Controllerless Networks

Instant version 6.2.0.0-3.2.0.2_37229 on IAP105

When I set the access type on an SSID to role based it's not saved as role based. It save the access settings as network based using the rules assigned in the role I configured.

I'll explain in images.

Here I set the access as role based, and clicked finish.

The access type dioesn't update...

Checking the access type when editing the SSID shows it as network based using the setting I configured in the role CCP.

I've tried this on different SSIDs with different security types and I'm getting the same results. 

Anyone else getting this before I reset my instants and reconfigure?

Cheers

James

not 100% sure, but i think i encountered the same thinking back about it. is it an issue for you? in principe it doesn't matter much if you don't change rules via clearpass or such.

Yeah, it's a bit of a pain to be honest. 

I configured an SSID and assigned it to be role based access then attempted to edit the role from with the PEF menu. Obviously this didn't work as it was set to network based...

TAC suspect that it's a browser issue and that does make sense. I'll test it next week and report back.

James

i tried this to confirm and the same happens for me (6.2 / 3.2 _ 37229), but i can edit the role fine in PEF > Roles menu, it even udates the situation then in network-based access at the network. in principe it is the same if you don't use the extra features in the role-based menu.

That's interesting. What browser are you using? I only tested this on Chome Version 25.0.1364.152 m.

firefox, can't lookup the exact version right now, but probably one of the latest ones.

OK, apparently this is by design.

From TAC:

Role based with adding access list in role:

• When we configure a SSID with role based normally (i.e) with the acl “allow any to all destinations” then after saving the configuration it will change it to network based.
• This is because we are just adding the ACL in the role and this will get applied to all the users who are connecting to that SSID
• This is an expected behavior

--------------------------

This doesn't really make sense to me. If I assign an SSID to be role based I expect to be able to modify that role to change the access that users get when connected to that SSID.

I've put this forward as a "feature request".

Cheers

James

thanks for the update, good to know.

@jrwhitehead wrote:

If I assign an SSID to be role based I expect to be able to modify that role to change the access that users get when connected to that SSID.

---

i still don't fully get your remark here, you can change the role, well you can change the firewall rules and then those are applied on the network based settings.

Gotcha. So, it is doing what it's supposed to but just not setting it as role based.

i guess so and as long as you don't use a pre auth role or machine auth there is nothing wrong with that. the only thing i wonder is if you can send a role with the radius reponse now and if that gets picked up correctly.

There are Product Enhancements filed to change this confusing behavior.

I'd like to hear from the community  if our expectations are correct - once any "Role based" entry is created - any return to this screen should depict the previously configured "role based", and not revert to showing the "network based", without having to add extra configuration parameters.

Thoughts ?

i would go a step further, once i have selected the role-based settings with the slider, even without changing anything or creating any extra role i expect it to remain selected to role-based.