Wireless Access

last person joined: 41 minutes ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

User derived rule for specific vlan

  • 1.  User derived rule for specific vlan

    Posted Jan 23, 2013 04:02 PM

    We are vlan pooling about 10 subnets to a  local controller and would like a couple specific mac addresses always be assigned to the same vlan. From the user guide the following syntax should assign mac address 11:22:33:44:55:66 to vlan 99? Also, since we have a master with multiple local controllers, does that command get entered on the local controller?

     

    aaa derivation-rules user test-mac-vlan
      set vlan condition macaddr equals "11:22:33:44:55:66" set-value 99

     

    Bob



  • 2.  RE: User derived rule for specific vlan

    Posted Jan 23, 2013 07:13 PM

    Why do you need this?

    if you are using user derived roles depending on which group of AD it is you can give them differente permitions no matter on what vlan or what ip address he gets



  • 3.  RE: User derived rule for specific vlan

    Posted Jan 23, 2013 07:46 PM

    We have some Apple IPads that need to be on the same subnet, but with vlan pooling they are getting assigned to different subnets. If I created a user derived rule for each mac address, then I could get all the IPads on the same subnet. I realized that this isn't a scalable solution, but it might be a quick fix for the testing phrase of the IPads.

     

    Bob



  • 4.  RE: User derived rule for specific vlan

    Posted Jan 23, 2013 07:50 PM

    You could use DHCP Fingerprint

    Or IF you are using EAP PEAP then it doesnt matter if it ipad or whatever.... if they put their user and password they will get the same permission no matter what device they use...

    I dont know if you are looking for that.  Or you just want to restrict the access to ipad no matter if its an internal user like if they are bringing ipads from home?

     

    Can you please explian better your situation to see if i can find you a better solution?



  • 5.  RE: User derived rule for specific vlan

    Posted Jan 23, 2013 07:53 PM


  • 6.  RE: User derived rule for specific vlan

    Posted Jan 23, 2013 08:40 PM

    I do not want or need all IPads to be in the same vlan. I'm looking for a simple short term solution to get 10 IPads to be on the same vlan, and an user derived rule seem to be the easiest way to do that.

     

     

     



  • 7.  RE: User derived rule for specific vlan

    Posted Jan 23, 2013 09:42 PM

    You cannot do that, because user derivation rules are overwritten by every other authentication method, unfortunately...  Do these ipads need to be on the same VLAN for airplay or.....?



  • 8.  RE: User derived rule for specific vlan

    Posted Jan 24, 2013 09:52 AM

    We do not have any other authentiction method, so that is why I thought it would work. Within our DHCP server we use a mac base authentication, but no authentication on the wireless controllers. 

     

    They didn't use the word Airplay, but said Bonjour and reflector, so the teacher could have a display on her IPad and the students could sync with that IPad.  I think that is similar to Airplay. I was reading the Airgorup Aruba solution guide, but I didn't think any of that was supported in our current version, 6.1.3.2 Plus we do not have ClearPass deployed. 

     

    Bob 



  • 9.  RE: User derived rule for specific vlan

    Posted Jan 26, 2013 10:43 AM

    though other words were used, it certainly is Airplay. you don't need clearpass for it, just a ArubaOS tech release which supports it.



  • 10.  RE: User derived rule for specific vlan

    Posted Jan 28, 2013 09:12 AM

    As far as I can tell our currenty release, 6.1.3.2, doesn't support Airplay and we will not be upgrsding code for a while. Do you know what ArubaOS releases support Airplay? 

     

     



  • 11.  RE: User derived rule for specific vlan

    Posted Jan 28, 2013 02:02 PM

    that would be 6.1.3.4-Airgroup, which will remain a separate release until Aruba adds the functionality it to the normal release, not sure if that is going to be 6.3, 6.4 or even later.



  • 12.  RE: User derived rule for specific vlan

    Posted Apr 10, 2014 12:01 PM

    I have a similar need for this quick solution. The same circumstances are present. I want these mac address to be in a specifc vlan with vlan pooling, but unfortunately we do not have a thorough role management platform in place. That is, the role for all users is "authenticated". The purpose for putting these devices in a specific vlan is so they can have static address in a specific vlan. So I want to be able to check the MAC address of the device and assign it to a specific vlan in the vlan pool based off the mac address. How would I go about doing it if the derivation rules are overwritten by the authenticated role?