How do I map Active Directory to the Cisco ACS using a filter-id?

Aruba Employee
Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.


Using Authentication Server derivation rules allows attributes to be passed from the RADIUS server to the Aruba controller. The attributes can then be used to control access rights for a specific user or group of users.


The example screen below from the Aruba configuration GUI shows a Server rule, which is also known as a "server derivation rule". The attribute selected for this specific rule was the "filter-id". This rule maps the user into the Aruba role "vulcan1-authenticated" when the value of the filter-id is equal to "allowaccess".


The value "allowaccess" is passed from the Cisco ACS to the Aruba controller in the Radius Accept message. In the example, a user called "rzava" was a member of the AD Group "WirelessAccess", which was mapped to the Cisco ACS through the "External User Database Group Mappings". In this ACS Group mapping, the selection was made to return the filter-id value = "allowaccess". If the user does not belong to the AD Group "WirelessAccess", the user is mapped to the "default" Cisco ACS group. The default group is configured to not return a value to the Aruba controller. Since the Server rules are processed Iine order, the next rule is processed that is based on "essid" value match of "Vulcan1" that the user associated/authenticated to. The user is mapped into a user role "guest-login".


The Aruba GUI depicts an Authentication Server Group configured to use a derivation rule that places the user in a specific "role" based on matching the contents of the "Filter-Id".The Filter-Id contents are passed from the ACS only when a user is in the Active Directory Group "WirelessAccess".



 Example User "rzava" and the Active Directory Group Mapping/Membership

Note: The user is a member of the "WirelessAccess" group.




External User Database Group "WirelessAccess"




 Filter-ID configuration for ACS "WirelessAccess" Group. The value that contained "allowaccess" is passed back to the Aruba controller. This value matches the derivation rule configured in the Aruba Server Group, and the user is placed into a specific role.





 Dynamic User Mapping into the "WirelessGroup" based on membership of User in Active Directory and the Mapping of the External User Database Groups to Active Directory. This mapping triggers the return value of "allowaccess" in the filter-id of the radius accept.





 The Wireshark Radius Access Accept Message contains the "Filter-ID" value "allowaccess" because the user was an AD Group member of "WirelessAccess".


 Aruba Security Log Outputcan record the entire authentication process for review:

Jul 13 13:16:59 :124004: <DBUG> |authmgr| Auth server 'uofc-acswlan1' response=0

Jul 13 13:16:59 :124004: <DBUG> |authmgr| {L2} Authenticating Server is uofc-acswlan1

Jul 13 13:16:59 :124004: <DBUG> |authmgr| Matching `Vulcan1-server-group' rules to derive role ...

Jul 13 13:16:59 :124004: <DBUG> |authmgr| rule: set role condition Filter-Id equals "allowaccess" set-value vulcan1-authenticated

Jul 13 13:16:59 :124004: <DBUG> |authmgr| Value Pair to match Filter-Id : allowaccess

Jul 13 13:16:59 :124004: <DBUG> |authmgr| Rule matched! Result string is 'vulcan1-authenticated'

Jul 13 13:16:59 :124004: <DBUG> |authmgr| Tx message to Sibyte. Opcode = 17, msglen = 132

Jul 13 13:17:00 :124004: <DBUG> |authmgr| Matching `Vulcan1-server-group' rules to derive vlan ...

Jul 13 13:17:00 :124004: <DBUG> |authmgr| Tx message to Sibyte. Opcode = 17, msglen = 132

Jul 13 13:17:00 :124004: <DBUG> |authmgr| Rx message 14001/5221, length 138 from


References/resources: Cisco ACS configuration guide, Aruba configuration guide.

Version history
Revision #:
1 of 1
Last update:
‎06-30-2014 05:15 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: