Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

user derivation rules

I'm trying to differentiate MacBooks with user certificates vs. MacBooks with machine-based certificates.  We would like the MacBooks with user certificates to be on an 'Enterprise Lite' role, and want MacBooks with machine-based certificates to have the full authenticated role.  We would like to use the MAC addresses of the MacBooks with machine-based certificates to put them in the authenticated role.  I'm open to other suggestions to achieve this.

I tried to use user derivation rules to achieve this.  See below.

!
aaa server-group "Mac_Test-svrgrp"
auth-server NPS Server
!
aaa profile "Mac_Test-aaa_prof"
authentication-dot1x "Mac_Test-dot1x_prof"
dot1x-default-role "authenticated"
dot1x-server-group "Mac_Test-svrgrp"
user-derivation-rules "Guesterprise"
!
aaa derivation-rules user Guesterprise
set role condition dhcp-option equals "370103060F77FC" set-value "Enterprise Lite" description "Ipad-DHCP"
set role condition dhcp-option equals "370103060f775ffc2c2e" set-value "Enterprise Lite" description "MacBook-DHCP"
set role condition macaddr equals "20:20:20:20:20:20" set-value authenticated
!

The dhcp-option equals "370103060f775ffc2c2e" rule seems to supersede the macaddr equals "20:20:20:20:20:20" role condition.  I have even moved macaddr equals "20:20:20:20:20:20" to the top and it made no difference.

Any ideas or suggestions to remedy this?

Thanks,

Bill

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: user derivation rules

DHCP user derivation rules take place last, even after authentication.  The reason is that a dot1x client does not request an IP until it is authenticated, so the DHCP rule has to be processed last.  What RADIUS solution are you using?  Also, where are the certificates issued from?
------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Guru Elite
Posts: 21,023
Registered: ‎03-29-2007

Re: user derivation rules

Do the usernames on machine certificates differ from the usernames on user certificates?  For example, if the username on a machine certificate is host/<domain>, you can use that in a server derivation rule to change the role:

aaa server-group "Mac_Test-svrgrp"
auth-server NPS Server
set role condition username contains host/domain set-value authenticated

Make the default 802.1x role in the AAA profile Enterprise-lite so that users who have any other type of username end up in the Enterprise lite role.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
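As an added example (not part of this thread and not Aruba code), the following Python model walks both designs through the evaluation order the two replies describe: L2 user derivation rules before authentication, then the 802.1x default role or a server derivation rule, and dhcp-option user derivation rules last, after the client gets a lease. The precedence is modelled as stated in the thread rather than taken from ArubaOS documentation, and the client hostnames and the second MAC address are constructed.

```python
"""Model of the role-derivation order this thread describes (added example, not Aruba
code): L2 UDRs first, then the 802.1X default or server-derived role, dhcp-option UDRs last."""
from dataclasses import dataclass

@dataclass
class Client:
    mac: str
    username: str          # identity taken from the EAP-TLS certificate
    dhcp_fingerprint: str  # DHCP option-55 hex string seen by the controller

def derive_role(client, user_rules, server_rules, dot1x_default_role):
    """Return (final_role, trail). user_rules: (cond, value, role); server_rules: (attr, op, value, role)."""
    role, trail = None, []
    # 1. L2 user derivation rules (macaddr) apply before 802.1X completes.
    for cond, value, new_role in user_rules:
        if cond == "macaddr" and client.mac.lower() == value.lower():
            role = new_role
            trail.append(f"UDR macaddr -> {new_role}")
    # 2. 802.1X success replaces that with the default role, unless a server rule matches.
    role = dot1x_default_role
    trail.append(f"dot1x default -> {role}")
    for attr, op, value, new_role in server_rules:
        if attr == "username" and op == "contains" and value in client.username:
            role = new_role
            trail.append(f"server rule {attr} {op} {value!r} -> {new_role}")
    # 3. dhcp-option UDRs run only after the lease, so they override everything above.
    for cond, value, new_role in user_rules:
        if cond == "dhcp-option" and client.dhcp_fingerprint.lower() == value.lower():
            role = new_role
            trail.append(f"UDR dhcp-option -> {new_role}")
    return role, trail

# Constructed sample clients; the first MAC and the fingerprint are the thread's values.
MACHINE_CERT_MAC = Client("20:20:20:20:20:20", "host/mbp01.example.local", "370103060f775ffc2c2e")
USER_CERT_MAC = Client("20:20:20:20:20:21", "bill@example.local", "370103060f775ffc2c2e")
# Original approach: dhcp-option plus macaddr UDRs, dot1x default role "authenticated".
ORIGINAL_UDRS = [("dhcp-option", "370103060f775ffc2c2e", "Enterprise Lite"),
                 ("macaddr", "20:20:20:20:20:20", "authenticated")]
# Suggested approach: server derivation rule on host/ usernames, default role Enterprise-lite.
SERVER_RULES = [("username", "contains", "host/", "authenticated")]

def original_design(client):
    return derive_role(client, ORIGINAL_UDRS, [], "authenticated")

def suggested_design(client):
    return derive_role(client, [], SERVER_RULES, "Enterprise-lite")

if __name__ == "__main__":
    for c in (MACHINE_CERT_MAC, USER_CERT_MAC):
        print(c.username, "| original:", original_design(c), "| suggested:", suggested_design(c))
```

The trail returned for the original design shows the macaddr rule firing and then being overwritten by the dhcp-option rule, which is the behaviour reported in the first post.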

Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Re: user derivation rules

Thanks for the reply cjoseph.

The machines with the user certs number about 10-15 users.  Going forward we will be using machine certs on the devices.  I was thinking I could keep the default 802.1x role in the AAA profile as authenticated and just create 10-15 server rules to force the user certs into the Enterprise lite role.  Will there be an impact if I create that many server rules?

Bill

Guru Elite
Posts: 21,023
Registered: ‎03-29-2007

Re: user derivation rules

You can certainly do it that way, yes.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Re: user derivation rules

Is there a way to view the parameters of the 802.1x authentication, or authentication in general, that are being sent to the NPS?  I noticed that there are a lot of conditions we can choose from.  I would like to see what conditions are being used during our authentication.

Thanks,

Bill

Guru Elite
Posts: 21,023
Registered: ‎03-29-2007

Re: user derivation rules


bingdude wrote:

Is there a way to view the parameters of the 802.1x authentication, or authentication in general, that are being sent to the NPS?  I noticed that there are a lot of conditions we can choose from.  I would like to see what conditions are being used during our authentication.

Thanks,

Bill

Those parameters are fairly standard, and the best place to view them is the NPS Event Viewer.

To see what parameters are sent FROM NPS, you would do this:

config t
logging level debugging security process authmgr
logging level debugging security subcat aaa
show log security 50

Colin Joseph
Aruba Customer Engineering
