
Guest Provisioning Default Role

  • 1.  Guest Provisioning Default Role

    Posted Feb 13, 2015 11:59 AM

    We give front desk users guest provisioning access, which puts users into the default "guest" role. Is there a way to default what role they go into? We are trying to steer guest accounts into a role that is different than the default (i.e. SSIDName-Role vs guest).

     

    I know this is possible from within the controller guest provisioning but we don't want to give users that much access.



  • 2.  RE: Guest Provisioning Default Role

    Posted Feb 13, 2015 12:32 PM

    Edited to reflect post-auth role instead of initial role in #2

     

    The role assignment for guests within the controller can be done in a couple different ways:

     

    1) Create a guest account and assign a role.   By default the captive portal profiles use "default" server group for authentication.  This server group has a server derived rule that assigns the user-role to be the value or role within the internal DB.

     

    2) Set a default guest role for the captive portal profile for your guests (SSIDName-Role in your case).   Make a new server group (copy of default), but remove this server derived rule.  Assign this server group to the Captive Portal profile.

     

    • In option 1, the server derived rule will override the initial role for the AAA profile, thus they are assigned "guest".
    • In option 2, there is no server derived rule, so the default role of the Captive Portal profile is assigned, thus they are assigned "SSIDName-Role"


  • 3.  RE: Guest Provisioning Default Role

    Posted Feb 13, 2015 01:45 PM

    Option 1 is already doable 

    Option 2 is I guess what we are trying to do but already have an initial role on the AAA profile set. Not sure about the server derived rule since the default doesn't have any set from what I can tell.

     

    This is basically our config with names changed up a bit but basically we want initial role "SSID-Guest-Logon-Role" and authenticated role "SSID-Guest-Role". Anything the guest-manager puts in they are currently being put into "guest" role by default.

     

    wlan virtual-ap "VAP-SSID-Guest"
    aaa-profile "AAA-SSID-Guest"
    ssid-profile "SSID-Guest"
    vlan xxx
    band-steering
    broadcast-filter all

    !

    aaa profile "AAA-SSID-Guest"
    initial-role "SSID-Guest-Logon-Role"

    !
    aaa authentication captive-portal "CP-SSID-Guest"
    default-role "SSID-Guest-Role"
    server-group "internal"
    redirect-pause 2
    protocol-http
    welcome-page "http://www.pickles.com"
    apple-cna-bypass

    !

    aaa server-group "default"
    auth-server Internal



  • 4.  RE: Guest Provisioning Default Role
    Best Answer

    Posted Feb 14, 2015 08:40 AM

    @flava wrote:

    aaa server-group "default"
    auth-server Internal


    Your config looks good so long as the CP-SSID-Guest captive portal profile is assigned to the SSID-Guest-Logon-Role role.  However, the above output shows that the default server group does indeed have the server rule set.  It is a default setting, so it does not show up in the CLI.  If you had removed it, you'd see:

     

    no set role condition role value-of

     

    To confirm this, run one of the following commands.

    When the user is logged in:

    • show user ip <ip-of-user>
    • Look for the User Role derivation field to confirm how the user was assigned the role

     

    show aaa server-group default

    • Verify Role/VLAN derivation rule is set.

    (aruba-7010) #show aaa server-group default

    Fail Through:No
    Load Balance:No

    Auth Servers
    ------------
    Name      Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
    ----      -----------  ---------  ----------  --------  ---------
    Internal  Internal     No                              

    Role/VLAN derivation rules
    ---------------------------
    Priority  Attribute  Operation  Operand  Type    Action    Value  Validated
    --------  ---------  ---------  -------  ----    ------    -----  ---------
    1         role       value-of            String  set role         No
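
The check described in post 4, as an added example that is not part of the original thread: it parses `show aaa server-group` output and reports whether the implicit `role value-of` / `set role` rule is present, which is useful because the rule is a default and does not appear in the configuration listing. The function names and both sample strings are constructed for illustration, and the layout of the table once the rule is removed is an assumption.

```python
import re

# Constructed sample in the layout of the `show aaa server-group default`
# output quoted in this thread (not captured from a live controller).
WITH_RULE = """\
Auth Servers
------------
Name      Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
----      -----------  ---------  ----------  --------  ---------
Internal  Internal     No

Role/VLAN derivation rules
---------------------------
Priority  Attribute  Operation  Operand  Type    Action    Value  Validated
--------  ---------  ---------  -------  ----    ------    -----  ---------
1         role       value-of            String  set role         No
"""
# Assumption: with the rule removed, the table keeps its header and has no rows.
WITHOUT_RULE = WITH_RULE.rsplit("\n", 2)[0] + "\n"

def derivation_rules(show_output):
    """Parse the 'Role/VLAN derivation rules' table into a list of dicts."""
    lines = show_output.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.lstrip().startswith("Priority"):
            header, ruler, body = line, lines[i + 1], lines[i + 2:]
            break
    else:
        return []
    # Column starts come from the dashed ruler. A cell can be wider than its
    # header ("set role" under "Action"), so slice up to the next column start.
    starts = [m.start() for m in re.finditer(r"-+", ruler)]
    ends = starts[1:] + [None]
    names = [header[s:e].strip() for s, e in zip(starts, ends)]
    rules = []
    for row in body:
        if not row.strip():
            break
        rules.append({n: row[s:e].strip() for n, s, e in zip(names, starts, ends)})
    return rules

def server_rule_sets_role(show_output):
    """True if a server-derived rule sets the role from the auth server's value."""
    return any((r.get("Attribute", "").lower(), r.get("Operation"), r.get("Action"))
               == ("role", "value-of", "set role")
               for r in derivation_rules(show_output))

if __name__ == "__main__":
    print("server-derived role rule present:", server_rule_sets_role(WITH_RULE))
```

Run it against the server group that the captive portal profile actually references, not only `default`.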



  • 5.  RE: Guest Provisioning Default Role

    Posted Dec 15, 2022 11:32 AM

    Hi @clembo

    I've encountered the very same problem @flava described.

    I've tried to apply your recommendations but it's not working for me, not sure if I'm missing something or it's indeed not possible to change the role. My goal is to assign guest clients role auth-guest.

    My setup is basically identical: 

    !
    wlan virtual-ap "JMHotspot"
    aaa-profile "JMHotspot"
    vlan 35
    ssid-profile "JMHotspot_ssid_prof"
    blacklist-time 28800
    !
    aaa profile "JMHotspot"
    initial-role "guest-logon"
    !
    user-role guest-logon
    captive-portal "JMHotspot"
    access-list session ra-guard
    access-list session captiveportal
    access-list session guest-logon-access
    access-list session v6-logon-control
    access-list session captiveportal6
    access-list session block-internal-access
    !
    aaa authentication captive-portal "JMHotspot"
    default-role "auth-guest"
    server-group "WLC_internal"
    redirect-pause 3
    single-session
    !
    aaa server-group "WLC_internal"
    auth-server Internal position 1
    !
    ! in default server group I removed "set role condition Role value-of"
    !
    aaa server-group "default"
    auth-server Internal position 1
    !


    However, guest clients created by Guest Provisioning Portal never get role auth-guest, instead they always end up with default guest role.

    (WLC-JMS-PRI) [mm] #show local-userdb


    User Summary
    ------------
    Name           Password  Role   E-Mail  Enabled  Expiry            Status  Sponsor-Name  Remote-IP  Grantor-Name
    ----           --------  ----   ------  -------  ------            ------  ------------  ---------  ------------
    guest-6218037  ********  guest          Yes      12/15/2022 18:11  Active                0.0.0.0    admin
    guest-9797812  ********  guest          Yes      12/15/2022 18:32  Active                0.0.0.0    admin

    (WLC-JMS-PRI) [mm] #show aaa authentication captive-portal JMHotspot

    Captive Portal Authentication Profile "JMHotspot"
    -------------------------------------------------
    Parameter                                     Value
    ---------                                     -----
    Default Role                                  auth-guest
    Default Guest Role                            guest
    Server Group                                  WLC_internal
    Redirect Pause                                3 sec
    User Login                                    Enabled
    Guest Login                                   Disabled
    Logout popup window                           Enabled
    Use HTTP for authentication                   Disabled
    Logon wait minimum wait                       5 sec
    Logon wait maximum wait                       10 sec
    logon wait CPU utilization threshold          60 %
    Max Authentication failures                   0
    Show FQDN                                     Disabled
    Authentication Protocol                       PAP
    Login page                                    /auth/index.html
    Welcome page                                  /auth/welcome.html
    Show Welcome Page                             Yes
    Add switch IP address in the redirection URL  Disabled

    Please, do you have any idea what to change so that guest users get the configured role?

    Thank you!