Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

derivation-rules as alternative to blacklist

  • 1.  derivation-rules as alternative to blacklist

    Posted Apr 21, 2017 05:18 AM

    Hi,

    We have a setup with multiple SSIDs on the same controller.

    One of the SSIDs (simple WPA2 authentication) has devices which do not belong there (the WPA2 key has been 'communicated').

    Blacklisting a MAC completely blocks access to every SSID. I basically want to prevent those devices from accessing that specific SSID (let's call it my-mgmt for now).

    I believe this can be done by using a derivation-rule. So by tying an aaa profile containing something like:

    aaa profile "my-mgmt-aaa_prof"
    user-derivation-rules "my-mgmt-rule"
    authentication-dot1x "dot1x_prof-cno90"
    enforce-dhcp

    and:

    aaa derivation-rules user "my-mgmt-rule"
    set role condition macaddr does-not-equal 8c:70:5a:10:89:24 set-value "authenticated"
    set role condition macaddr does-not-equal 64:20:0c:78:de:86 set-value "authenticated"

    So I basically allow every device to authenticate, except those specific MACs.

    Does this make sense?
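    Added example, not code from the post or from ArubaOS: a small model of how a user-derivation-rule list is evaluated, assuming first-match semantics (the first rule whose condition holds assigns the role, otherwise the profile default applies; the page does not state this). It runs the two MACs from the post plus one constructed client through the rule set as posted and through an equals-based variant; the restrictive role name "denyall" and the default role are assumptions.

```python
# Added example: a minimal model of user-derivation-rule evaluation
# (assumed first-match semantics, not the controller's own code), used to
# check whether a rule set really keeps specific MAC addresses out of an SSID.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    condition: str   # "equals" or "does-not-equal"
    macaddr: str
    role: str        # role assigned when the condition holds


def norm(mac: str) -> str:
    """Normalise a MAC so 8C:70:5A... and 8c-70-5a... compare equal."""
    return mac.lower().replace("-", ":")


def derive_role(rules, mac, default_role="authenticated"):
    """Return the role of the first rule whose condition holds, else the default."""
    m = norm(mac)
    for r in rules:
        hit = (m == norm(r.macaddr)) if r.condition == "equals" else (m != norm(r.macaddr))
        if hit:
            return r.role
    return default_role


# The two MACs from the post; the third client address is constructed.
BLOCKED = ["8c:70:5a:10:89:24", "64:20:0c:78:de:86"]
CLIENTS = BLOCKED + ["00:11:22:33:44:55"]

# Rule set as posted: two does-not-equal rules, each granting "authenticated".
# Under first-match evaluation each blocked MAC fails one rule but passes the other.
AS_POSTED = [Rule("does-not-equal", m, "authenticated") for m in BLOCKED]

# Variant: match the unwanted MACs explicitly and hand them a restrictive role
# ("denyall" is an assumption; use whatever quarantine role exists); everyone
# else falls through to the profile's default role.
EXPLICIT_DENY = [Rule("equals", m, "denyall") for m in BLOCKED]


def evaluate(rules):
    """Map every sample client to the role the rule set gives it."""
    return {mac: derive_role(rules, mac) for mac in CLIENTS}


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("explicit deny", EXPLICIT_DENY)):
        print(name, evaluate(rules))
```

    Any MAC-based exclusion only holds for devices that keep their address; since the WPA2 key itself has leaked, rotating the PSK on that SSID is the durable fix.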



  • 2.  RE: derivation-rules as alternative to blacklist
    Best Answer

    EMPLOYEE
    Posted Apr 21, 2017 06:42 AM

    It definitely works, but adding, deleting and searching for MAC addresses, or even remembering why they are there, can become a problem at scale...



  • 3.  RE: derivation-rules as alternative to blacklist

    Posted Apr 21, 2017 07:15 AM

    It's only a short-term solution for a limited number of devices (around 50).