Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Role-based access rules not being applied

  • 1.  Role-based access rules not being applied

    Posted Oct 27, 2013 03:23 PM

    I have created a Role based access rule on an Instant AP 105 that is to be applied to the client based on the ssid they connect to. However, the only access rule that is ever applied is from the default Role created when creating an ssid. Any idea why the Role based access rule never gets applied and the Role never changes?

     

    Attribute = aruba-essid-name Operator = equals String = RED Role = IG

     

    When clients connect to ssid RED they should get Role "IG", yes? But instead they only get the default Role. What am I missing?



  • 2.  RE: Role-based access rules not being applied

    EMPLOYEE
    Posted Oct 28, 2013 09:41 AM

    Are you doing machine auth as well? Could explain why the role is not getting applied, as you need to auth both the device and the user for this to occur. What is your auth mechanism? Internal to the IAP? Captive Portal? External RADIUS?

     

    Can you post some of your config removing any client specifics? WLAN section as well as Auth and roles.

     

    Adam



  • 3.  RE: Role-based access rules not being applied

    Posted Oct 28, 2013 10:41 AM

    No machine auth. Just basic WPA-2 Personal. Here is the snippet of config I think would be setting the Role:

     

    wlan ssid-profile RED
     index 0
     type employee
     essid RED
     wpa-passphrase d4f4ce460e56ce7adaa288a43e9c4ffac5d784fafda7720c
     opmode wpa2-psk-aes
     max-authentication-failures 0
     auth-server InternalServer
     set-role Aruba-Essid-Name equals RED IG
     rf-band all
     captive-portal disable

     

    However, the only Role that gets applied is the default Role that gets created when the ssid is created.

     

    Then the next question: Can you only apply one Role-based access rule set per IAP? I have a BLUE ssid created that has a default BLUE Role-based rule set. BUT, when I apply the BLUE Role-based rule set to the BLUE ssid it appears to save but when I go back in and look at the Access tab it has the Access set to Network-Based with the rules I created for the BLUE Role???



  • 4.  RE: Role-based access rules not being applied

    EMPLOYEE
    Posted Oct 28, 2013 11:59 AM

    What code version are you running? I'm running 3.3.0.2 on a 2x IAP cluster I have up in my lab and I'm seeing the same issue. Confirm version and I will ping PLM internally. Note if this is/was a known issue, it may be patched in current code - but my IAPs are live on our cloud management platform and there is a slight lag b/w current GA code and supported code on Aruba Central.

     

    Please confirm.

     

    Adam



  • 5.  RE: Role-based access rules not being applied

    Posted Oct 28, 2013 12:04 PM

    6.2.0.0-3.2.0.4_38110 and 6.2.1.0-3.4.0.3_40346

     

    Seems to be happening on both.



  • 6.  RE: Role-based access rules not being applied

    EMPLOYEE
    Posted Oct 28, 2013 12:10 PM

    Thanks, leave it with me for the moment...will reply back asap.

     

    Adam



  • 7.  RE: Role-based access rules not being applied

    Posted Oct 28, 2013 04:55 PM

    FYI - after opening a case with TAC I was told that Role-based access control only works when using an external auth server, RADIUS.



  • 8.  RE: Role-based access rules not being applied

    EMPLOYEE
    Posted Oct 28, 2013 05:04 PM

    kconley, thanks for sharing your findings - could have sworn you could do this in a previous release - but trust those in TAC. Have a thread on this internally and if anything of interest comes up, will post back. Cheers and thanks!



  • 9.  RE: Role-based access rules not being applied

    Posted Oct 28, 2013 05:24 PM

    Hi,


    We do support role derivation without using an external RADIUS server, but we can only derive based on inherent attributes such as MAC address, and not RADIUS attributes such as Aruba-Essid-Name.

     

    Also, could I ask why we are trying to derive based on Aruba-Essid-Name? Because it seems redundant, as the default role is already per-SSID. If the goal is to define a different access policy for each SSID, then just setting the policy in the default role (or just using network-based access control) should be enough.

     

    Role derivation is geared toward giving different roles to different clients even if they are on the same SSID.

     

    Thanks,


    Yan
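The behaviour described in the replies above (a `set-role` rule keyed on a RADIUS attribute never fires when the SSID authenticates against `InternalServer`), turned into a config check. This is an added example, not code from the thread or from Aruba; the set of RADIUS-only attributes, the second SSID profile and the server name `ext-radius-1` are assumptions.

```python
import re

# Assumption: attributes that only arrive in a RADIUS exchange. The thread names
# Aruba-Essid-Name; extend the set for your own deployment.
RADIUS_ONLY_ATTRS = {"aruba-essid-name"}
INTERNAL_SERVER = "InternalServer"  # name used in the config posted in the thread

# Constructed sample: RED mirrors the thread's profile (passphrase line omitted),
# BLUE is a hypothetical profile pointing at a hypothetical external server.
SAMPLE_CONFIG = """\
wlan ssid-profile RED
 type employee
 essid RED
 opmode wpa2-psk-aes
 auth-server InternalServer
 set-role Aruba-Essid-Name equals RED IG
wlan ssid-profile BLUE
 essid BLUE
 opmode wpa2-aes
 auth-server ext-radius-1
 set-role Aruba-Essid-Name equals BLUE BLUE-ROLE
"""

def parse_profiles(text):
    """Return {profile: {"auth_servers": [...], "set_role": [(attr, op, value, role)]}}."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = re.match(r"wlan ssid-profile\s+(\S+)", line)
        words = line.split()
        if m:
            current = profiles.setdefault(m.group(1), {"auth_servers": [], "set_role": []})
        elif not line.startswith(" ") or not words:
            current = None  # a blank or unindented line ends the profile block
        elif current is not None and words[0] == "auth-server" and len(words) == 2:
            current["auth_servers"].append(words[1])
        elif current is not None and words[0] == "set-role" and len(words) == 5:
            current["set_role"].append(tuple(words[1:]))
    return profiles

def dead_role_rules(text):
    """List (profile, attr, role) for RADIUS-attribute rules on profiles with no external server."""
    findings = []
    for name, p in parse_profiles(text).items():
        external = [s for s in p["auth_servers"] if s != INTERNAL_SERVER]
        for attr, _op, _value, role in p["set_role"]:
            if attr.lower() in RADIUS_ONLY_ATTRS and not external:
                findings.append((name, attr, role))
    return findings
```

Each finding is a rule whose clients will silently stay in the SSID's default role, so the policy to review is the default role's, not the derived one.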



  • 10.  RE: Role-based access rules not being applied

    Posted Oct 28, 2013 05:28 PM

    Role-based is how we were shown to do it in a sales pitch by an Aruba "guru". Thought it even worked. I have it working through network-based and see no reason to do it any other way. Thanks!



  • 11.  RE: Role-based access rules not being applied

    Posted Oct 30, 2013 10:55 AM

    @Yan Liu wrote:

    Hi,


    We do support role derivation without using an external RADIUS server, but we can only derive based on inherent attributes such as MAC address, and not RADIUS attributes such as Aruba-Essid-Name.

     

    Also, could I ask why we are trying to derive based on Aruba-Essid-Name? Because it seems redundant, as the default role is already per-SSID. If the goal is to define a different access policy for each SSID, then just setting the policy in the default role (or just using network-based access control) should be enough.

     

    Role derivation is geared toward giving different roles to different clients even if they are on the same SSID.

     

    Thanks,


    Yan


    I tried that but it didn't work, it placed the device on the default role too. I have the latest IAP OS installed.



  • 12.  RE: Role-based access rules not being applied

    Posted Oct 30, 2013 06:25 PM

    Hi Victor,

     

    Do you mind pasting the output of running configuration from CLI or from UI's support window so we can see the full config?

     

    Thanks,


    Yan



  • 13.  RE: Role-based access rules not being applied

    Posted Feb 28, 2017 05:27 AM

    Hi,

     

    I changed the role-based access rules and the external auth RADIUS servers, but the clients are connecting to the old role. We use external guest auth.

     

    How can I force the client to associate to the new role?

     

    Thanks



  • 14.  RE: Role-based access rules not being applied

    EMPLOYEE
    Posted Feb 28, 2017 06:21 AM

    Please open a new thread.  This post is from 4 years ago.