I am working on denying our "registered" users access to our guest portal.
Our MAC authentication system returns Aruba-specific attributes (VSAs), specifically the Aruba-User-Role attribute.
What I want to do is transform those values in a server group profile:
aaa server-group "GUEST-PORTAL-RESTRICT-ACCESS-SG-B"
auth-server NETREG-RADIUS-TEST-B
set role condition Aruba-User-Role equals "UNREGISTERED-ROLE-B" set-value amigopod-guest-role
set role condition Aruba-User-Role not-equals "UNREGISTERED-ROLE-B" set-value guest_reguser_deny_redirect
!
Basically this says: if you are "unregistered", set you to the amigopod guest role. If you are anything else, deny access.
However, from the logs it looks like Aruba VSAs trump server derivation rules:
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:860] Sending radius request to NETREG-RADIUS-TEST-B:129.64.102.17:1812 id:9,len:204
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] NAS-IP-Address: 129.64.27.175
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] NAS-Port-Id: 0
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] NAS-Port-Type: 19
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] User-Name: 70:56:81:bc:ba:d1
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:873] Password: *****
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Calling-Station-Id: 705681BCBAD1
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Called-Station-Id: 000B8611BA00
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Service-Type: Login-User
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Aruba-Essid-Name: brandeis_guest01
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Aruba-Location-Id: JT_TestAP
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Aruba-AP-Group: Test_APGroup
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Message-Auth: \272\254\347"\224\214\231p\001\222\315DF\2520\222
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:76] Find Request: id=9, srv=129.64.102.17, fd=74
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:82] Current entry: srv=129.64.102.17, fd=74
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:38] Del Request: id=9, srv=129.64.102.17, fd=74
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:972] Authentication Successful
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:974] RADIUS RESPONSE ATTRIBUTES:
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] User-Name: turner
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] {Aruba} Aruba-User-Role: ACCESS-ROLE-B
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] PW_RADIUS_ID: \011
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] Rad-Length: 49
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] PW_RADIUS_CODE: \002
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] PW_RAD_AUTHENTICATOR: \020\361\272\0\217e\356\022
Jul 24 08:48:14 :121031: <DBUG> |authmgr| |aaa| [rc_acct.c:561] Radius Accounting Start: user 70:56:81:bc:ba:d1
Jul 24 08:48:14 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:1064] Default : setting nas_port_type to wireless
Jul 24 08:48:14 :121031: <DBUG> |authmgr| |aaa| [rc_acct.c:294] create_common_acct: Added VSA Aruba-User-Vlan 700
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
10.202.27.254 70:56:81:bc:ba:d1 70:56:81:bc:ba:d1 ACCESS-ROLE-B 00:00:11 MAC JT_TestAP Wireless brandeis_guest01/d8:c7:c8:32:a7:b2/a-HT brandeis-amigopod-aaa tunnel OS X
User Entries: 1/1
Is this expected? I know it's unusual to transform a VSA, but hey, it doesn't say you can't!
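An added example, not code from the post or from Aruba: a small Python audit that parses the authmgr "RADIUS RESPONSE ATTRIBUTES" lines and evaluates the server-group rules quoted above, reporting the role the rules would derive next to the role the VSA asserts directly, so a mismatch like the one in the logs is flagged. It assumes the first matching rule wins and that the `[rc_api.c:989]` line format shown above is stable; the sample log is a constructed excerpt of the lines in the post.

```python
import re

# Constructed sample: the response-attribute lines from the post above.
SAMPLE_LOG = r"""
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:972] Authentication Successful
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:974] RADIUS RESPONSE ATTRIBUTES:
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] User-Name: turner
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] {Aruba} Aruba-User-Role: ACCESS-ROLE-B
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] PW_RADIUS_ID: \011
"""

# Attribute lines look like "[rc_api.c:989] {Vendor} Name: value"; the vendor tag is optional.
ATTR_RE = re.compile(r"\[rc_api\.c:989\] (?:\{(?P<vendor>\w+)\} )?(?P<name>[\w-]+): (?P<value>.*)$")

def parse_response_attributes(log: str) -> dict:
    """Collect attributes printed after 'RADIUS RESPONSE ATTRIBUTES:' (request attributes are skipped)."""
    attrs, in_response = {}, False
    for line in log.splitlines():
        if "RADIUS RESPONSE ATTRIBUTES:" in line:
            in_response = True
            continue
        if not in_response:
            continue
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group("name")] = m.group("value")
    return attrs

# The server-group rules from the post, in configured order: (attribute, operator, match, role).
RULES = [
    ("Aruba-User-Role", "equals", "UNREGISTERED-ROLE-B", "amigopod-guest-role"),
    ("Aruba-User-Role", "not-equals", "UNREGISTERED-ROLE-B", "guest_reguser_deny_redirect"),
]

def derive_role(attrs: dict, rules=RULES):
    """Role the rules would assign; assumption: first matching rule wins, no match -> None."""
    for attr, op, match, role in rules:
        value = attrs.get(attr)
        if value is None:
            continue  # rule attribute absent from the response, rule cannot match
        if op == "equals" and value == match:
            return role
        if op == "not-equals" and value != match:
            return role
    return None

def audit(log: str, rules=RULES) -> dict:
    """Compare the rule-derived role with the role the VSA asserts; differing values mean the VSA won."""
    attrs = parse_response_attributes(log)
    return {"vsa_role": attrs.get("Aruba-User-Role"), "derived_role": derive_role(attrs, rules)}
```

For the excerpt above, audit() reports the VSA role ACCESS-ROLE-B against the derived role guest_reguser_deny_redirect, which is the discrepancy the "show user" output confirms.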