
Contributor II

Role derivation priority with 802.1X, Machine Auth and VSA


I have configured Server Role Derivation for 802.1X with enforced machine authentication. It works fine for computers and users that are members of the Microsoft domain, with role mapping based on a standard attribute returned by NPS (not an Aruba VSA).


But I have just a few Mac OS X laptops that (for many reasons) are not members of the domain (no machine account, only user & pass), and I would also like to be able to map them to a different role after successful 802.1X authentication based on user & pass only (machine auth fails).


Will returning the Aruba VSA attribute (Aruba-User-Role) take precedence and assign the role returned in the VSA attribute to a user on Mac OS X that passed only user auth and failed machine auth, with the Enforce Machine Authentication option enabled in a profile?

Guru Elite

Re: Role derivation priority with 802.1X, Machine Auth and VSA

When "Enforce machine authentication" is enabled in the controller, users will only get a server-defined rule when both user and machine authentication have been passed. Users who only pass user or only pass machine only get the corresponding machine authentication or user authentication role configured in the Enforce machine authentication configuration; all other derivation or VSA is ignored. It is preferred to do machine enforcement with an external policy server like ClearPass, because the built-in enforce machine authentication feature is less flexible and was built when there was not any external policy server that could do anything like that.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*