Wireless Access

I dont think you can currently do this, but I think it would be cool to have the ability to dynamically change the role for the connected device based on its fingerprint after authentication happens.  Think of this like chained firewall rules.

Roles would be chained like this:

[OS/Device fingerprint]

[Radius Role]

Or better yet, allow more information to be populated in the internal database during radius authentication so you can send say filterID and group...

then you could have 

[OS/Device fingerprint]

[Group Role]

[Radius Role]

They would all be chained together with a deny at a higher level taking precedence.  Similar to how firewall chains work in most firewalls...

Some of this is possible using User Derived Rules.   Please see the DHCP Tech Note on the details:   http://www.arubanetworks.com/wp-content/uploads/AOS-DHCP-FingerPrint-AppNote.pdf.

It is frustrating through as it does not appear you can chain them in any way.... Meaning I really cant give a power user on a mobile device anything different than the mobile device policy... As it says the dhcp fingerprint takes over any user derived roles...

Thanks for the information, I will play with this a bit as it looks quite interesting.

-Dan

That is correct.   With ClearPass there are some added abilities with device types and profiling; but with ArubaOS it is limited as you have discovered.

I think it would be a really cool feature to be able to combine roles :)  including the ability for user roles from radius to send multiple defined roles, so you can send multiple groups over to the controller for more dynamic control of users, 

I understand that some of this is built into clearpass, but with my tight budget I just dont think that is an option ;)