09-23-2016 03:36 AM - edited 09-23-2016 03:57 AM
Hi All. I have a VAP for an SSID (test_ssid) which has a User Derivation rule within the AAA profile which says:
set role condition essid equals test_ssid and go to a role that we've set up.
However, when a user connects to this SSID, they are still getting the logon role - and not matching this rule and subsequently getting the correct role. What is particularly odd is that under User Rules it is showing a Hit, but the clients aren't following the role assigned.
I've checked it against VAPs/AAA/User Derivation on the same site and it is exactly the same.
This is a bridged VAP also.
Any ideas or suggestions?
09-23-2016 04:10 AM
I've been doing some user debugging - this only happens on the bridged. Tunnel is fine. From what I can see in the logs:
Sep 23 12:09:33 :522260: <DBUG> |authmgr| "VDR - Cur VLAN updated cc:20:e8:ce:70:3b mob 0 inform 1 remote 1 wired 0 defvlan 254 exportedvlan 0 curvlan 254.
Sep 23 12:09:33 :522096: <DBUG> |authmgr| cc:20:e8:ce:70:3b: Sending STM new Role ACL : 2, and Vlan info: 254, action : 10, AP IP: 192.168.0.170, flags : 0 idle-timeout: 300
Sep 23 12:09:33 :522242: <DBUG> |authmgr| MAC=cc:20:e8:ce:70:3b Station Created Update MMS: BSSID=24:de:c6:51:a2:9a ESSID=Fareham_Test254_Aruba VLAN=254 AP-name=Fareham
Sep 23 12:09:33 :522301: <DBUG> |authmgr| Auth GSM : USER publish for uuid 0xf946df20db20000e mac cc:20:e8:ce:70:3b name role logon devtype wired 0 authtype 0 subtype 0 encrypt-type 9 conn-port 0 fwd-mode 1
Sep 23 12:09:40 :522145: <DBUG> |authmgr| handle_rap_bridge_user(): Entered. MAC:cc:20:e8:ce:70:3b, IP:172.25.254.170, apName:Fareham action:2 acl:logon.
Sep 23 12:09:40 :522287: <DBUG> |authmgr| Auth GSM : MAC_USER publish for mac cc:20:e8:ce:70:3b bssid 24:de:c6:51:a2:9a vlan 254 type 1 data-ready 0
Sep 23 12:09:40 :522157: <INFO> |authmgr| Update wireless bridge-mode user: username= MAC=cc:20:e8:ce:70:3b IP=172.25.254.170 AP=Fareham aclnum=2.
Sep 23 12:09:40 :522063: <DBUG> |authmgr| AP-Bridge-Wireless User: mac:cc:20:e8:ce:70:3b dot1x:0, keytype:9(static-wpa2-aes)
Sep 23 12:09:40 :522158: <DBUG> |authmgr| Role Derivation for user N/A-cc:20:e8:ce:70:3b- N/A Set AAA profile defaults.
Sep 23 12:09:40 :522158: <DBUG> |authmgr| Role Derivation for user N/A-cc:20:e8:ce:70:3b- logon Unknown role event.
It's defaulting to logon. If I change the initial role... it works fine. Just not following this Rule.