?
03-19-2012 12:46 PM
sathya, I've looked around the controller to "reverse the roles assigned to users based on mac-rule and that based on dhcp to ensure that it is not the most restrictive role that is always being applied" but I must be misreading your suggestion.
Are you saying to create a "MAC Authentication Default Role" that allows access through it and MAC filtering and then add DHCP Fingerprinting to that Role? I don't see that option.
05-14-2012 12:16 PM
Apparently whatever is the most restrictive Rule in the User Derivation Rules takes precedence over all. I've created an unrestricted DHCP-Fingerprinting Rule and a restrictive MAC Rule in the same "User Rules" and no matter if the restrictive is at the top of the list (higher priority) or the bottom (lower), it overrides the less restrictive.