Hi
Trying to solve a little challenge and hoped that user rules would/could help here. I'm using one SSID for corporate access and everyone gets the "authenticated" role.
So far so good, it has worked fine for years. Now I want to separate a few clients on this VAP into another VLAN where another subnet is used, so I can properly separate them on the gateway firewall regarding policies/rules etc. I have PEFNG but I'm not using the firewall features on the controller; we handle this on a central firewall before traffic hits the internet.
Since DHCP reservation is not possible on the controller, I had the idea to use the "user rules" tab in the authentication area to put approx. 15 clients into another, separate VLAN where the controller does DHCP for a subnet.
I wonder why the priority list of the user rules only accepts 11 entries in the WebUI. When trying to add a 12th entry it overwrites the 11th entry?
Why is there a limit of 11? It doesn't make sense. Perhaps this shouldn't be misused for my challenge? After reading the ArubaOS 6.3 user guide (I currently run 6.3.1.14 on that MC3200 because we have lots of old APs not supported in AOS 6.4), the guide says:
Working with User-Derived VLANs

Attributes derived from the client's association with an AP can be used to assign the client to a specific role or VLAN, as user-derivation rules are executed before the client is authenticated.

You configure the user role or VLAN to be assigned to the client by specifying condition rules; when a condition is met, the specified user role or VLAN is assigned to the client. You can specify more than one condition rule; the order of rules is important as the first matching condition is applied. You can optionally add a description of the user rule.
So my CLI config is like this. Not sure if what I'm trying to do is a misuse; perhaps it would make more sense to try it with a MAC authentication role. But I would like to set a VLAN based on the MAC address, that's why I tried it with user rules.
(Aruba3400) #show aaa derivation-rules user Auth-MAC-VLAN
User Rule Table
---------------
Priority Attribute Operation Operand/Group Action Value Total Hits New Hits Description
-------- --------- --------- ------------- ------ ----- ---------- -------- -----------
1 macaddr equals 00:21:6a:xx:xx:xx set vlan 2103 0 0
2 macaddr equals 28:B2:BD:xx:xx:xx set vlan 2103 0 0
3 macaddr equals 00:19:D2:xx:xx:xx set vlan 2103 0 0
4 macaddr equals 00:21:6a:xx:xx:xx set vlan 2103 0 0
5 macaddr equals A4:4E:31:xx:xx:xx set vlan 2103 0 0
6 macaddr equals 5C:C5:D4:xx:xx:xx set vlan 2103 0 0
7 macaddr equals A4:4E:31:xx:xx:xx set vlan 2103 0 0
8 macaddr equals 6C:88:14:xx:xx:xx set vlan 2103 0 0
9 macaddr equals A4:4E:31:xx:xx:xx set vlan 2103 0 0
10 macaddr equals 50:1A:C5:xx:xx:xx set vlan 2103 0 0
11 macaddr equals 00:19:D2:xx:xx:xx set vlan 2103 0 0
As mentioned before, when trying to add a 12th entry, entry 11 is overwritten.
Any ideas?
Btw. before you ask yourself "why does he do this": all clients use the same SSID. If a MAC address is not listed in the user-rules list and connects to the SSID, it gets an IP address from the default VLAN assigned to the VAP; only when it has a specific MAC address is the client put into this 2nd VLAN.
Perhaps I have to solve it another way?
thanks
ben
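To make the first-match behaviour from the quoted user guide concrete, here is an added example (not from the post or from ArubaOS) that parses the `show aaa derivation-rules user` output above, evaluates a MAC against the table the way the guide describes, and flags operands that occupy more than one slot of the 11-entry table. It assumes the table layout exactly as quoted, with the MAC addresses masked by the poster, so the duplicate check only shows what the check would reveal against the unmasked table; note that a MAC-derived VLAN identifies a device but does not authenticate it, so this places clients and does not replace the firewall policy.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: first four rows of the poster's `show aaa derivation-rules
# user` output, with MAC addresses masked exactly as in the post.
SHOW_OUTPUT = """\
User Rule Table
---------------
Priority Attribute Operation Operand/Group Action Value Total Hits New Hits Description
-------- --------- --------- ------------- ------ ----- ---------- -------- -----------
1 macaddr equals 00:21:6a:xx:xx:xx set vlan 2103 0 0
2 macaddr equals 28:B2:BD:xx:xx:xx set vlan 2103 0 0
3 macaddr equals 00:19:D2:xx:xx:xx set vlan 2103 0 0
4 macaddr equals 00:21:6a:xx:xx:xx set vlan 2103 0 0
"""

# One table row: priority, attribute, operation, operand, then "set vlan|role <value>".
ROW_RE = re.compile(
    r"^(?P<prio>\d+)\s+(?P<attr>\S+)\s+(?P<op>\S+)\s+(?P<operand>\S+)\s+"
    r"set\s+(?P<action>vlan|role)\s+(?P<value>\S+)"
)


def parse_rules(text: str) -> List[dict]:
    """Return the rules in priority order; header and separator lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            d["operand"] = d["operand"].lower()  # MACs are shown in mixed case
            rules.append(d)
    return rules


def derive(rules: List[dict], mac: str) -> Optional[Tuple[str, str, int]]:
    """First matching rule wins, as the user guide states; None means no match,
    so the client keeps the VAP default VLAN / role."""
    mac = mac.lower()
    for r in rules:
        if r["attr"] == "macaddr" and r["op"] == "equals" and r["operand"] == mac:
            return r["action"], r["value"], r["prio"]
    return None


def duplicate_operands(rules: List[dict]) -> Dict[str, List[int]]:
    """Operands present in more than one slot waste entries of the limited table."""
    seen: Dict[str, List[int]] = {}
    for r in rules:
        seen.setdefault(r["operand"], []).append(r["prio"])
    return {k: v for k, v in seen.items() if len(v) > 1}
```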