Q: Why do clients not get the role from an access rule when the operand is a MAC address or DHCP option?
A: The information below is required for MAC authentication.
When the attribute for role-based assignment is configured as mac-address or dhcp-option, the client may get the default role instead of the role specified in the rule.
Command: show derivation-rules
SSID:test
Role Derivation Rules
---------------------
Attribute    Operation  Operand            Role Name  Index  Hits
---------    ---------  -------            ---------  -----  ----
mac-address  contains   f8:cf:c5:7c:9c:c5  mac-based  8      0
Jan 1 15:47:42 stm[2812]: is_ssid_authentication_mac_enabled: 10400: essid test mac authentication enable
Jan 1 15:47:42 stm[2812]: pap_authenticate: auth_type :2, username :f8:cf:c5:7c:9c:c5, essid test
Jan 1 15:47:42 stm[2812]: pap_authenticate after convert the username f8:cf:c5:7c:9c:c5 and password f8:cf:c5:7c:9c:c5
Jan 1 15:47:42 stm[2812]: __HIGHER_PRECEDENCE_COMPARE: 1076: matched_rule_index=67fff, sap_sta->acl_rule_index=0, precedence_result=1
Jan 1 15:47:42 cli[2788]: <541004> <WARN> |AP 04:bd:88:cd:5c:04@10.1.1.253 cli| recv_stm_sta_update: receive station msg, mac-f8:cf:c5:7c:9c:c5 bssid-04:bd:88:55:c0:41 essid-test.
Jan 1 15:47:42 stm[2812]: stm_send_sta_update: Sending sta update msg to CLI0, mac='f8:cf:c5:7c:9c:c5'
Jan 1 15:47:42 stm[2812]: user_auth_handler: 10929: Get session timeout '0', idle timeout '1000', username 'f8:cf:c5:7c:9c:c5'
Jan 1 15:47:42 cli[2788]: <541004> <WARN> |AP 04:bd:88:cd:5c:04@10.1.1.253 cli| recv_stm_sta_update: receive station msg, mac-f8:cf:c5:7c:9c:c5 bssid-04:bd:88:55:c0:41 essid-test.
Jan 1 15:47:42 stm[2812]: stm_send_sta_update: Sending sta update msg to CLI0, mac='f8:cf:c5:7c:9c:c5'
Jan 1 15:47:42 stm[2812]: stm_start_acct_for_post_1xauth_user: 17266: ip not ready for sta 'f8:cf:c5:7c:9c:c5'
Jan 1 15:47:42 stm[2812]: recv_radius_acct_multi_session_id: 17223: got mac='f8:cf:c5:7c:9c:c5', name='(null)', start_time='56862 (Thu Jan 1 15:47:42 1970 )'
Jan 1 15:47:42 stm[2812]: stm_start_acct_for_post_1xauth_user: 17266: ip not ready for sta 'f8:cf:c5:7c:9c:c5'
Jan 1 15:47:42 dnsmasq-dhcp[11284]: Vlan id: 3333
Jan 1 15:47:42 dnsmasq-dhcp[11284]: DHCPREQUEST(br0) 172.31.98.124 f8:cf:c5:7c:9c:c5
Jan 1 15:47:42 dnsmasq-dhcp[11284]: DHCPACK(br0) 172.31.98.124 f8:cf:c5:7c:9c:c5 android-a18a87cd64a46b1d
This issue occurs when the MAC address entered in the String column contains a delimiter; in the output above, the rule with operand f8:cf:c5:7c:9c:c5 shows 0 hits.
By design, the operand for mac-address or dhcp-option based derivation should not include any delimiter.
To avoid this, enter the MAC address in the format below.
set-role mac-address contains f8cfc57c9cc5 mac-based
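An added example, not part of the original article or the vendor's tooling: a Python check that reads saved `show derivation-rules` output and flags mac-address or dhcp-option rules whose operand contains a delimiter, suggesting a replacement in the set-role form shown above. The sample output is constructed, and the delimiter set (`:`, `-`, `.`) and whitespace-free role names are assumptions.

```python
import re

# Constructed sample: `show derivation-rules` output in the layout shown above.
SAMPLE = """\
SSID:test
Role Derivation Rules
---------------------
Attribute    Operation  Operand            Role Name  Index  Hits
---------    ---------  -------            ---------  -----  ----
mac-address  contains   f8:cf:c5:7c:9c:c5  mac-based  8      0
mac-address  contains   aabbcc000001       printers   9      12
"""

DELIMITERS = re.compile(r"[:.\-]")  # assumption: separators to reject
CHECKED = {"mac-address", "dhcp-option"}  # attributes named in the article


def audit_rules(output):
    """Return one finding per rule whose operand contains a delimiter."""
    findings = []
    for line in output.splitlines():
        fields = line.split()
        # Rule rows have six columns ending in numeric Index and Hits;
        # this assumes role names contain no whitespace.
        if len(fields) != 6 or not (fields[4].isdigit() and fields[5].isdigit()):
            continue
        attribute, operation, operand, role, index, hits = fields
        if attribute not in CHECKED or not DELIMITERS.search(operand):
            continue
        fixed = DELIMITERS.sub("", operand)
        findings.append({
            "index": int(index),
            "hits": int(hits),
            "operand": operand,
            "suggested": f"set-role {attribute} {operation} {fixed} {role}",
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE):
        print(f"rule {f['index']} ({f['hits']} hits): "
              f"operand {f['operand']!r} contains a delimiter")
        print(f"  replace with: {f['suggested']}")
```
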