Can we assign a specific VLAN to users based on SSID, location, client MAC, etc. if users are authenticated by MAC-based authentication or Captive Portal authentication with the internal server?
"Before client authentication, the VLAN can be derived from rules based on client attributes (SSID, BSSID, client MAC, location, and encryption type). A rule that derives a specific VLAN takes precedence over a rule that derives a user role that may have a VLAN configured for it"
What if we want to assign a specific role to the user, since the user is authenticated based on MAC address or the Captive Portal internal server?
If you want to derive vlan or role before authentication, you use the User derivation rules. These rules can use the following for deriving vlan or role:
If you wish to derive with the authentication, you should use the server derivation rules.
There are a ton of conditions to test against, including MAC address or, for example, attributes returned from a RADIUS server during the authentication process.
(controller) (config) #aaa derivation-rules user test
(controller) (user-rule) #set ?
    role                The action of the rule is to set to role
    vlan                The action of the rule is to set to vlan
(controller) (user-rule) #set role ?
    condition           Condition that should be checked to derive role/VLAN
(controller) (user-rule) #set role condition ?
    bssid               BSSID of access point
    dhcp-option         Enable DHCP option processing
    dhcp-option-77      Enable DHCP option 77 processing
    encryption-type     Encryption method used by station
    essid               ESSID of access point
    location            user location (ap name)
    macaddr             MAC address of user
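A complete rule set built from the conditions listed in the help output above, as an added example that is not part of the original thread. The ESSID, AP name, MAC prefix, VLAN ID, role names and AAA profile name are constructed placeholders; the match operators and the `set-value`/`position` keywords follow ArubaOS user-derivation rule syntax and should be confirmed with `?` completion on your release.

```text
! Added example: every value marked (assumed) is a placeholder, not from the thread.
aaa derivation-rules user test
  ! Pre-authentication VLAN: clients joining this ESSID (assumed) go to VLAN 20 (assumed).
  set vlan condition essid equals "corp-guest" set-value 20 position 1
  ! Pre-authentication role by MAC prefix (constructed prefix, assumed role name).
  ! The MAC address is supplied by the client, so give this role only the access
  ! you would allow any unauthenticated device.
  set role condition macaddr starts-with "00:11:22" set-value scanner-role position 2
  ! Pre-authentication role by location, which is the AP name (assumed AP and role names).
  set role condition location equals "ap-lobby-01" set-value lobby-role position 3
!
! Attach the rule set to the AAA profile used by the virtual AP (profile name assumed).
aaa profile guest-aaa
  user-derivation-rules test
```

The roles named in `set-value` must already exist on the controller. A role or VLAN that should depend on the outcome of MAC or captive portal authentication belongs in server derivation rules instead, as described above.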