Wireless Access

Super Contributor II
Posts: 354
Registered: ‎09-26-2012

VLAN / Role Assignment after Authentication

Can we assign a specific VLAN to users based on SSID, location, client MAC, etc., if the users are authenticated by MAC-based authentication or captive portal authentication with the internal server?

 "Before client authentication, the VLAN can be derived from rules based on client attributes (SSID, BSSID, client MAC, location, and encryption type). A rule that derives a specific VLAN takes precedence over a rule that derives a user role that may have a VLAN configured for it"

What if we want to assign a specific role to the user, since the user is authenticated based on MAC address or captive portal with the internal server?

Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
Frequent Contributor II
Posts: 113
Registered: ‎11-27-2012

Re: VLAN / Role Assignment after Authentication

If you want to derive a VLAN or role before authentication, you use the user derivation rules. These rules can use the following for deriving a VLAN or role:

  • BSSID
  • ESSID
  • Location
  • User MAC
  • Encryption-type
  • DHCP opt 77

If you wish to derive with the authentication, you should use the server derivation rules.

There are a ton of conditions to test against, including MAC address or, for example, attributes returned from a RADIUS server during the authentication process.

-----------------------------------
-ACMX #352-
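As an added illustration of the pre-authentication user derivation rules described in the reply above (example configuration written for this page, not taken from the thread or from Aruba documentation), the ArubaOS fragment below sets a VLAN by ESSID and by AP name, and a role by client MAC prefix and by encryption type, then binds the rule set to an AAA profile. Every name, ESSID, VLAN ID, MAC prefix and AP name is a placeholder; replace them with values from your own deployment.

```text
! Added example (not from the thread). All names, VLAN IDs, ESSIDs, the MAC prefix
! and the AP name are placeholders.

! Roles that the rules may assign. A VLAN inside a role is optional.
user-role printer-role
  vlan 30
!
user-role guest-logon
!
! Rule set evaluated before authentication. Per the quoted documentation,
! a rule that sets a VLAN directly takes precedence over a rule that sets
! a role which carries its own VLAN.
aaa derivation-rules user UDR-EXAMPLE
  set vlan condition essid equals "Guest-WiFi" set-value 50
  set vlan condition location equals "Lobby-AP1" set-value 51
  set role condition macaddr starts-with "00:1a:1e" set-value printer-role
  set role condition encryption-type equals open set-value guest-logon
!
! Bind the rule set to the AAA profile that the virtual AP uses.
aaa profile AAA-GUEST
  user-derivation-rules UDR-EXAMPLE
```

Rules are evaluated top-down, so put the most specific match first. Note that every attribute available here (ESSID, BSSID, AP name, client MAC, encryption type, DHCP option) is chosen or trivially spoofed by the client, so a role derived this way should carry only the access you would give an unauthenticated device.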
Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: VLAN / Role Assignment after Authentication

Thanks for your response,

Please note we don't have any external server available. How do we configure server rules? Please advise.
Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
MVP
Posts: 562
Registered: ‎11-28-2011

Re: VLAN / Role Assignment after Authentication

[ Edited ]
If you want to specify a VLAN, you'll need to use MAC auth, as you typically can't change the VLAN after the initial auth is completed (without something like ClearPass). When you do this, you can add roles into the MAC accounts on the internal DB, then specify a VLAN within the role itself. Then just set the server group to derive the roles from the account details.

If you just want to specify a role, simply do the same thing, but omit the vlan number in the role.
Kudos appreciated, but I'm not hunting! (ACMX 104)
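The procedure in the reply above (MAC authentication against the internal database, role stored on each MAC account, VLAN carried by the role, server group deriving the role from the account) as one worked ArubaOS configuration. This is an example added for this page, not configuration from the thread or from the poster; the role names, MAC addresses, VLAN IDs, profile names and the session ACL are placeholders.

```text
! Added example (not from the thread). Roles, MACs, VLAN IDs, profile names
! and the session ACL are placeholders.

! Roles. Put the VLAN inside the role when the VLAN should follow the role.
user-role iot-role
  vlan 40
  access-list session allowall     ! assumption: a session ACL that exists on the controller
!
user-role guest-role               ! no VLAN: the client keeps the VAP's VLAN
!
! One internal-DB account per device. Username and password are both the MAC
! in the form the MAC auth profile produces (lowercase, no delimiter, see below).
local-userdb add username 001a1e123456 password 001a1e123456 role iot-role
local-userdb add username 001a1e654321 password 001a1e654321 role guest-role
!
! MAC auth profile: how the client MAC is rendered as a username.
aaa authentication mac MAC-INT
  delimiter none
  case lower
!
! Server group pointing at the internal DB. The server derivation rule copies
! the Role attribute of the matched account into the user's role.
aaa server-group SG-INTERNAL
  auth-server Internal
  set role condition Role value-of
!
! AAA profile tying it together. A MAC that is not in the DB fails MAC auth
! and stays in the initial role.
aaa profile AAA-MAC
  initial-role logon
  authentication-mac MAC-INT
  mac-server-group SG-INTERNAL
```

The `delimiter` and `case` settings must match the format of the usernames you add to the internal DB, otherwise the lookup silently fails and the client stays in the initial role. Keep in mind that a MAC address is the only credential here and is trivially cloned, so a role reached through MAC authentication should be least-privilege; anything sensitive belongs behind a credential the client cannot copy off the air.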
Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: VLAN / Role Assignment after Authentication

I'm sorry, but I don't understand you; my English isn't very good, my bad.

Can you please provide me screenshots or some CLI configuration sample to understand the concept..

Thank you so much for your support...
Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: VLAN / Role Assignment after Authentication

(controller) (config) #aaa derivation-rules user test
(controller) (user-rule) #set ?
role                    The action of the rule is to set to role
vlan                    The action of the rule is to set to vlan

(controller) (user-rule) #set role ?
condition               Condition that should be checked to derive role/VLAN

(controller) (user-rule) #set role condition ?
bssid                   BSSID of access point
dhcp-option             Enable DHCP option processing
dhcp-option-77          Enable DHCP option 77 processing
encryption-type         Encryption method used by station
essid                   ESSID of access point
location                user location (ap name)
macaddr                 MAC address of user

[attached image: rule.png]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: VLAN / Role Assignment after Authentication

Nice Info, Thank You
Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA