Wireless Water Cooler


Hang out and socialize with other community members in this off topic forum. Everything from industry trends to hobbies and interests are welcomed!

Deny known repeat offender

  • 1.  Deny known repeat offender

    Posted May 30, 2017 03:34 PM

    Trying to automate putting a rogue device in the deny all role.

    Have an Android phone connecting to a PSK network while advertising a wireless hotspot.

    Can manually put the device into the deny all role on the controller. Once the inactivity timer value is reached, the device is removed from the database (deny all role) and can connect again.

    I created a derivation rule for the device's MAC address and applied it to an AAA profile, trying to force the device into the deny all role.

    aaa derivation-rules user Rogue
        set role condition macaddr equals ##:##:## set-value Deny_all description "rogue_test"
    !

    aaa profile Deny_all
        initial-role Deny_all
        user-derivation-rules "Rogue"
    !

    The device goes into the initial role for the PSK network instead of the deny all role.



  • 2.  RE: Deny known repeat offender

    EMPLOYEE


  • 3.  RE: Deny known repeat offender

    Posted Jun 01, 2017 10:54 AM

    The blacklist timer set to zero will work, but it does not write from the master to the locals.

    Thank you



  • 4.  RE: Deny known repeat offender

    EMPLOYEE
    Posted Jun 01, 2017 11:12 AM

    You can take the chance that the device will only show up in a single location and just issue the blacklist on that controller. You can also employ an external policy engine to do MAC authentication of PSK devices to protect enterprise-wide from specific devices.

    It is difficult to maintain a blacklist on controllers using either a user derivation rule or simple blacklisting, because the interface is not designed to add/remove and change dozens of MAC addresses. An external policy engine like ClearPass would be the place to actually do this.
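The reply above notes that the controller CLI is not designed for hand-maintaining dozens of MAC entries. One pragmatic middle ground, when an external policy engine is not yet in place, is to keep the blocklist in a plain file and generate the derivation-rule lines from it, so the config pushed to the controller is always consistent and reviewable. The script below is an added example, not code from the thread or from Aruba: it normalizes MAC addresses written in the three common notations, rejects malformed entries, deduplicates, and renders an `aaa derivation-rules user` block in the style of the rule shown in the original post. The rule-group name `Rogue`, the role `Deny_all`, the `description` field and the sample blocklist are assumptions or constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample blocklist (not real data): one MAC per line with an
# optional comment after the first comma. It deliberately mixes notations,
# repeats one device in a different notation, and includes a bad entry.
SAMPLE_BLOCKLIST = """\
# device, reason
AA:BB:CC:DD:EE:01, android hotspot, ticket 1234
aa-bb-cc-dd-ee-01, same device as the line above in dash notation
aabb.ccdd.ee02, hotspot seen in building B
AABBCCDDEE03, bare hex export from a scanner
ZZ:11:22:33:44:55, not a MAC address at all
"""


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or None if it is not
    a well-formed address in colon/dash, dotted-quad (Cisco) or bare-hex form."""
    s = raw.strip().lower()
    if re.fullmatch(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}", s):
        digits = re.sub(r"[:-]", "", s)
    elif re.fullmatch(r"([0-9a-f]{4}\.){2}[0-9a-f]{4}", s):
        digits = s.replace(".", "")
    elif re.fullmatch(r"[0-9a-f]{12}", s):
        digits = s
    else:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_blocklist(text: str) -> Tuple[Dict[str, str], List[Tuple[int, str]]]:
    """Parse the blocklist text. Returns (entries, rejected) where entries maps
    each normalized MAC to the comment of its first occurrence, and rejected
    lists (line number, raw value) for lines that are not valid MACs."""
    entries: Dict[str, str] = {}
    rejected: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        raw_mac, _, comment = line.partition(",")
        mac = normalize_mac(raw_mac)
        if mac is None:
            rejected.append((lineno, raw_mac.strip()))
            continue
        # First occurrence wins; later duplicates are silently folded in.
        entries.setdefault(mac, comment.strip())
    return entries, rejected


def render_derivation_rules(entries: Dict[str, str],
                            rule_name: str = "Rogue",
                            role: str = "Deny_all") -> str:
    """Render an ArubaOS-style user derivation rule block (assumed syntax,
    modelled on the rule in the thread) that maps each MAC to the deny role."""
    lines = [f"aaa derivation-rules user {rule_name}"]
    for mac, desc in sorted(entries.items()):
        # Double quotes would break the quoted description; swap them out.
        safe_desc = desc.replace('"', "'")
        lines.append(
            f'  set role condition macaddr equals {mac} '
            f'set-value {role} description "{safe_desc}"'
        )
    lines.append("!")
    return "\n".join(lines)


if __name__ == "__main__":
    found, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    for lineno, value in bad:
        print(f"line {lineno}: rejected {value!r}")
    print(render_derivation_rules(found))
```

Generating the block from a file gives you a diffable record of who is denied and why, and the rejection list catches typos before they reach the controller. The same caveat the thread makes still applies: a MAC-based rule only identifies the hardware address the device presents, so it is a containment measure for a known nuisance device, not a substitute for per-device authentication through a policy engine.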