Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

block server side role derivation / ROLE_DERIVATION_DOT1X_VSA

  • 1.  block server side role derivation / ROLE_DERIVATION_DOT1X_VSA

    Posted Nov 08, 2017 05:32 AM

    Hello!


    I've got a CP running as RADIUS server in my lab.
    ClearPass offers the controller a value for role derivation.

    Now, I want to use CP as RADIUS server for internal and RAP users.
    The RAP users should get a role with a split tunneling ACL.

    BUT: I do not want to use a second derived role for RAP users from the RADIUS server. For RAP users the 802.1X Authentication Default Role should be used.
    Internal users would associate with both AP groups/VAPs.

    To achieve this, I created a second radius server group without a server rule.
    I thought, in this case the radius value would be ignored.


    Now, if I disassociate my test user from the internal SSID, where the RADIUS group with the server rule is active, and associate with the RAP SSID, the user also gets the derived role from the RADIUS server.
    Even if I execute "aaa user delete all" before.


    Why does this happen?
    Is the role for the user cached by the controller?
    Or does the ROLE_DERIVATION_DOT1X_VSA override the default role even if there is no role derivation rule set under the RADIUS server group profile?


    Is there a way to block role derivation for specific AAA profiles?

    Thank you for your advice!




  • 2.  RE: block server side role derivation / ROLE_DERIVATION_DOT1X_VSA

    EMPLOYEE
    Posted Nov 08, 2017 06:05 AM

    RADIUS VSA overrides any other derivation.

    What you can do is, within ClearPass, write an enforcement policy that checks the ap-group of the incoming request and returns the split-tunneled role instead.



  • 3.  RE: block server side role derivation / ROLE_DERIVATION_DOT1X_VSA

    Posted Nov 08, 2017 08:24 AM

    Ok, no way to block derivation?



  • 4.  RE: block server side role derivation / ROLE_DERIVATION_DOT1X_VSA
    Best Answer

    EMPLOYEE
    Posted Nov 08, 2017 08:48 AM

    Unfortunately, there is no way to block a VSA from setting a role.
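Added example, not code from this thread or from HPE Aruba Networking: a small Python model of the role selection order the replies describe (VSA first, then server-derivation rule, then the AAA profile's 802.1X default role) together with a ClearPass-style enforcement rule keyed on the AP group, which is the workaround reply 2 suggests. The attribute names Aruba-User-Role and Aruba-AP-Group are assumed VSA names; the role and AP group values are constructed samples.

```python
from typing import Optional


def derive_role(access_accept: dict, server_rule_role: Optional[str],
                dot1x_default_role: str) -> str:
    """Controller side: a role carried in the Aruba-User-Role VSA wins over a
    server-derivation rule, which in turn wins over the 802.1X default role.
    Dropping the server rule on the RAP AAA profile therefore changes nothing
    while ClearPass keeps sending the VSA, which matches what the poster saw."""
    vsa_role = access_accept.get("Aruba-User-Role")  # assumed VSA name
    if vsa_role:
        return vsa_role
    if server_rule_role:
        return server_rule_role
    return dot1x_default_role


def enforcement_policy(access_request: dict) -> dict:
    """ClearPass side (constructed rule): branch on the AP group of the
    Access-Request so RAP users get the split-tunnel role and everyone
    else gets the internal role. Returns the attributes of the Access-Accept."""
    ap_group = access_request.get("Aruba-AP-Group", "")  # assumed VSA name
    if ap_group.startswith("rap-"):
        return {"Aruba-User-Role": "rap-split-tunnel"}
    return {"Aruba-User-Role": "employee"}


def role_for(ap_group: str, aaa_default_role: str) -> str:
    """End-to-end: build a request for the given AP group, run it through the
    policy and let the controller pick the role. No server rule is configured,
    mirroring the poster's second server group."""
    request = {"User-Name": "testuser", "Aruba-AP-Group": ap_group}  # constructed
    accept = enforcement_policy(request)
    return derive_role(accept, server_rule_role=None,
                       dot1x_default_role=aaa_default_role)


if __name__ == "__main__":
    print(role_for("campus-internal", "guest"))   # employee
    print(role_for("rap-home", "rap-default"))    # rap-split-tunnel
```

With the policy in place the RAP AAA profile's default role is only reached when ClearPass sends no Aruba-User-Role at all, which is exactly the "no way to block the VSA" point of the best answer.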