Role derivation based on MAC address for Open or PSK based SSID

By arunhasan1 posted Apr 09, 2015 07:17 AM


There are several ways to assign a user role to a client. This article describes how to assign the user role through role derivation based on MAC address for an Open or PSK-based SSID.


Administrators can now differentiate roles for users connecting to an Open or PSK-based SSID based on their MAC address.


Environment: This article applies to all Instant Access Points running 4.1 and later.


rtaImage (2).png


Create a new SSID as shown below


rtaImage (3).png


Choose VLAN assignment as needed

rtaImage (4).png


Security could be Open or PSK based.


rtaImage (5).png


Choose Role based under Access Rules, then under Role Assignment Rules choose the parameters as shown below and click Finish.

In the screenshot below, a role derivation rule is created that assigns clients to the allow all role when their MAC address starts with 0061.


rtaImage (6).png


With the above, the configuration part is done.


From "show running-config" we can validate whether role derivation based on MAC address has been applied to the created SSID.


rtaImage (7).png


A user whose MAC address starts with 0061 is assigned the Allowall role, whereas all other users are assigned the "Guest" role, in which we have restrictions. The same can be seen in the Web UI by clicking on the client banner.


rtaImage (8).png


rtaImage (9).png


  1. Make sure the role derivation is properly configured in the SSID profile (from the CLI/WebUI) and that it contains the MAC addresses of whichever users need to be in the Allowall role.
  • From WebUI:

rtaImage (10).png

  • From CLI:

rtaImage (11).png
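
The verification step above can also be done offline against an exported client list. The following is an added example, not part of the original article or any Aruba tooling: it models the article's rule (MAC starts with 0061 gives Allowall, everything else Guest) and reports clients whose observed role differs. The rule tuple layout, the operators other than starts-with, first-match ordering, comparison on hex digits only, and the sample client table are all assumptions made for illustration.

```python
import re

# Hypothetical in-memory form of the SSID's role assignment rules, in order.
# Only this one rule comes from the article; the tuple layout is an assumption.
RULES = [("starts-with", "0061", "Allowall")]
DEFAULT_ROLE = "Guest"  # role the article shows for every other client

# Operator names other than starts-with are assumed for illustration.
MATCHERS = {
    "starts-with": str.startswith,
    "ends-with": str.endswith,
    "equals": str.__eq__,
    "contains": str.__contains__,
}

def normalize_mac(mac):
    """Reduce 00:61:AA:.., 00-61-aa-.. or 0061.aa.. to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def expected_role(mac, rules=RULES, default=DEFAULT_ROLE):
    """First matching rule decides the role (assumed ordering), else the default."""
    digits = normalize_mac(mac)
    for operator, operand, role in rules:
        pattern = re.sub(r"[^0-9A-Fa-f]", "", operand).lower()
        if MATCHERS[operator](digits, pattern):
            return role
    return default

def audit(clients, rules=RULES, default=DEFAULT_ROLE):
    """Return (mac, observed, expected) for clients whose observed role differs."""
    mismatches = []
    for mac, observed in clients:
        want = expected_role(mac, rules, default)
        if observed.lower() != want.lower():
            mismatches.append((mac, observed, want))
    return mismatches

# Constructed sample client table: (MAC, role seen on the client banner or CLI).
SAMPLE_CLIENTS = [
    ("00:61:71:aa:bb:01", "Allowall"),
    ("0061.71aa.bb02", "Guest"),        # should have matched the rule
    ("a4:5e:60:10:20:30", "Guest"),
    ("10:00:61:10:20:31", "Allowall"),  # 0061 is present but not at the start
]

if __name__ == "__main__":
    for mac, observed, want in audit(SAMPLE_CLIENTS):
        print(f"{mac}: observed {observed}, rule set gives {want}")
```

A client listed by `audit` either has a MAC that the configured rule does not cover or is being placed by some other role assignment than the one modelled here.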