Wireless Access

Contributor II
Posts: 66
Registered: 01-25-2013

derivation-rules as alternative to blacklist

Hi,

We have a setup with multiple SSIDs on the same controller.

One of the SSIDs (simple WPA2 authentication) has devices which do not belong there (the WPA2 key has been 'communicated').

Blacklisting a MAC completely blocks access to every SSID. I basically want to prevent those devices from accessing that specific SSID (let's call it my-mgmt for now).

I believe this can be done by using a derivation rule, by tying an AAA profile containing something like:

aaa profile "my-mgmt-aaa_prof"
user-derivation-rules "my-mgmt-rule"
authentication-dot1x "dot1x_prof-cno90"
enforce-dhcp

and:

aaa derivation-rules user "my-mgmt-rule"
set role condition macaddr does-not-equal 8c:70:5a:10:89:24 set-value "authenticated"
set role condition macaddr does-not-equal 64:20:0c:78:de:86 set-value "authenticated"

So I basically allow every device to authenticate, except those specific MACs.

Does this make sense?
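A small model of how the two derivation rules above are evaluated, added here as an editor's example; it is not code from the thread or from Aruba, and it does not speak the controller's CLI. It assumes (the page does not say) that rules are checked in order and the first matching rule assigns the role, and that a client matching no rule keeps the profile's initial role. The point it makes holds under either first-match or all-match semantics: each listed MAC fails its own `does-not-equal` rule but satisfies the other one, so both listed devices still receive "authenticated". The second rule set shows the inverse shape, an allow-by-default initial role with `equals` rules that assign a restricted role; the role name `denied-role` is a hypothetical placeholder.

```python
"""Model of Aruba-style MAC derivation rules (added example, not from the post).

Assumptions, not stated on the page:
  * rules are evaluated top to bottom and the first match assigns the role;
  * a client that matches no rule keeps the AAA profile's initial role.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str   # only "macaddr" is modelled here
    operator: str    # "equals" or "does-not-equal"
    value: str       # MAC address in aa:bb:cc:dd:ee:ff form
    set_value: str   # role assigned when the condition is true


def matches(rule: Rule, mac: str) -> bool:
    """Return True when the client's MAC satisfies the rule's condition."""
    mac = mac.lower()
    if rule.attribute != "macaddr":
        raise ValueError(f"attribute not modelled: {rule.attribute}")
    if rule.operator == "equals":
        return mac == rule.value.lower()
    if rule.operator == "does-not-equal":
        return mac != rule.value.lower()
    raise ValueError(f"operator not modelled: {rule.operator}")


def derive_role(rules: list[Rule], mac: str, initial_role: str) -> str:
    """First-match evaluation: the role of the first rule whose condition holds,
    otherwise the profile's initial role (assumption, see module docstring)."""
    for rule in rules:
        if matches(rule, mac):
            return rule.set_value
    return initial_role


def audit(rules: list[Rule], initial_role: str, macs: list[str]) -> dict[str, str]:
    """Role each MAC in `macs` would end up with under `rules`."""
    return {mac: derive_role(rules, mac, initial_role) for mac in macs}


# The two rules exactly as written in the post (MACs are the post's values).
POSTED_RULES = [
    Rule("macaddr", "does-not-equal", "8c:70:5a:10:89:24", "authenticated"),
    Rule("macaddr", "does-not-equal", "64:20:0c:78:de:86", "authenticated"),
]

# Inverse shape: initial role already "authenticated", listed MACs are
# demoted by "equals" rules. "denied-role" is a hypothetical role name.
DENY_LIST_RULES = [
    Rule("macaddr", "equals", "8c:70:5a:10:89:24", "denied-role"),
    Rule("macaddr", "equals", "64:20:0c:78:de:86", "denied-role"),
]

LISTED_MACS = ["8c:70:5a:10:89:24", "64:20:0c:78:de:86"]
UNLISTED_MAC = "02:00:00:00:00:01"  # constructed, locally administered address


def still_admitted(rules: list[Rule], initial_role: str, macs: list[str],
                   admitted_role: str = "authenticated") -> list[str]:
    """MACs from the block list that would still land in the admitted role."""
    roles = audit(rules, initial_role, macs)
    return [mac for mac, role in roles.items() if role == admitted_role]


if __name__ == "__main__":
    for label, rules, initial in (("posted", POSTED_RULES, "initial"),
                                  ("deny-list", DENY_LIST_RULES, "authenticated")):
        print(f"[{label}] unlisted -> {derive_role(rules, UNLISTED_MAC, initial)}")
        for mac, role in audit(rules, initial, LISTED_MACS).items():
            print(f"[{label}] {mac} -> {role}")
        print(f"[{label}] listed MACs still admitted: "
              f"{still_admitted(rules, initial, LISTED_MACS)}")
```

Running the script lists, for each rule set, the role an unlisted client and both listed clients would receive; the `still_admitted` check is the one worth keeping in a change procedure, since it reports any block-listed MAC that a rule set still maps to the admitted role.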

Guru Elite
Posts: 20,978
Registered: 03-29-2007

Re: derivation-rules as alternative to blacklist

It definitely works, but adding, deleting and searching for MAC addresses, or even remembering why they are there, can become a problem at scale...

Colin Joseph
Aruba Customer Engineering

Contributor II
Posts: 66
Registered: 01-25-2013

Re: derivation-rules as alternative to blacklist

It's only a short-term solution for a limited number of devices (around 50).
