Wireless Access

last person joined: 8 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

AOS 8.4: server-group default includes server-rules

  • 1.  AOS 8.4: server-group default includes server-rules

    Posted Apr 03, 2019 11:41 AM

    Configuring mac auth with local-user dbase at the moment.

    In the past you could use the server-group "internal" if you wanted to use the role from the local-userdb or if you wanted to use the role from the aaa profile you simply used the server-group default (since this did not include the server rules to apply the role).

     

    Now in 8.4 both the default and the internal server-group include these server rules. The internal group isn't editable and the default group won't allow removal of the server rules either ("Rule not found!")

     

    You can still create your own serveer-group referencing the internal dbase but meh, why not keep the old behaviour?

     

    Any Aruba people have an idea as to why this was done?  Or if this is a minor bug? 



  • 2.  RE: AOS 8.4: server-group default includes server-rules

    Posted Apr 03, 2019 11:56 AM

    Default Server group  and its rules were historically designed to return the roles of devices that are in the internal database during authentication.  If you don't want that behavior, you should create your own server group from scratch and reference the internal database.



  • 3.  RE: AOS 8.4: server-group default includes server-rules

    Posted Apr 04, 2019 04:16 AM

    Hey Colin, Thanks for the response.

    Creating my own group is what i did, but historically 'default' and 'internal' server-group have always differed in that one had those server-rules and the other didn't.

     

    #show version 
    ArubaOS (MODEL: Aruba3600), Version 6.4.4.16
    
    #show aaa server-group default 
    
    Fail Through:No
    Load Balance:No
    
    Auth Servers
    ------------
    Name      Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
    ----      -----------  ---------  ----------  --------  ---------
    Internal  Internal     No                               
    
    Role/VLAN derivation rules 
    ---------------------------
    Priority  Attribute  Operation  Operand  Type  Action  Value  Validated
    --------  ---------  ---------  -------  ----  ------  -----  ---------
    
    #show aaa server-group internal
    
    Fail Through:No
    Load Balance:No
    
    Auth Servers
    ------------
    Name      Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
    ----      -----------  ---------  ----------  --------  ---------
    Internal  Internal     No                               
    
    Role/VLAN derivation rules 
    ---------------------------
    Priority  Attribute  Operation  Operand  Type    Action    Value  Validated
    --------  ---------  ---------  -------  ----    ------    -----  ---------
    1         Role       value-of            String  set role         No

    This changed somewhere in 8.x.

     

    What is even the use of having both default and internal groups if they are identical in every way.

    That said, I won't lose any sleep over it so feel free to ignore this.