Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ArubaOS 6.1.3.1 User derivation rule not working

  • 1.  ArubaOS 6.1.3.1 User derivation rule not working

    Posted Apr 19, 2012 08:01 PM

    We have a User Derivation Rule to assign a specific role to certain clients. After we upgraded to 6.1.3.1, the Derivation Rule is not working. The users are being placed in the initial role "logon" instead. I have verified that the MACs of the devices are present in the Derivation Rule with the correct role.

     

    On code 3.3.3.2 it was working properly.

     

    Has anyone encountered this, is it a bug?



  • 2.  RE: ArubaOS 6.1.3.1 User derivation rule not working

    EMPLOYEE
    Posted Apr 19, 2012 10:33 PM

    Turn on user debugging to see why that user ends up in that role.

     



  • 3.  RE: ArubaOS 6.1.3.1 User derivation rule not working

    Posted Apr 19, 2012 11:47 PM

    I'll set up a test environment tomorrow.  



  • 4.  RE: ArubaOS 6.1.3.1 User derivation rule not working
    Best Answer

    Posted Jun 12, 2012 11:49 AM

    After many, many tests, with the help of our Aruba onsite support, we were finally able to figure out the issue. I had called TAC about this and they were not able to figure it out.

     

    Turns out that on the new code, at least 6.1.3.1, they have set a limit on how many lines a derivation rule can have. Don't know if that's by design or a flaw since it's not mentioned in the Release Notes that I can see.

     

    So, if you're having this issue, check to see how many lines your derivation rule/s have.  The max that you can have is 127.  



  • 5.  RE: ArubaOS 6.1.3.1 User derivation rule not working

    EMPLOYEE
    Posted Jul 12, 2012 01:34 PM

     

     

    These symptoms are likely covered under issues filed against S3500 and ArubaOS Mobility controller products.

     

    There are built-in limits to the total of derivation rules, so the number of rules that will work is dependent on the complete controller configuration.

     

    The issue was introduced in 6.1.3.0 software.

     

    Currently, engineering are working on long term fixes for the issue.

     

    In the meantime, there are a number of possible "workarounds" which may, in fact, be advantageous in larger networks.

     

    1) MAC based authentication using full, or OUI prefix, which can be used to derive.

        -  scripts are available to assist transition from the UDR configuration to the internal authentication database authentication

     

    2) Use MAC OUI prefix UDR, thereby reducing the number of UDR rules required.

    3) External authentication, using server derivation rules

     

    Aruba Networks Technical Support can provide further details regarding the issue, assisting in positively identifying if this is indeed the cause of symptoms observed, or potential workarounds.

     

     

     

     



  • 6.  RE: ArubaOS 6.1.3.1 User derivation rule not working

    Posted Aug 01, 2012 08:00 PM

    There was nothing in the release notes in regard to the issue. TAC didn't know what the issue was either. By testing we ended up figuring out what the issue was. We resolved the issue by just using the first 6 characters of the MAC.



  • 7.  RE: ArubaOS 6.1.3.1 User derivation rule not working

    Posted Sep 17, 2014 09:06 AM

    Has this issue ever been resolved?

     

    Which code should we go to to get more entries than 127?



  • 8.  RE: ArubaOS 6.1.3.1 User derivation rule not working

    Posted Sep 17, 2014 09:09 AM

    My controller is running on 6.1.3.4 and we are having the same issue.

     

    We are not able to add more than 127 entries. Which code can we upgrade to to resolve this issue?

     

    Thanks in advance for any help on this matter.



  • 9.  RE: ArubaOS 6.1.3.1 User derivation rule not working

    Posted Sep 18, 2014 03:23 AM

    Best bet on an answer would be TAC; they can check the bug database and advise you.



  • 10.  RE: ArubaOS 6.1.3.1 User derivation rule not working

    Posted Sep 29, 2014 11:12 AM

    Just an update...

     

    According to TAC, it's limited to 127 entries and it will be increased to 256 entries with newer code.



  • 11.  RE: ArubaOS 6.1.3.1 User derivation rule not working

    EMPLOYEE
    Posted Sep 29, 2014 11:14 AM

    Also keep in mind that UDRs were never designed to be a MAC-auth replacement. It was designed to override certain devices based on shared characteristics (MAC OUI, DHCP fingerprint, etc).
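
An added example, not part of the original thread and not Aruba tooling: a Python sketch of the OUI workaround described in posts 5 and 6, which collapses a per-MAC role list into OUI-prefix entries only where every listed device under that OUI has the same role, then checks the result against the 127-line limit reported above. The function names, roles and sample MACs are constructed for illustration, and the output is plain (match, role) pairs rather than controller CLI syntax.

```python
from collections import defaultdict

UDR_LINE_LIMIT = 127  # per-rule line limit reported in this thread for 6.1.3.x


def normalize(mac):
    """Return 12 lowercase hex digits, accepting ':', '-' or '.' separators."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def collapse_to_oui(entries, limit=UDR_LINE_LIMIT):
    """entries: iterable of (mac, role). Returns (rules, fits).

    rules is a sorted list of (match, role): match is a 6-digit OUI when every
    listed MAC under that OUI has the same role, else the full 12-digit MAC.
    """
    by_oui = defaultdict(dict)
    for mac, role in entries:
        m = normalize(mac)
        prev = by_oui[m[:6]].setdefault(m, role)
        if prev != role:
            raise ValueError(f"{m} listed with roles {prev!r} and {role!r}")
    rules = []
    for oui, macs in by_oui.items():
        roles = set(macs.values())
        if len(roles) == 1:
            rules.append((oui, roles.pop()))  # one line replaces len(macs) lines
        else:
            rules.extend(macs.items())  # mixed roles: keep per-device lines
    rules.sort()
    return rules, len(rules) <= limit


# Constructed sample: 150 scanners under one OUI, plus two devices sharing
# another OUI but needing different roles.
SAMPLE = [(f"00:1a:2b:00:00:{i:02x}", "scanner") for i in range(150)]
SAMPLE += [("AA-BB-CC-00-00-01", "printer"), ("aabb.cc00.0002", "voice")]

if __name__ == "__main__":
    rules, fits = collapse_to_oui(SAMPLE)
    print(len(SAMPLE), "per-MAC lines ->", len(rules), "lines; fits:", fits)
    for match, role in rules:
        print(match, role)
```

An OUI entry matches every device carrying that vendor prefix, not only the MACs that were in the original list, so review each collapsed entry against the role it grants.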