Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Default User Role is overriding desired role when using Machine Authentication

  • 1.  Default User Role is overriding desired role when using Machine Authentication

    Posted Jan 05, 2012 02:46 PM

    Hi All,

    I recently enabled machine authentication enforcement to keep guest users off of our corporate SSID. Machines get dropped into an appropriate role when they boot, and switch over to a user role when someone logs in... If users log in to a device that doesn't exist in AD they get dropped into a 3rd role.

    The problem I'm having is with devices logging in that don't exist in AD. These devices are getting placed into the role defined as the "Machine Authentication: Default User Role" even though I've defined conditions under the radius server group that should place them into a specific role.

    Here's part of the debug log:

    Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=TestIAS
    Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 IP=0.0.0.0 Derived role 'COWS' from server rules: server-group=sg-auth-dot1x, authentication=8021x-User
    Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 def_vlan 1 derive vlan: 0 auth_type 11 auth_subtype 11
    Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 Station authenticated: method=8021x-User, role=BYOD, VLAN=1/1/0
    Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 def_vlan 1 derive vlan: 0 auth_type 11 auth_subtype 11
    Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 Station authenticated: method=8021x-User, role=BYOD, VLAN=1/1/0

    If I'm reading this right, the machine authenticates, gets the role of COWS (which is what I want), then is switched into BYOD.

    What might be going on here?

    Thanks



  • 2.  RE: Default User Role is overriding desired role when using Machine Authentication
    Best Answer

    Posted Jan 05, 2012 02:49 PM

    Users that have ONLY passed user authentication ONLY get the Enforce Machine Authentication: user role. No further role derivation is performed. Role derivation is ONLY performed for devices that passed both User and Machine Authentication.
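An added illustration, not from either poster: the Python below parses authmgr lines in the format quoted in the question (a constructed sample based on them, plus one extra constructed station that was not overridden) to flag stations whose server-derived role was replaced, and models the role rule stated in this answer. The fallback to an 802.1X default role when both checks pass but no server rule matches is an assumption, not something the thread states.

```python
import re

# Constructed sample log, modelled on the authmgr lines quoted in the question;
# station 00:aa:bb:cc:dd:01 is an added "no override" case for contrast.
SAMPLE_LOG = """\
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=TestIAS
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 IP=0.0.0.0 Derived role 'COWS' from server rules: server-group=sg-auth-dot1x, authentication=8021x-User
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 Station authenticated: method=8021x-User, role=BYOD, VLAN=1/1/0
Jan 5 11:20:01 authmgr MAC=00:aa:bb:cc:dd:01 IP=0.0.0.0 Derived role 'COWS' from server rules: server-group=sg-auth-dot1x, authentication=8021x-User
Jan 5 11:20:01 authmgr MAC=00:aa:bb:cc:dd:01 Station authenticated: method=8021x-User, role=COWS, VLAN=1/1/0
"""

MAC_RE = re.compile(r"MAC=([0-9a-f:]{17})")
DERIVED_RE = re.compile(r"Derived role '([^']+)' from server rules")
FINAL_RE = re.compile(r"Station authenticated: method=(\S+), role=([^,]+),")


def parse_authmgr(text):
    """Return {mac: {"derived": role, "final": role, "method": m}} from authmgr lines."""
    stations = {}
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        if not mac:
            continue
        entry = stations.setdefault(mac.group(1), {"derived": None, "final": None, "method": None})
        if m := DERIVED_RE.search(line):
            entry["derived"] = m.group(1)          # role the server-group rules produced
        if m := FINAL_RE.search(line):
            entry["method"], entry["final"] = m.group(1), m.group(2)  # role actually applied
    return stations


def find_overrides(text):
    """Stations whose server-derived role was replaced by a different final role."""
    return sorted((mac, s["derived"], s["final"])
                  for mac, s in parse_authmgr(text).items()
                  if s["derived"] and s["final"] and s["derived"] != s["final"])


def expected_role(machine_ok, user_ok, server_role, machine_default, user_default, dot1x_default):
    """Role to expect under 'Enforce Machine Authentication', per the rule in this answer."""
    if machine_ok and user_ok:
        # Only here are server-group rules evaluated; falling back to the 802.1X
        # default role when no rule matches is an assumption of this example.
        return server_role or dot1x_default
    if user_ok:
        return user_default      # user-only pass: server rules are skipped
    if machine_ok:
        return machine_default   # machine-only pass: role the device holds after boot
    return None                  # neither passed: no role assigned
```

Calling find_overrides(SAMPLE_LOG) returns the first station only, matching the behaviour the question describes; expected_role(False, True, "COWS", ...) returns the user default role, which is why the override is expected rather than a misconfiguration.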