Frequent Contributor I
Posts: 91
Registered: ‎08-10-2015

What is the order of precedence for role assignment?

Aruba 3600

6.4.2.14

 

My guest VAP uses the internal DB with the default server group with the 'attribute -> role -> value of -> set role' rule.

 

I'm creating a new VAP for a select group of users that will be placed in a different role and VLAN.  This role also needs to use the local DB for auth. I'd use the Guest VAP for these users, but it sets the VLAN in the VAP config for captive portal to work.  If these users use L3 auth, their VLAN won't change when their role is assigned based on the 'set role' rule in the default server group.

Anyway, the issue I'm having is that if I use the internal DB for authentication, my guest users can log in on this new VAP and vice versa.  I've created a new server group using the internal DB and set the following rule:

attribute: user-role
operation: equals
operand: my-role
type: string
action: set role
value: my-role

The problem is that the guest role users still pick up the role because there is no explicit exclusion and they get the role from the AAA profile 802.1x Default Role.

 

Also, my-role can log in via guest - which gives them the correct role and policy, but they'll be on the wrong VLAN.

 

Is there any cleaner way of handling this scenario?

 

Note: I set the default 802.1x role to denyall and the server group rule to set the role doesn't seem to work.  It instead puts the client in denyall.

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: What is the order of precedence for role assignment?

The internal database is designed for basic use. You should consider using a RADIUS server if you want to differentiate access between SSIDs.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 91
Registered: ‎08-10-2015

Re: What is the order of precedence for role assignment?

I know.  If I had one, I'd probably have 1/10th the posts here.  I've been pushing for one since my first day touching this Aruba environment, but we have some sysadmin positions that need to be filled and the one guy holding down the fort now has a backlog of projects.  All server resources go through him for the time being... so I need to get creative and try to make things work with the local DB for at least the next few months.  Unless it's impossible in this case?

 

 

Frequent Contributor I
Posts: 91
Registered: ‎08-10-2015

Re: What is the order of precedence for role assignment?

Can I do something like this?  Or possibly do this with captive portal?

role != my-role
set-role deny-all?

Frequent Contributor I
Posts: 91
Registered: ‎08-10-2015

Re: What is the order of precedence for role assignment?

This worked in the server group -> server rules.

 

You have to manually type 'role' because it's not in the dropdown.  And it says the rule is not validated.  But it did the job.

 

"Aruba-User-Role" from the dropdown doesn't work.  Now other roles can associate, but they will be put in the denyall role.
