
AOS 8.4: server-group default includes server-rules

Configuring mac auth with local-user dbase at the moment.

In the past you could use the server-group "internal" if you wanted to use the role from the local-userdb or if you wanted to use the role from the aaa profile you simply used the server-group default (since this did not include the server rules to apply the role).

 

Now in 8.4 both the default and the internal server-group include these server rules. The internal group isn't editable and the default group won't allow removal of the server rules either ("Rule not found!")

 

You can still create your own server-group referencing the internal dbase but meh, why not keep the old behaviour?

 

Any Aruba people have an idea as to why this was done?  Or if this is a minor bug? 


Koen (ACMX #351 | ACDX #547 | ACCP)


Re: AOS 8.4: server-group default includes server-rules

Default Server group and its rules were historically designed to return the roles of devices that are in the internal database during authentication. If you don't want that behavior, you should create your own server group from scratch and reference the internal database.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Re: AOS 8.4: server-group default includes server-rules

Hey Colin, Thanks for the response.

Creating my own group is what I did, but historically the 'default' and 'internal' server-groups have always differed in that one had those server-rules and the other didn't.

 

#show version 
ArubaOS (MODEL: Aruba3600), Version 6.4.4.16

#show aaa server-group default 

Fail Through:No
Load Balance:No

Auth Servers
------------
Name      Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
----      -----------  ---------  ----------  --------  ---------
Internal  Internal     No                               

Role/VLAN derivation rules 
---------------------------
Priority  Attribute  Operation  Operand  Type  Action  Value  Validated
--------  ---------  ---------  -------  ----  ------  -----  ---------

#show aaa server-group internal

Fail Through:No
Load Balance:No

Auth Servers
------------
Name      Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
----      -----------  ---------  ----------  --------  ---------
Internal  Internal     No                               

Role/VLAN derivation rules 
---------------------------
Priority  Attribute  Operation  Operand  Type    Action    Value  Validated
--------  ---------  ---------  -------  ----    ------    -----  ---------
1         Role       value-of            String  set role         No

This changed somewhere in 8.x.

 

What is even the use of having both default and internal groups if they are identical in every way?

That said, I won't lose any sleep over it so feel free to ignore this. 


Koen (ACMX #351 | ACDX #547 | ACCP)
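
An added example, not part of the original thread: a Python parser for `show aaa server-group` output in the layout quoted above, listing which groups carry a `set role` derivation rule, so a configuration can be checked after an upgrade for a `default` group that now derives roles from the server. The sample text is constructed from the tables in the post (trimmed to the rules tables), and the function names are hypothetical.

```python
import re

# Constructed sample, modeled on the 'show aaa server-group' output quoted in the post.
SAMPLE = """\
#show aaa server-group default
Role/VLAN derivation rules
---------------------------
Priority  Attribute  Operation  Operand  Type  Action  Value  Validated
--------  ---------  ---------  -------  ----  ------  -----  ---------

#show aaa server-group internal
Role/VLAN derivation rules
---------------------------
Priority  Attribute  Operation  Operand  Type    Action    Value  Validated
--------  ---------  ---------  -------  ----    ------    -----  ---------
1         Role       value-of            String  set role         No
"""

def slice_row(line, starts):
    """Cut a fixed-width row at the column starts; empty cells become ''."""
    ends = starts[1:] + [None]
    return [line[s:e].strip() for s, e in zip(starts, ends)]

def parse_derivation_rules(text):
    """Map each server-group name to its list of role/VLAN derivation rules."""
    groups, name, starts, header, in_rules, prev = {}, None, None, None, False, ""
    for line in text.splitlines():
        cmd = re.match(r"#\s*show aaa server-group\s+(\S+)", line)
        if cmd:
            name, in_rules, starts = cmd.group(1).strip('"'), False, None
            groups[name] = []
        elif line.startswith("Role/VLAN derivation rules"):
            in_rules, starts = name is not None, None
        elif in_rules and re.fullmatch(r"-+(\s+-+)+\s*", line):
            # Underline with several dash runs: each run marks a column start.
            starts = [m.start() for m in re.finditer(r"-+", line)]
            header = slice_row(prev, starts)
        elif in_rules and starts and line.strip():
            groups[name].append(dict(zip(header, slice_row(line, starts))))
        elif in_rules and starts:
            in_rules = False  # blank line ends the rules table
        prev = line
    return groups

def groups_setting_role(groups):
    """Names of server groups with a rule that assigns a role from the server."""
    return sorted(g for g, rules in groups.items()
                  if any(r.get("Action") == "set role" for r in rules))

if __name__ == "__main__":
    print(groups_setting_role(parse_derivation_rules(SAMPLE)))
```

Slicing rows at the column offsets of the dashed underline, rather than splitting on whitespace, keeps the empty Operand and Value cells and the two-word `set role` action in the right columns.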
