Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Question about role assignment for radius authenticated users.

This thread has been viewed 2 times

  • 1.  Question about role assignment for radius authenticated users.

    Posted Apr 21, 2014 12:50 PM

    I have successfully setup radius authentication for my AD users. However, users are being assigned a guest role instead of the logon role that is set in the AAA profile for the radius authentication. I cannot determine what is superseding the role.



  • 2.  RE: Question about role assignment for radius authenticated users.

    EMPLOYEE
    Posted Apr 21, 2014 12:56 PM

    User "show user-table ip <ip address of user>" to see how the user got that role.  In your AAA profile, the default 802.1x role should determine your user's role.

     



  • 3.  RE: Question about role assignment for radius authenticated users.

    Posted Apr 21, 2014 01:10 PM

    Ok i see the following in the reply

     

    Role Derivation: default for authentication type 802.1x

     

    then 

     

    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
    Current Role name: guest, role-how: 1, L2-role: guest, L3-role: guest

     

    My AAA profile is set for Logon. I have looked at the 802.1x seetings but do not see where to assign the role. I am using mschap for 802.1x.

     

     



  • 4.  RE: Question about role assignment for radius authenticated users.

    EMPLOYEE
    Posted Apr 21, 2014 01:12 PM
    In the AAA profile, what roles is the default 802.1x role set to?


  • 5.  RE: Question about role assignment for radius authenticated users.

    Posted Apr 21, 2014 01:17 PM

    default-dot1x is set to logon.



  • 6.  RE: Question about role assignment for radius authenticated users.

    EMPLOYEE
    Posted Apr 21, 2014 01:19 PM
    Type show "user table verbose" and it will say in one column which AAA profile is being used (expand your terminal to full size to see). This is just to make sire you are referring to the correct 802.1x profile.


  • 7.  RE: Question about role assignment for radius authenticated users.

    Posted Apr 21, 2014 01:27 PM

    In the auth column I see 802.1x and the Profile column shows the radius profile i created, but I have verified that logon is the role i have set for that AAA profile. However, the user roles are still guest.

     



  • 8.  RE: Question about role assignment for radius authenticated users.

    EMPLOYEE
    Posted Apr 21, 2014 01:55 PM

    Okay.  Do you have the policy enforcement firewall license installed?



  • 9.  RE: Question about role assignment for radius authenticated users.

    Posted Apr 21, 2014 02:21 PM

    We purchased and installed 1 PEF license before we realized we needed one for every ap. I removed the initial license.

     



  • 10.  RE: Question about role assignment for radius authenticated users.

    EMPLOYEE
    Posted Apr 21, 2014 02:22 PM
    If you do not have the PEF license every authenticated user will end up in the guest role.


  • 11.  RE: Question about role assignment for radius authenticated users.

    Posted Apr 21, 2014 02:28 PM

    Understood. If we want to have radius authenticated users and a guest wireless captive portal with limited bandwidth for the guest, do we have to have the PEF licenses? Or, will bandwidth limitations be set for authenticated users as well?



  • 12.  RE: Question about role assignment for radius authenticated users.
    Best Answer

    EMPLOYEE
    Posted Apr 21, 2014 02:31 PM
    PEF is required for differentiated roles and bandwidth contracts. Without PEF unauthenticated users and up in the logon role and authenticated ones end up in the guest role with no restrictions.