PSK MAC Address based VLAN Steering
I have an Aruba 3600 and a mix of 110 AP-105s and AP-135s. I have some medical devices on my network that do not support 802.1x auth. We have connected them via PSK but they still need to be on their own VLAN. How do I go about creating a policy based on MAC address that places them in the correct VLAN when the controller authenticates them?
Here is what you need to do:
1. Create a role for those medical devices that is configured for the VLAN you want them to be on
2. Find out what AAA profile is attached to your PSK network (type "show user-table verbose" on the command line). Under the "Profile" column is the AAA profile you need to focus on.
3. Write a user derivation rule that looks for devices whose MAC address starts with the prefix of those medical devices and places them in the role from step 1
4. Apply that user rule to the AAA profile so it will look for any device that begins with that MAC address and put it into that role, effectively switching those devices into that VLAN as well.
Here is how I just did it:
In the background, I created a user role called Medical-Devices that had vlan 1000 attached to it. I did not forget to add a firewall policy to that role to allow traffic for my medical devices. I also have a valid VLAN 1000 configured on the controller.
I typed show user-table verbose on the command line to figure out what AAA profile is assigned to my devices for that WLAN. In the example below, it is CatchMe-aaa_prof:
I have a bunch of devices that begin with 84:3a:4b. To create a user rule to steer those devices to that role, on the controller GUI I went to Configuration > Security > Authentication > User Rules and clicked Add to create a new user derivation rule for my devices to be placed in the Medical-Devices role when they associate:
Last, but not least, I found my AAA profile above by going to Configuration > Security > Authentication > AAA Profiles. I edited my CatchMe-aaa_prof AAA profile and applied the user rule to it:
Now when your devices associate to that SSID, if their MAC address begins with that prefix, they will be put into that role.
Quite frankly, that is the BIG solution that allows places like hospitals to have a single utility SSID for PSK devices and put them all into different VLANs.
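As an added example (not part of the original answer above), here are the same four steps expressed as ArubaOS CLI configuration rather than GUI clicks, using the role, VLAN, OUI prefix and AAA profile name from the answer. The rule name Medical-UDR and the ACL placeholder are my own choices, and the command syntax is ArubaOS 6.x as I know it, so check it against your controller's version:

```text
user-role Medical-Devices
   vlan 1000
   session-acl <your-medical-acl>
!
aaa derivation-rules user Medical-UDR
   set role condition macaddr starts-with "84:3a:4b" set-value Medical-Devices
!
aaa profile "CatchMe-aaa_prof"
   user-derivation-rules "Medical-UDR"
!
show aaa derivation-rules user Medical-UDR
show user-table verbose
```

After a device associates, its row in show user-table verbose should list Medical-Devices in the Role column; note that the match is on the vendor prefix only, so every client on that SSID whose MAC begins with 84:3a:4b lands in that role.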