Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

What is the order of precedence for role assignment?

  • 1.  What is the order of precedence for role assignment?

    Posted Jan 06, 2016 01:19 PM

    Aruba 3600

    6.4.2.14

     

    My guest VAP uses the internal DB with the default server group with the 'attribute -> role -> value of -> set role' rule.

    I'm creating a new VAP for a select group of users that will be placed in a different role and VLAN.  This role also needs to use the local DB for auth. I'd use the Guest VAP for these users, but it sets the VLAN in the VAP config for captive portal to work.  If these users use L3 auth, their VLAN won't change when their role is assigned based on the 'set role' rule in the default server group.

    Anyway, the issue I'm having is that if I use the internal DB for authentication, my guest users can log in on this new VAP and vice versa.  I've created a new server group using the internal DB and set the following rule:

    attribute: user-role
    operation: equals
    operand: my-role
    type: string
    action: set role
    value: my-role


    The problem is that the guest role users still pick up the role because there is no explicit exclusion and they get the role from the AAA profile 802.1x Default Role.

    Also, my-role can log in via guest - which gives them the correct role and policy, but they'll be on the wrong VLAN.

    Is there any cleaner way of handling this scenario?

    Note: I set the default 802.1x role to denyall and the server group rule to set the role doesn't seem to work.  It instead puts the client in denyall.



  • 2.  RE: What is the order of precedence for role assignment?

    EMPLOYEE
    Posted Jan 06, 2016 01:23 PM

    The internal database is designed for basic use. You should consider using a RADIUS server if you want to differentiate access between SSIDs.



  • 3.  RE: What is the order of precedence for role assignment?

    Posted Jan 06, 2016 01:35 PM

    I know.  If I had one, I'd probably have 1/10th the posts here.  I've been pushing for one since my first day touching this Aruba environment, but we have some sysadmin positions that need to be filled and the one guy holding down the fort now has a backlog of projects.  All server resources go through him for the time being... so I need to get creative and try to make things work with the local DB for at least the next few months.  Unless it's impossible in this case?



  • 4.  RE: What is the order of precedence for role assignment?
    Best Answer

    Posted Jan 06, 2016 02:40 PM

    Can I do something like this?  Or possibly do this with captive portal?

    role != my-role
    set-role deny-all?



  • 5.  RE: What is the order of precedence for role assignment?

    Posted Jan 06, 2016 05:40 PM

    This worked in the server group -> server rules.

    You have to manually type 'role' because it's not in the dropdown.  And it says the rule is not validated.  But it did the job.

    "Aruba-User-Role" from the dropdown doesn't work.  Now other roles can associate, but they will be put in the denyall role.
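
Added example, not part of the thread and not ArubaOS code: a small Python model of the rule evaluation discussed above, showing why a single `equals` rule leaves every authenticated user on the AAA profile's default role and why the explicit `not-equals` exclusion from posts 4 and 5 closes that gap. The first-match ordering, the `role` attribute name in the internal-DB reply, the sample users, and `my-role` as the permissive default role are all assumptions made for the model.

```python
# Simplified model (an assumption, not ArubaOS code): server rules are
# checked in order, the first match sets the role, and if nothing matches
# the AAA profile's default role applies.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    attribute: str   # attribute name the rule inspects
    operation: str   # "equals" or "not-equals"
    operand: str
    set_role: str

def derive_role(attrs, rules, default_role):
    """Return the role for a user whose auth reply carried `attrs`."""
    for rule in rules:
        if rule.operation not in ("equals", "not-equals"):
            raise ValueError(f"unsupported operation: {rule.operation}")
        if rule.attribute not in attrs:
            continue  # attribute not returned, so the rule cannot match
        same = attrs[rule.attribute] == rule.operand
        if same == (rule.operation == "equals"):
            return rule.set_role
    return default_role

# Constructed internal-DB replies; the attribute name "role" is assumed
# from post 5, where a rule keyed on 'role' is the one that took effect.
GUEST = {"role": "guest"}
SELECT = {"role": "my-role"}

# Post 1: a single rule keyed on "user-role", with no explicit exclusion.
post1_rules = [Rule("user-role", "equals", "my-role", "my-role")]
# Posts 4-5: explicit exclusion keyed on "role".
post5_rules = [Rule("role", "not-equals", "my-role", "denyall")]

def outcomes(rules, default_role):
    """Role each constructed user ends up with on the new VAP."""
    return {name: derive_role(attrs, rules, default_role)
            for name, attrs in (("guest", GUEST), ("select", SELECT))}

if __name__ == "__main__":
    print(outcomes(post1_rules, "my-role"))  # permissive default: guest gets in
    print(outcomes(post1_rules, "denyall"))  # strict default: everyone denied
    print(outcomes(post5_rules, "my-role"))  # exclusion rule: only guest denied
```

In this model the deny decision has to come from a rule that actually matches the returned attribute; relying on the default role alone either admits everyone or blocks everyone.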