Wireless Access

mom
Contributor I

block server side role derivation / ROLE_DERIVATION_DOT1X_VSA

Hello!


I've got a CP running as RADIUS server in my LAB.
ClearPass offers the controller a value for role derivation.

Now, I want to use CP as RADIUS server for internal and RAP users.
The RAP users should get a role with a split tunneling ACL.

BUT: I do not want to use a second derived role for RAP users from the RADIUS. For RAP users the 802.1X Authentication Default Role should be used.
Internal users would associate with both AP groups/VAPs.

To achieve this, I created a second radius server group without a server rule.
I thought, in this case the radius value would be ignored.


Now, if I disassociate my test user from the internal SSID where the RADIUS group with server rule is active and associate with the RAP SSID, the user also gets the derived role from the RADIUS server.
Even if I execute "aaa user delete all" before.


Why does this happen?
Is the role for the user cached by the controller?
Or does the ROLE_DERIVATION_DOT1X_VSA override the default role even if there is no role derivation rule set under the RADIUS server group profile?


Is there a way to block role derivation for specific AAA profiles?

Thank you for your advice!


Best regards
Matthias
Guru Elite

Re: block server side role derivation / ROLE_DERIVATION_DOT1X_VSA

RADIUS VSA overrides any other derivation.

What you can do is, within ClearPass, write an enforcement policy that checks the ap-group of the incoming request and returns the split-tunneled role instead...

Colin Joseph
Aruba Customer Engineering

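To make the advice above concrete: the controller applies whatever role arrives in the Aruba-User-Role VSA, so the fix is to make the RADIUS server pick the role based on where the request comes from. The following Python is an added illustration, not ClearPass code or anything from the original post (ClearPass enforcement policies are built in its GUI, not scripted). It encodes and decodes Aruba Vendor-Specific attributes on the wire (RFC 2865 type 26, Aruba enterprise number 14823) and then evaluates a tiny policy that returns the split-tunnel role only when the request carries a RAP ap-group. The VSA sub-type numbers (1 for Aruba-User-Role, 10 for Aruba-AP-Group), the AP group names and the role names are assumptions for the example.

```python
import struct

# RFC 2865: Vendor-Specific attribute type
VENDOR_SPECIFIC = 26
# Aruba Networks IANA enterprise number
ARUBA_VENDOR_ID = 14823
# Aruba VSA sub-types (assumed from the Aruba RADIUS dictionary)
ARUBA_USER_ROLE = 1
ARUBA_AP_GROUP = 10

# Constructed AP group names: which ap-groups are remote APs (assumption)
RAP_AP_GROUPS = {"rap-home-office", "rap-branch"}
# Constructed role names (assumption): must exist on the controller
RAP_ROLE = "rap-split-tunnel"
INTERNAL_ROLE = "internal-employee"


def encode_aruba_vsa(subtype: int, value: str) -> bytes:
    """Encode one Aruba VSA: 26 | len | vendor-id(4) | sub-type | sub-len | value."""
    payload = value.encode("utf-8")
    vendor_part = struct.pack("!BB", subtype, len(payload) + 2) + payload
    body = struct.pack("!I", ARUBA_VENDOR_ID) + vendor_part
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_attributes(raw: bytes) -> dict:
    """Walk a RADIUS attribute list; return Aruba VSAs as {sub-type: value}.

    Non-Aruba attributes are skipped; malformed lengths raise instead of
    silently looping, which matters when parsing untrusted RADIUS traffic.
    """
    out = {}
    i = 0
    while i + 2 <= len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed RADIUS attribute length")
        data = raw[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(data) >= 6:
            vendor_id = struct.unpack("!I", data[:4])[0]
            if vendor_id == ARUBA_VENDOR_ID:
                j = 4
                while j + 2 <= len(data):
                    sub, slen = data[j], data[j + 1]
                    if slen < 2 or j + slen > len(data):
                        raise ValueError("malformed Aruba VSA length")
                    out[sub] = data[j + 2:j + slen].decode("utf-8", "replace")
                    j += slen
        i += alen
    return out


def enforce(request_attrs: dict) -> str:
    """Model of the enforcement policy: choose the role from the ap-group.

    Because Aruba-User-Role always wins over the AAA profile default role,
    the server has to return the RAP role itself rather than hoping the
    controller falls back to its 802.1X default role.
    """
    ap_group = request_attrs.get(ARUBA_AP_GROUP, "")
    return RAP_ROLE if ap_group in RAP_AP_GROUPS else INTERNAL_ROLE


def build_access_accept(access_request: bytes) -> bytes:
    """Decode the request's Aruba VSAs and return the Aruba-User-Role VSA."""
    attrs = decode_attributes(access_request)
    return encode_aruba_vsa(ARUBA_USER_ROLE, enforce(attrs))


def derived_role(access_request: bytes) -> str:
    """Convenience: what role the controller would apply from our reply."""
    return decode_attributes(build_access_accept(access_request))[ARUBA_USER_ROLE]


if __name__ == "__main__":
    # Constructed requests: same user, two SSIDs, only the ap-group differs
    rap_req = encode_aruba_vsa(ARUBA_AP_GROUP, "rap-home-office")
    campus_req = encode_aruba_vsa(ARUBA_AP_GROUP, "campus-internal")
    print("RAP SSID    ->", derived_role(rap_req))      # rap-split-tunnel
    print("Campus SSID ->", derived_role(campus_req))   # internal-employee
```

The decoder tolerates a request that carries other attributes before or after the Aruba VSAs, and the policy falls back to the internal role when the ap-group attribute is absent, which is the safer default if a controller is ever misconfigured to omit it.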

mom
Contributor I

Re: block server side role derivation / ROLE_DERIVATION_DOT1X_VSA

Ok, no way to block derivation?

Best regards
Matthias
Guru Elite

Re: block server side role derivation / ROLE_DERIVATION_DOT1X_VSA

Unfortunately, there is no way to block a VSA from setting a role.

Colin Joseph
Aruba Customer Engineering
