01-06-2016 10:19 AM - edited 01-06-2016 10:24 AM
My guest VAP uses the internal DB with the default server group with the 'attribute -> role -> value of -> set role' rule.
I'm creating a new VAP for a select group of users that will be placed in a different role and VLAN. This role also needs to use the local DB for auth. I'd use the Guest VAP for these users, but it sets the VLAN in the VAP config for captive portal to work. If these users use L3 auth, their VLAN won't change when their role is assigned by the 'set role' rule in the default server group.
Anyway, the issue I'm having is that if I use the internal DB for authentication, my guest users can login on this new VAP and vice versa. I've created a new server group using the internal DB and set the following rule:
action: set role
The problem is that the guest role users still pick up the role because there is no explicit exclusion and they get the role from the AAA profile 802.1x Default Role.
Also, my-role can log in via guest - which gives them the correct role and policy, but they'll be on the wrong VLAN.
Is there any cleaner way of handling this scenario?
Note: I set the default 802.1x role to denyall and the server group rule to set the role doesn't seem to work. It instead puts the client in denyall.
01-06-2016 10:23 AM
01-06-2016 10:34 AM
I know. If I had one, I'd probably have 1/10th the posts here. I've been pushing for one since my first day touching this Aruba environment, but we have some sysadmin positions that need to be filled and the one guy holding down the fort now has a backlog of projects. All server resources go through him for the time being... so I need to get creative and try to make things work with the local DB for at least the next few months. Unless it's impossible in this case?
01-06-2016 02:39 PM
This worked in the server group -> server rules.
You have to manually type 'role' because it's not in the dropdown. And it says the rule is not validated. But it did the job.
"Aruba-User-Role" from the dropdown doesn't work. Now other roles can associate, but they will be put in the denyall role.
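To make the behaviour described in this thread easier to reason about, here is a small Python model of server-group rule evaluation with a deny-by-default fallback. It is an added illustration written for this thread, not ArubaOS code and not anything from the original posts: the attribute name `role`, the rule shapes (`value-of` and `equals`), the user records and the profile names are all assumptions. It shows three things: a `value-of` rule on the attribute the internal DB actually returns assigns each user their own role; a rule written against an attribute name that is never returned can never fire, so every user falls through to the default role (`denyall`); and on the restricted VAP an `equals` rule plus the `denyall` default gives the explicit exclusion the original question asked for, with guests ending up in `denyall` instead of picking up a role they should not have.

```python
"""Model of role derivation from server-group rules with deny-by-default.

Constructed example for this thread; not ArubaOS code.  Attribute names,
rule operations, user records and profile names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

DENY_ALL = "denyall"  # assumed name of the default 802.1x role in the AAA profile

# Constructed internal-DB records.  Each entry carries a 'role' attribute that
# the authentication server hands back on success (assumed attribute name).
INTERNAL_DB = {
    "guest1": {"password": "g-pass", "role": "guest"},
    "staff1": {"password": "s-pass", "role": "my-role"},
}


@dataclass(frozen=True)
class Rule:
    attribute: str      # attribute name exactly as typed into the rule
    operation: str      # "value-of": use the attribute's value as the role
                        # "equals":   assign set_value when value == match
    match: str = ""
    set_value: str = ""


@dataclass
class AaaProfile:
    rules: list[Rule]
    default_role: str = DENY_ALL  # used when no rule fires


def authenticate(username: str, password: str) -> dict | None:
    """Check credentials against the internal DB; return attributes or None."""
    rec = INTERNAL_DB.get(username)
    if rec is None or rec["password"] != password:
        return None
    return {"role": rec["role"]}


def derive_role(attrs: dict, profile: AaaProfile) -> str:
    """Walk the server-group rules in order; first matching rule wins."""
    for rule in profile.rules:
        value = attrs.get(rule.attribute)
        if value is None:
            continue  # attribute not returned: this rule can never match
        if rule.operation == "value-of":
            return value
        if rule.operation == "equals" and value == rule.match:
            return rule.set_value
    return profile.default_role  # deny-by-default fallback


def login(username: str, password: str, profile: AaaProfile) -> str | None:
    """None means the credentials were rejected; otherwise the derived role."""
    attrs = authenticate(username, password)
    if attrs is None:
        return None
    return derive_role(attrs, profile)


# Guest VAP: rule on the attribute the DB really returns, as in the solution.
VALUE_OF_PROFILE = AaaProfile(rules=[Rule("role", "value-of")])

# Same rule typed against an attribute name the DB never returns: never fires.
MISNAMED_PROFILE = AaaProfile(rules=[Rule("Aruba-User-Role", "value-of")])

# Restricted VAP: only 'my-role' users get a usable role, everyone else denyall.
RESTRICTED_PROFILE = AaaProfile(
    rules=[Rule("role", "equals", match="my-role", set_value="my-role")]
)

if __name__ == "__main__":
    for name, profile in [("value-of", VALUE_OF_PROFILE),
                          ("misnamed", MISNAMED_PROFILE),
                          ("restricted", RESTRICTED_PROFILE)]:
        for user, pw in [("guest1", "g-pass"), ("staff1", "s-pass")]:
            print(f"{name:10} {user}: {login(user, pw, profile)}")
```

The point of the model is the ordering of the checks: a rule only fires when the named attribute is actually present in what the server returns, so a mismatched attribute name silently degrades to the default role rather than erroring, which is exactly why a `denyall` default makes a misconfiguration visible as "everyone lands in denyall" instead of "everyone lands in a permissive role".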