We are vlan pooling about 10 subnets to a local controller and would like a couple of specific mac addresses to always be assigned to the same vlan. From the user guide the following syntax should assign mac address 11:22:33:44:55:66 to vlan 99? Also, since we have a master with multiple local controllers, does that command get entered on the local controller?
aaa derivation-rules user test-mac-vlan set vlan condition macaddr equals "11:22:33:44:55:66" set-value 99
Why do you need this?
If you are using user derived roles, depending on which AD group it is, you can give them different permissions no matter what vlan or what ip address he gets
We have some Apple IPads that need to be on the same subnet, but with vlan pooling they are getting assigned to different subnets. If I created a user derived rule for each mac address, then I could get all the IPads on the same subnet. I realize that this isn't a scalable solution, but it might be a quick fix for the testing phase of the IPads.
You could use DHCP Fingerprint
Or if you are using EAP PEAP then it doesn't matter if it is an ipad or whatever.... if they put in their user and password they will get the same permission no matter what device they use...
I don't know if you are looking for that. Or do you just want to restrict the access for ipads no matter if it's an internal user, like if they are bringing ipads from home?
Can you please explain your situation better to see if I can find you a better solution?
Here is some info of DHCP Fingerprint
I do not want or need all IPads to be in the same vlan. I'm looking for a simple short term solution to get 10 IPads to be on the same vlan, and a user derived rule seems to be the easiest way to do that.
You cannot do that, because user derivation rules are overwritten by every other authentication method, unfortunately... Do these ipads need to be on the same VLAN for airplay or.....?
We do not have any other authentication method, so that is why I thought it would work. Within our DHCP server we use a mac based authentication, but no authentication on the wireless controllers.
They didn't use the word Airplay, but said Bonjour and reflector, so the teacher could have a display on her IPad and the students could sync with that IPad. I think that is similar to Airplay. I was reading the Airgroup Aruba solution guide, but I didn't think any of that was supported in our current version, 184.108.40.206. Plus we do not have ClearPass deployed.
Though other words were used, it certainly is Airplay. You don't need clearpass for it, just an ArubaOS tech release which supports it.
As far as I can tell our current release, 220.127.116.11, doesn't support Airplay and we will not be upgrading code for a while. Do you know what ArubaOS releases support Airplay?
That would be 18.104.22.168-Airgroup, which will remain a separate release until Aruba adds the functionality to the normal release, not sure if that is going to be 6.3, 6.4 or even later.
I have a similar need for this quick solution. The same circumstances are present. I want these mac addresses to be in a specific vlan with vlan pooling, but unfortunately we do not have a thorough role management platform in place. That is, the role for all users is "authenticated". The purpose for putting these devices in a specific vlan is so they can have static addresses in a specific vlan. So I want to be able to check the MAC address of the device and assign it to a specific vlan in the vlan pool based off the mac address. How would I go about doing it if the derivation rules are overwritten by the authenticated role?