Wireless Access

New Contributor

Device not receiving proper role



We have some wireless printers that authenticate via MAC address but are not receiving the proper roles which I believe is causing them to constantly re-authenticate.  They have been added to the local-userdb and even if I attempt to manually add them with the proper role to the user-table, they still show as having a different role.


Here is an example: 00:02:78:21:ff:1b 00:02:78:21:FF:1B NASCA_Scanner 00:18:35 MAC US-MWN01-WAP007 Wireless gv-wlan-01/00:0b:86:0b:b0:a0/g gv-wlan-01-AAA 00:02:78:21:ff:11 00:02:78:21:FF:11 NASCA_Scanner 21:00:02 MAC US-MWN01-WAP018 Wireless gv-wlan-01/00:0b:86:0b:9d:60/g gv-wlan-01-AAA 00:1b:78:f7:2e:5a NASCA_Scanner_Logon 00:00:04 US-MWN01-WAP014 Wireless gv-wlan-01/00:0b:86:0b:a6:e0/g gv-wlan-01-AAA 00:1b:78:f7:2e:7f NASCA_Scanner_Logon 00:00:03 US-MWN01-WAP018 Wireless gv-wlan-01/00:0b:86:0b:9d:60/g gv-wlan-01-AAA


The first two devices have the proper role designation which is NASCA_Scanner.  The last two are not assigned the correct role which is the NASCA_Scanner_Logon.  Initially the devices land in the NASCA_Scanner_Logon role but should change to NASCA_Scanner after authentication.  All the other devices function correctly but there are about 5-6 that will not change the role association.  Nothing has changed from a configuration perspective aside from adding the devices to the local-userdb.


Here is the AAA profile designated:


aaa profile "gv-wlan-01-AAA"
initial-role "NASCA_Scanner_Logon"
authentication-mac "gv-wlan-01-MAC"
mac-default-role "NASCA_Scanner_Logon"
mac-server-group "internal"
authentication-dot1x "gv-wlan-01-PSK"


Here is the user-role for NASCA_Scanner_Logon:

user-role NASCA_Scanner_Logon
vlan 39
session-acl gv-dhcp-acl


Here is the user-role for NASCA_Scanner:


user-role NASCA_Scanner
vlan 39
session-acl gv-dhcp-acl
session-acl gv-dns-acl
session-acl icmp-acl
session-acl gv-citrix-NASCA-acl
session-acl gv-citrix-NASCA-Farm-acl
session-acl NASCA-Cirtix-Website
session-acl gv-NASCA-Printing
session-acl allowall


Thank you!



Guru Elite

Re: Device not receiving proper role

The local user database is sensitive to case and delimiters.  I would double-check those.


In addition, you need to disconnect a device in the client table in th GUI to get a fresh authentication if you make changes to the local user database.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
New Contributor

Re: Device not receiving proper role

Thanks Colin!


It was an issue with the password being lower case it seems.  Everything is now functioning as it should.  The majority of the devices worked right after the change since they hadn't associated with the controller yet and tried to authenticate.   One device I did have to disconnect through the GUI and allow it to re-authenticate.



Search Airheads
Showing results for 
Search instead for 
Did you mean: