Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

User Derivation Rules Priority

  • 1.  User Derivation Rules Priority

    Posted Mar 06, 2012 12:50 PM

    I'm creating a User Derivation Rule that utilizes MAC and DHCP Fingerprinting.

     

    I'm redirecting the DHCP Fingerprinted devices to a Blocked-Device-Role but inevitably there will be one user who will have the political power to demand that their device is allowed access.

     

    Shouldn't I be able to create a macaddr/equals/their device's MAC Rule and nest it at the top (Priority 1) and link that to an Allow-Device-Role to give that device access to the wireless network?

     

    What I'm seeing in my test environment is that the most restrictive Rule takes precedence regardless of its priority.



  • 2.  RE: User Derivation Rules Priority

    EMPLOYEE
    Posted Mar 06, 2012 01:35 PM

    Remove the DHCP fingerprint rule and see if the mac address rule fires.  Maybe the mac rule has the wrong syntax or wrong mac address and never fires, as a result.

     



  • 3.  RE: User Derivation Rules Priority

    Posted Mar 19, 2012 03:47 PM

    Yes Colin, the MAC filter did work.



  • 4.  RE: User Derivation Rules Priority

    Posted Mar 06, 2012 01:44 PM

    In the user derivation roles, the DHCP-option rule has a higher priority than a user rule that uses MAC address. So when you define a DHCP-option based rule it always overrides the mac-based and other types of user role derivations. 

    Every time a user does DHCP, DHCP fingerprinting will kick in and change the role for the user, even though the user is already provisioned.

     

    Can you reverse the roles assigned to users based on mac-rule and that based on dhcp to ensure that it is not the most restrictive role that is always being applied?



  • 5.  RE: User Derivation Rules Priority

    Posted Mar 15, 2012 09:24 AM

    Thanks, I'll give it a shot and get back with the results.



  • 6.  RE: User Derivation Rules Priority

    Posted Mar 19, 2012 03:46 PM

    sathya, I've looked around the controller to "reverse the roles assigned to users based on mac-rule and that based on dhcp to ensure that it is not the most restrictive role that is always being applied" but I must be misreading your suggestion.

     

    Are you saying to create a "MAC Authentication Default Role" that allows access through it and MAC filtering and then add DHCP Fingerprinting to that Role? I don't see that option.



  • 7.  RE: User Derivation Rules Priority

    Posted May 14, 2012 03:16 PM

     

    Apparently whatever is the most restrictive Rule in the User Derivation Rules takes precedence over all. I've created an unrestricted DHCP-Fingerprinting Rule and a restrictive MAC Rule in the same "User Rules" and no matter if the restrictive is at the top of the list (higher priority) or the bottom (lower), it overrides the less restrictive.