Wireless Access

Frequent Contributor I

Roles and Access for different department

Hi All,


I received a request from my employeer that he want to create one SSID for employees (SSID=ABCDE), and based on the employee department we will give them access to different resources. 

For example:

Department-1: Computer Sciences->internet+Database Server Access

Department-2: Engineering-> Internet+Exchange Server Access


I think i will use Server Derivation Roles, can any one please explain me how i will do this.


Thanks in advance for help.

Re: Roles and Access for different department

What are you using for RADIUS server?

Get Outlook for iOS
Thank you

Victor Fabian
Lead Mobility Architect @WEI
Frequent Contributor II

Re: Roles and Access for different department

Khan Gulla,

This can be done is many ways depensing upon your RADIUS server. Do you have ClearPass? Is it integrated with AD?

If the provided solution resolves your issue, please mark it as accepted solution to help others.
Frequent Contributor I

Re: Roles and Access for different department

Thanks Jibran Bhai,


Jibran bhai i am doing authentication from AD. Yesterday i search the solution and i found the below stuff.


I am assming you are doing PEAP on your SSID, right?  If so, have your RADIUS server pass back an attribute that includes "Engineering", "Sales" or "IT" (based on group membership).  Then, setup your Server Derivation Rule (SDR) like this:


Attribute: Class (or whatever other RADIUS attribute you are passing back, but Class is a good one)

Operation: value-of

Type: string

Action: set role


What that means is that upon successful authenticaiton, the controller will take what ever the RADIUS server sends back in the Class attribute (or which ever attribute you selected) and use it as the role for that user.


If you have the Aruba dictionary loaded on your RADIUS server, you can pass back Aruba-User-Role and the controller will automatically use that value as the user role without having to create an SDR.



Jibran bhai what i understood from this post. When my user authenticate against AD, the AD will return some attributes and one of them is the group information. Let say i received the group "Finance",  now the further i don't understand what i will do. How i will associate firewall policy with the new role (finance).



Frequent Contributor I

Re: Roles and Access for different department

I resolved the problem. Thanks for help.

Search Airheads
Showing results for 
Search instead for 
Did you mean: