Hi @clembo
I've encountered the very same problem @flava described.
I've tried to apply your recommendations but it's not working for me, not sure if I'm missing something or it's indeed not possible to change the role. My goal is to assign guest clients the role auth-guest.
My setup is basically identical:
!
wlan virtual-ap "JMHotspot"
aaa-profile "JMHotspot"
vlan 35
ssid-profile "JMHotspot_ssid_prof"
blacklist-time 28800
!
aaa profile "JMHotspot"
initial-role "guest-logon"
!
user-role guest-logon
captive-portal "JMHotspot"
access-list session ra-guard
access-list session captiveportal
access-list session guest-logon-access
access-list session v6-logon-control
access-list session captiveportal6
access-list session block-internal-access
!
aaa authentication captive-portal "JMHotspot"
default-role "auth-guest"
server-group "WLC_internal"
redirect-pause 3
single-session
!
aaa server-group "WLC_internal"
auth-server Internal position 1
!
! in default server group I removed "set role condition Role value-of"
!
aaa server-group "default"
auth-server Internal position 1
!
However, guest clients created by the Guest Provisioning Portal never get the role auth-guest; instead they always end up with the default guest role.
(WLC-JMS-PRI) [mm] #show local-userdb
User Summary
------------
Name           Password  Role   E-Mail  Enabled  Expiry            Status  Sponsor-Name  Remote-IP  Grantor-Name
----           --------  ----   ------  -------  ------            ------  ------------  ---------  ------------
guest-6218037  ********  guest          Yes      12/15/2022 18:11  Active                0.0.0.0    admin
guest-9797812  ********  guest          Yes      12/15/2022 18:32  Active                0.0.0.0    admin
(WLC-JMS-PRI) [mm] #show aaa authentication captive-portal JMHotspot
Captive Portal Authentication Profile "JMHotspot"
-------------------------------------------------
Parameter Value
--------- -----
Default Role auth-guest
Default Guest Role guest
Server Group WLC_internal
Redirect Pause 3 sec
User Login Enabled
Guest Login Disabled
Logout popup window Enabled
Use HTTP for authentication Disabled
Logon wait minimum wait 5 sec
Logon wait maximum wait 10 sec
logon wait CPU utilization threshold 60 %
Max Authentication failures 0
Show FQDN Disabled
Authentication Protocol PAP
Login page /auth/index.html
Welcome page /auth/welcome.html
Show Welcome Page Yes
Add switch IP address in the redirection URL Disabled
Please, do you have any idea what to change so that guest users get the configured role?
Thank you!
Original Message:
Sent: Feb 14, 2015 08:39 AM
From: Chris Lembo
Subject: Guest Provisioning Default Role
@flava wrote:
aaa server-group "default"
auth-server Internal
Your config looks good so long as the CP-SSID-Guest captive portal profile is assigned to the SSID-Guest-Logon-Role role. However, the above output shows that the default server group does indeed have the server rule set. It is a default setting, so it does not show up in the CLI. If you had removed it, you'd see:
no set role condition role value-of
To confirm this, run one of the following commands.
When the user is logged in:
- show user ip <ip-of-user>
- Look for the User Role derivation field to confirm how the user was assigned the role
show aaa server-group default
- Verify the Role/VLAN derivation rule is set.
(aruba-7010) #show aaa server-group default
Fail Through:No
Load Balance:No
Auth Servers
------------
Name      Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
----      -----------  ---------  ----------  --------  ---------
Internal  Internal     No
Role/VLAN derivation rules
---------------------------
Priority  Attribute  Operation  Operand  Type    Action    Value  Validated
--------  ---------  ---------  -------  ----    ------    -----  ---------
1         role       value-of            String  set role         No
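
The verification step from the quoted reply, as an added example that is not part of either post and is not Aruba code: it parses the Role/VLAN derivation rules table from "show aaa server-group" output and reports which role a provisioned guest would be expected to receive. The sample output is constructed (column-aligned the way the CLI prints it), and the function names and the stated precedence assumption are the example's own.

```python
import re

COLS = ("Priority", "Attribute", "Operation", "Operand", "Type", "Action", "Value", "Validated")
FMT = "{:<10}{:<11}{:<11}{:<9}{:<8}{:<10}{:<7}{}"

def sample_output(*rules):
    """Build constructed CLI text laid out like the derivation-rule table quoted above."""
    head = ["Role/VLAN derivation rules", "-" * 27, FMT.format(*COLS),
            FMT.format(*("-" * len(c) for c in COLS))]
    return "\n".join(head + [FMT.format(*r).rstrip() for r in rules]) + "\n"

WITH_RULE = sample_output(("1", "role", "value-of", "", "String", "set role", "", "No"))
RULE_REMOVED = sample_output()  # constructed: table after "no set role condition role value-of"

def derivation_rules(cli_text):
    """Parse the rule table into dicts, slicing each row at the dash ruler's column starts."""
    lines = cli_text.splitlines()
    title = next((i for i, l in enumerate(lines)
                  if l.strip() == "Role/VLAN derivation rules"), None)
    if title is None or title + 3 >= len(lines):
        return []
    header, ruler = lines[title + 2], lines[title + 3]
    starts = [m.start() for m in re.finditer(r"-+", ruler)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[a:b].strip() for a, b in bounds]
    rows = []
    for line in lines[title + 4:]:
        if not line.strip():
            break  # a blank line ends the table
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, bounds)})
    return rows

def expected_role(cli_text, userdb_role, cp_default_role):
    """Return (role, reason) for a captive-portal user.

    Assumption: a matching server-derivation rule takes precedence over the
    captive portal profile's Default Role, which is how the reply above reads.
    """
    for r in derivation_rules(cli_text):
        key = (r["Attribute"].lower(), r["Operation"], r["Action"].lower())
        if key == ("role", "value-of", "set role") and userdb_role:
            return userdb_role, "server rule (priority %s)" % r["Priority"]
    return cp_default_role, "captive portal default-role"

if __name__ == "__main__":
    for label, text in (("rule present", WITH_RULE), ("rule removed", RULE_REMOVED)):
        print(label, "->", expected_role(text, "guest", "auth-guest"))
```

To check a real controller, pass in the text of "show aaa server-group" for the server group the captive portal profile actually references, together with the Role column from "show local-userdb".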